Commits on Jul 19, 2017
  1. [Security] simplified tests

    fabpot committed Jul 19, 2017
  2. [Security] refactored tests

    fabpot committed Jul 19, 2017
Commits on Jul 17, 2017
  1. Merge branch '3.4'

    * 3.4: (22 commits)
      Fix lazy commands registration
      [TwigBridge] deprecate TwigRenderer
      [FrameworkBundle] Set default public directory on install assets
      [Security] Fix wrong term in UserProviderInterface
      [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
      disable inlining deprecated services
      [Stopwatch] Fix precision for root section
      [Cache] add constructor docblocks for clarity
      [WebServerBundle] allowed public/ root directory to be auto-discovered along side web/
      [WebServerBundle] remove duplicate code
      [SecurityBundle] Clarify deprecation in UserPasswordEncoderCommand::getContainer
      [Profiler][Validator] ValidatorDataCollector: use new DataCollector::getCasters() method
      [Profiler] Fix data collector getCasters() call
      [VarDumper] Added setMinDepth to VarCloner
      remove symfony/process suggestion
      [DI] Remove unused dynamic property
      [Cache] add constructor docblocks for clarity
      [Security] validate empty passwords again
      [Process] Fixed issue between process builder and exec
      non-conflicting anonymous service ids across files
      ...
    nicolas-grekas committed Jul 17, 2017
  2. Merge branch '3.3' into 3.4

    * 3.3:
      [FrameworkBundle] Set default public directory on install assets
      [Security] Fix wrong term in UserProviderInterface
      [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
      disable inlining deprecated services
      [Cache] add constructor docblocks for clarity
      [WebServerBundle] allowed public/ root directory to be auto-discovered along side web/
      [WebServerBundle] remove duplicate code
      [SecurityBundle] Clarify deprecation in UserPasswordEncoderCommand::getContainer
      [Cache] add constructor docblocks for clarity
      [Security] validate empty passwords again
      [DI] Remove irrelevant comment from container
      [TwigBridge] cleaner implementation of the TwigRenderer
    fabpot committed Jul 17, 2017
  3. Merge branch '3.2' into 3.3

    * 3.2:
      [Security] Fix wrong term in UserProviderInterface
      [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
      disable inlining deprecated services
      [Cache] add constructor docblocks for clarity
      [Security] validate empty passwords again
      [DI] Remove irrelevant comment from container
      [TwigBridge] cleaner implementation of the TwigRenderer
    fabpot committed Jul 17, 2017
  4. Merge branch '2.8' into 3.2

    * 2.8:
      [Security] Fix wrong term in UserProviderInterface
      [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
      disable inlining deprecated services
      [Security] validate empty passwords again
      [DI] Remove irrelevant comment from container
      [TwigBridge] cleaner implementation of the TwigRenderer
    fabpot committed Jul 17, 2017
  5. Merge branch '2.7' into 2.8

    * 2.7:
      [Security] Fix wrong term in UserProviderInterface
      [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
      [Security] validate empty passwords again
      [DI] Remove irrelevant comment from container
      [TwigBridge] cleaner implementation of the TwigRenderer
    fabpot committed Jul 17, 2017
  6. security #23507 [Security] validate empty passwords again (xabbuh)

    This PR was merged into the 2.7 branch.
    
    Discussion
    ----------
    
    [Security] validate empty passwords again
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 2.7
    | Bug fix?      | yes
    | New feature?  | no
    | BC breaks?    | no
    | Deprecations? | no
    | Tests pass?   | yes
    | Fixed tickets | symfony/symfony#23341 (comment)
    | License       | MIT
    | Doc PR        |
    
    It looks like this part of #23341 causes serious security issues for some users who rely on the validator to also compare the empty string with their user's password (see for example symfony/symfony#23341 (comment)). Thus I suggest reverting this part of #23341.
    
    Commits
    -------
    
    878198cefa [Security] validate empty passwords again
    fabpot committed Jul 17, 2017
Commits on Jul 14, 2017
Commits on Jul 12, 2017
  1. Merge branch '3.4'

    * 3.4:
      Add TokenProcessor
      [DI] Handle root namespace in service definitions
      Add support for command lazy-loading
      Use rawurlencode() to transform the Cookie into a string
      [TwigBundle] Added a RuntimeExtensionInterface to take advantage of autoconfigure
      [Process] Fix parsing args on Windows
      Add exclude verbosity test
      [HttpKernel][VarDumper] Truncate profiler data & optim perf
      [DI] Allow imports in string format for YAML
      [Validator] Allow to use a property path to get value to compare in comparison constraints
      [Security] Fix authentication.failure event not dispatched on AccountStatusException
      add option to define the access decision manager
      Add support for doctrine/dbal 2.6 types
    nicolas-grekas committed Jul 12, 2017
  2. Merge branch '3.3' into 3.4

    * 3.3:
      [DI] Handle root namespace in service definitions
      Use rawurlencode() to transform the Cookie into a string
      [Process] Fix parsing args on Windows
      [HttpKernel][VarDumper] Truncate profiler data & optim perf
      [Security] Fix authentication.failure event not dispatched on AccountStatusException
    nicolas-grekas committed Jul 12, 2017
  3. Merge branch '3.2' into 3.3

    * 3.2:
      [DI] Handle root namespace in service definitions
      Use rawurlencode() to transform the Cookie into a string
      [Security] Fix authentication.failure event not dispatched on AccountStatusException
    nicolas-grekas committed Jul 12, 2017
  4. Merge branch '2.8' into 3.2

    * 2.8:
      [DI] Handle root namespace in service definitions
      Use rawurlencode() to transform the Cookie into a string
      [Security] Fix authentication.failure event not dispatched on AccountStatusException
    nicolas-grekas committed Jul 12, 2017
  5. Merge branch '2.7' into 2.8

    * 2.7:
      [DI] Handle root namespace in service definitions
      Use rawurlencode() to transform the Cookie into a string
      [Security] Fix authentication.failure event not dispatched on AccountStatusException
    nicolas-grekas committed Jul 12, 2017
  6. bug #23256 [Security] Fix authentication.failure event not dispatched on AccountStatusException (chalasr)
    
    This PR was merged into the 2.7 branch.
    
    Discussion
    ----------
    
    [Security] Fix authentication.failure event not dispatched on AccountStatusException
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 2.7
    | Bug fix?      | yes
    | New feature?  | no
    | BC breaks?    | no
    | Deprecations? | no
    | Tests pass?   | yes
    | Fixed tickets | symfony/symfony#18807
    | License       | MIT
    | Doc PR        | n/a
    
    Authentication fails if the user exists but their account is disabled/expired/locked. The failure event should be dispatched in this case, so that you can hook into it as for any authentication exception.
    
    Commits
    -------
    
    64c2efd [Security] Fix authentication.failure event not dispatched on AccountStatusException
    nicolas-grekas committed Jul 12, 2017
Commits on Jul 11, 2017
  1. Merge branch '3.4'

    * 3.4:
      Add exclude verbosity test
      [Security] Lazy load user providers
    nicolas-grekas committed Jul 11, 2017
  2. feature #23295 [Security] Lazy load user providers (chalasr)

    This PR was merged into the 3.4 branch.
    
    Discussion
    ----------
    
    [Security] Lazy load user providers
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 3.4
    | Bug fix?      | no
    | New feature?  | yes
    | BC breaks?    | no
    | Deprecations? | no
    | Tests pass?   | yes
    | Fixed tickets | n/a
    | License       | MIT
    | Doc PR        | n/a
    
    Commits
    -------
    
    d7914a6 [Security] Lazy load user providers
    nicolas-grekas committed Jul 11, 2017
Commits on Jul 6, 2017
  1. Merge branch '3.3' into 3.4

    * 3.3: (33 commits)
      Preserve HttpOnly value when deserializing a header
      [DX] [TwigBundle] Enhance the new exception page design
      Fix deprecated message
      [DI][Security] Prevent unwanted deprecation notices when using Expression Languages
      bumped Symfony version to 3.3.5
      updated VERSION for 3.3.4
      updated CHANGELOG for 3.3.4
      [VarDumper] Reduce size of serialized Data objects
      bumped Symfony version to 3.2.12
      updated VERSION for 3.2.11
      updated CHANGELOG for 3.2.11
      fixed bad merge
      Fix indent of methods
      [Cache] Handle APCu failures gracefully
      [DoctrineBridge] Use normalizedIds for resetting entity manager services
      [FrameworkBundle] Do not remove files from assets dir
      [FrameworkBundle] 3.3: Don't get() private services from debug:router
      bumped Symfony version to 3.3.4
      updated VERSION for 3.3.3
      updated CHANGELOG for 3.3.3
      ...
    nicolas-grekas committed Jul 6, 2017
  2. added missing type hints

    fabpot committed Jul 6, 2017
  3. Merge branch '3.3'

    * 3.3:
      [DI][Security] Prevent unwanted deprecation notices when using Expression Languages
      bumped Symfony version to 3.3.5
      updated VERSION for 3.3.4
      updated CHANGELOG for 3.3.4
      [VarDumper] Reduce size of serialized Data objects
      bumped Symfony version to 3.2.12
      updated VERSION for 3.2.11
      updated CHANGELOG for 3.2.11
      [DoctrineBridge] Use normalizedIds for resetting entity manager services
    fabpot committed Jul 6, 2017
  4. Merge branch '3.2' into 3.3

    * 3.2:
      [DI][Security] Prevent unwanted deprecation notices when using Expression Languages
      bumped Symfony version to 3.2.12
      updated VERSION for 3.2.11
      updated CHANGELOG for 3.2.11
    fabpot committed Jul 6, 2017
Commits on Jul 5, 2017
Commits on Jul 3, 2017
  1. Merge branch '3.4'

    * 3.4:
      [Console] Fix descriptor tests
      Change wording from object to subject
      add changelog entry for Stopwatch::reset()
      Add DateCaster
      [Dotenv] parse concatenated variable values
      [Yaml] deprecate the !str tag
      Add filter in VarDumperTestTrait
      Support for parsing PHP constants in yaml loader
    fabpot committed Jul 3, 2017
  2. minor #23201 Change wording from object to subject (greg0ire)

    This PR was merged into the 3.4 branch.
    
    Discussion
    ----------
    
    Change wording from object to subject
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 3.4
    | Bug fix?      | no
    | New feature?  | no
    | BC breaks?    | no
    | Deprecations? | no
    | Tests pass?   | yes
    | License       | MIT
    
    The authorization checker has been changed to support any value
    recently. The naming should reflect that to avoid confusion.
    Refs sonata-project/SonataAdminBundle#4518
    
    Commits
    -------
    
    d261894c6e Change wording from object to subject
    fabpot committed Jul 3, 2017
  3. Change wording from object to subject

    The authorization checker has been changed to support any value
    recently. The naming should reflect that to avoid confusion.
    Refs sonata-project/SonataAdminBundle#4518
    greg0ire committed Jun 15, 2017
  4. Merge branch '3.4'

    * 3.4:
      Misspelled word
      Display a better error design when the toolbar cannot be displayed
      fixed CS
      do not validate empty values
      [Cache] fix cleanup of expired items for PdoAdapter
      [Dotenv] clean up before running assertions
      [Console] fix description of INF default values
      parse escaped quotes in unquoted env var values
      [PropertyAccess] Fix TypeError discard
      [Validator] Throw exception on Comparison constraints null options
      [FrameworkBundle] Display a proper warning on cache:clear without the --no-warmup option
      [Security] Fix Firewall ExceptionListener priority
      Allow * to bind all interfaces (as INADDR_ANY)
      Identify tty tests in Component/Process
      [Workflow] Added more events to the announce function
      [Validator] Remove property path suggestion for using the Expression validator
      [WebProfilerBundle] Fix css trick used for offsetting html anchor from fixed header
      disable unusable fragment renderers
      [Stopwatch] Add a reset method
      [Security] Fix annotation
    fabpot committed Jul 3, 2017
  5. Merge branch '3.3' into 3.4

    * 3.3:
      Misspelled word
      Display a better error design when the toolbar cannot be displayed
      do not validate empty values
      [Cache] fix cleanup of expired items for PdoAdapter
      [Dotenv] clean up before running assertions
      [Console] fix description of INF default values
      parse escaped quotes in unquoted env var values
      [PropertyAccess] Fix TypeError discard
      [Validator] Throw exception on Comparison constraints null options
      [FrameworkBundle] Display a proper warning on cache:clear without the --no-warmup option
      [Security] Fix Firewall ExceptionListener priority
      Identify tty tests in Component/Process
      [Workflow] Added more events to the announce function
      [Validator] Remove property path suggestion for using the Expression validator
      [WebProfilerBundle] Fix css trick used for offsetting html anchor from fixed header
      [Security] Fix annotation
    fabpot committed Jul 3, 2017
  6. Merge branch '3.2' into 3.3

    * 3.2:
      Misspelled word
      Display a better error design when the toolbar cannot be displayed
      do not validate empty values
      [Cache] fix cleanup of expired items for PdoAdapter
      [Console] fix description of INF default values
      [PropertyAccess] Fix TypeError discard
      [Validator] Throw exception on Comparison constraints null options
      Identify tty tests in Component/Process
      [Workflow] Added more events to the announce function
      [Validator] Remove property path suggestion for using the Expression validator
      [WebProfilerBundle] Fix css trick used for offsetting html anchor from fixed header
      [Security] Fix annotation
    fabpot committed Jul 3, 2017
  7. Merge branch '2.8' into 3.2

    * 2.8:
      Misspelled word
      Display a better error design when the toolbar cannot be displayed
      do not validate empty values
      [Console] fix description of INF default values
      [PropertyAccess] Fix TypeError discard
      [Validator] Throw exception on Comparison constraints null options
      Identify tty tests in Component/Process
      [Security] Fix annotation
    fabpot committed Jul 3, 2017
  8. Merge branch '2.7' into 2.8

    * 2.7:
      Misspelled word
      Display a better error design when the toolbar cannot be displayed
      do not validate empty values
      [Console] fix description of INF default values
      [PropertyAccess] Fix TypeError discard
      [Validator] Throw exception on Comparison constraints null options
      Identify tty tests in Component/Process
      [Security] Fix annotation
    fabpot committed Jul 3, 2017
  9. bug #23341 [DoctrineBridge][Security][Validator] do not validate empty values (xabbuh)
    
    This PR was merged into the 2.7 branch.
    
    Discussion
    ----------
    
    [DoctrineBridge][Security][Validator] do not validate empty values
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 2.7
    | Bug fix?      | yes
    | New feature?  | no
    | BC breaks?    | no
    | Deprecations? | no
    | Tests pass?   | yes
    | Fixed tickets | #23319
    | License       | MIT
    | Doc PR        |
    
    Nearly all validators operating on scalar values (except for some special constraints) do ignore empty values. If you want to forbid them, you have to use the `NotBlank` constraint instead.
    
    Commits
    -------
    
    fd7ad234bc do not validate empty values
    fabpot committed Jul 3, 2017
  10. minor #23107 [Security] Fix annotation (enumag)

    This PR was merged into the 2.7 branch.
    
    Discussion
    ----------
    
    [Security] Fix annotation
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 2.7
    | Bug fix?      | yes
    | New feature?  | no
    | BC breaks?    | no
    | Deprecations? | no
    | Tests pass?   | yes
    | Fixed tickets |
    | License       | MIT
    | Doc PR        |
    
    Commits
    -------
    
    8a4d4eb563 [Security] Fix annotation
    fabpot committed Jul 3, 2017