Respond with 404 instead of 422 for invalid QueryString

[String] Correct inflection of 'codes' and 'names'

[Validator] Update BIC validator IBAN mappings

[DependencyInjection] Add support for generating lazy closures

add translations for the filename max length validator option

[HttpFoundation] Add ParameterBag::getString() and deprecate accepting invalid values

Stop stopwatch events in case of exception

bug #49706 Stop stopwatch events in case of exception (MatTheCat)

This PR was squashed before being merged into the 5.4 branch.

Discussion

Stop stopwatch events in case of exception

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49677 | License | MIT | Doc PR | N/A

Stopwatch events need to be stopped even if an exception occurred, else they will appear to span across the whole request timeline.

The following screenshots were taken with RouterListener throwing in debug mode following a NoConfigurationException:

Commits

beca17a10c Stop stopwatch events in case of exception

bug #49697 [Validator] Update BIC validator IBAN mappings (maxbeckers)

This PR was merged into the 5.4 branch.

Discussion

[Validator] Update BIC validator IBAN mappings

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | n/a | License | MIT | Doc PR | n/a

With #29755 were added some special cases for BIC validation. The old references have updated and don't include this mapping anymore. But https://www.iban.com/structure describes this special cases. I updated the list with this PR based on the new reference.

Commits

436dcba003 [Validator] Update BIC validator IBAN mappings

bug #49681 [String] Correct inflection of 'codes' and 'names' (GwendolenLynch)

This PR was merged into the 5.4 branch.

Discussion

[String] Correct inflection of 'codes' and 'names'

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | | License | MIT | Doc PR |

Singularizing of codes and names currently returns cod and nam. This PR simply adds them as suffixes, with tests.

Commits

97e932e3f2 [String] Correct inflection of 'codes' and 'names'

fix: GetSetMethodNormalizer::supportss should not check ignored methods

bug #49720 [Serializer] GetSetMethodNormalizer::supportss should not check ignored methods (nikophil)

This PR was merged into the 5.4 branch.

Discussion

[Serializer] GetSetMethodNormalizer::supportss should not check ignored methods

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | License | MIT

GetSetMethodNormalizer support methods do not check if potentiel getters have #[Ignore] attribute

Commits

829617746a fix: GetSetMethodNormalizer::supportss should not check ignored methods

minor #49714 [Validator] add translations for the filename max length validator option (xabbuh)

This PR was merged into the 5.4 branch.

Discussion

[Validator] add translations for the filename max length validator option

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | related to #49417 | License | MIT | Doc PR |

Commits

37ef83bee5 add translations for the filename max length validator option

[HttpClient] Encode and decode curly brackets {}

bug #49722 [HttpClient] Encode and decode curly brackets {} (pbowyer)

This PR was squashed before being merged into the 5.4 branch.

Discussion

[HttpClient] Encode and decode curly brackets {}

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49582 | License | MIT

HttpClient wasn't encoding { and } which meant passing JSON in the query string wasn't working.

Commits

a70c496025 [HttpClient] Encode and decode curly brackets {}

skip test using attributes on PHP 7

minor #49728 [Serializer] skip test using attributes on PHP 7 (xabbuh)

This PR was merged into the 5.4 branch.

Discussion

[Serializer] skip test using attributes on PHP 7

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | | License | MIT | Doc PR |

Commits

7250083205 skip test using attributes on PHP 7

re-allow phpdocumentor/type-resolver 1.7

minor #49727 [Serializer] re-allow phpdocumentor/type-resolver 1.7 (xabbuh)

This PR was merged into the 5.4 branch.

Discussion

[Serializer] re-allow phpdocumentor/type-resolver 1.7

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | reverts #48471 | License | MIT | Doc PR |

Commits

0776decd73 re-allow phpdocumentor/type-resolver 1.7

[Messenger] Add support for the DelayStamp in InMemoryTransport

feature #49725 [Messenger] Add support for the DelayStamp in InMemoryTransport (fabpot)

This PR was merged into the 6.3 branch.

Discussion

[Messenger] Add support for the DelayStamp in InMemoryTransport

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | n/a | License | MIT | Doc PR | n/a

Commits

1025f3501b [Messenger] Add support for the DelayStamp in InMemoryTransport

[Mailer] STDOUT blocks infinitely under Windows when STDERR is filled

bug #49604 [Mailer] STDOUT blocks infinitely under Windows when STDERR is filled (TemaYud)

This PR was submitted for the 6.2 branch but it was squashed and merged into the 5.4 branch instead.

Discussion

[Mailer] STDOUT blocks infinitely under Windows when STDERR is filled

| Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #... | License | MIT | Doc PR | symfony/symfony-docs#...

stream_get_contents() on STDOUT blocks infinitely under Windows when STDERR is filled under some circumstances. Open STDERR in append mode ("a"), then this will work.

Commits

2641438d5f [Mailer] STDOUT blocks infinitely under Windows when STDERR is filled

[Messenger] Fix evaluate() calls in WorkerTest

minor #49655 [Messenger] Fix evaluate() calls in WorkerTest (alexandre-daubois)

This PR was merged into the 5.4 branch.

Discussion

[Messenger] Fix evaluate() calls in WorkerTest

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | NA | License | MIT | Doc PR | NA

Just two little tweaks in tests to fix evaluate() calls :+1:

Commits

40efc7b862 [Messenger] Fix evaluate() calls in WorkerTest

Change limit argument from string to integer.

Fix test

[VarDumper] Fixed dumping of CutStub

bug #49673 [VarDumper] Fixed dumping of CutStub (lyrixx)

This PR was merged into the 5.4 branch.

Discussion

[VarDumper] Fixed dumping of CutStub

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | | License | MIT | Doc PR |

Commits

7675006133 [VarDumper] Fixed dumping of CutStub

[FrameworkBundle] Rename limiter’s strategy to policy in XSD

[Config] Improve performance of GlobResource

bug #49674 [FrameworkBundle] Rename limiter’s strategy to policy in XSD (MatTheCat)

This PR was merged into the 5.4 branch.

Discussion

[FrameworkBundle] Rename limiter’s strategy to policy in XSD

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49671 | License | MIT | Doc PR | N/A

https://github.com/symfony/symfony/pull/38664 renamed strategy to policy but did not update the XSD.

Commits

c19711c027 [FrameworkBundle] Rename limiter’s strategy to policy in XSD

bug #49657 [HttpKernel] Change limit argument from string to integer for Profiler (Aliance)

This PR was merged into the 5.4 branch.

Discussion

[HttpKernel] Change limit argument from string to integer for Profiler

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49656 | License | MIT

Commits

fb9b0d0bd3 Change limit argument from string to integer.

Fix some Composer keywords

Merge branch '5.4' into 6.2

• 5.4: Fix some Composer keywords [FrameworkBundle] Rename limiter’s strategy to policy in XSD [VarDumper] Fixed dumping of CutStub Fix test Change limit argument from string to integer. [Messenger] Fix evaluate() calls in WorkerTest [Mailer] STDOUT blocks infinitely under Windows when STDERR is filled

Merge branch '6.2' into 6.3

• 6.2: Fix some Composer keywords [FrameworkBundle] Rename limiter’s strategy to policy in XSD [VarDumper] Fixed dumping of CutStub Fix test Change limit argument from string to integer. [Messenger] Fix evaluate() calls in WorkerTest [Mailer] STDOUT blocks infinitely under Windows when STDERR is filled

Fix some Composer keywords

Merge branch '5.4' into 6.2

• 5.4: Fix some Composer keywords

Fix some Composer keywords

Fix some Composer keywords

Merge branch '6.2' into 6.3

• 6.2: Fix some Composer keywords Fix some Composer keywords Fix some Composer keywords

Yes, please 🙏. We will have 2 months for tuning it

[HttpFoundation] Deprecate passing invalid URI to Request::create

Fixes: #47084

Passing an invalid URI to Request::create triggers an undefined code path. In PHP7 the false value returned by parse_url would quietly be treated as a an array through type coercion leading to unexpected results. In PHP8 this triggers a deprecation exposing the bug.

[DomCrawler] Improve html5Parser tests

minor #49669 [DomCrawler] Improve html5Parser tests (victor-prdh)

This PR was squashed before being merged into the 6.3 branch.

Discussion

[DomCrawler] Improve html5Parser tests

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | / | License | MIT | Doc PR | /

Hi ! As mentioned by @Bilge in https://github.com/symfony/symfony/pull/49121#discussion_r1126265816, test to ensure the new html5Parser strategy wasn't the best ! So i worked a little on this subject and i come with this new proposal !

Thanks

Commits

1231d75e8a [DomCrawler] Improve html5Parser tests

[HttpFoundation] Add support for the 103 status code (Early Hints) and other 1XX statuses

feature #48128 [HttpFoundation] Add support for the 103 status code (Early Hints) and other 1XX statuses (dunglas)

This PR was squashed before being merged into the 6.3 branch.

Discussion

[HttpFoundation] Add support for the 103 status code (Early Hints) and other 1XX statuses

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | yes | Tickets | n/a | License | MIT | Doc PR | todo

This patch adds support for sending informational responses, including Early Hints responses if supported by the SAPI. It also allows sending other informational status codes such as 102 Processing.

According to Shopify and Cloudflare, using Early Hints, the performance improvement to the Largest Contentful Paint can go from several hundred milliseconds, and up to a second faster.

Usage:

<?php

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\WebLink\Link;

class HomepageController extends AbstractController
{
    #[Route("/", name: "homepage")]
    public function index(): Response
    {
        $response = $this->sendEarlyHints([
            (new Link(href: '/style.css'))->withAttribute('as', 'stylesheet'),
            (new Link(href: '/script.js'))->withAttribute('as', 'script'),
        ]);

        // Do something slow...

        return $this->render('homepage/index.html.twig', response: $response);
    }
}

With this patch, HttpFoundation will leverage the headers_send() function provided by FrankenPHP. FrankenPHP is currently the only SAPI supporting Early Hints, but other SAPI such as mod_apache will probably implement this function at some point: https://github.com/php/php-src/pull/7025#issuecomment-848015799

The low-level API is similar to the one provided by Go: https://github.com/golang/go/pull/42597 The high-level API helper in AbstractController is similar to Node's one: https://github.com/nodejs/node/pull/44180

Commits

5be52b2b77 [HttpFoundation] Add support for the 103 status code (Early Hints) and other 1XX statuses

[Form] Improve exception for unsubmitted form

minor #49667 [Form] Improve exception for unsubmitted form (KThiebault)

This PR was squashed before being merged into the 6.3 branch.

Discussion

[Form] Improve exception for unsubmitted form

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #49619 | License | MIT | Doc PR | -

This PR improves the error message when a form is submitted but its submission is not verified.

Commits

51d3038d09 [Form] Improve exception for unsubmitted form

bug #49376 [HttpFoundation] Deprecate passing invalid URI to Request::create (neclimdul)

This PR was merged into the 6.3 branch.

Discussion

[HttpFoundation] Deprecate passing invalid URI to Request::create

Fixes: #47084

Passing an invalid URI to Request::create triggers an undefined code path. In PHP7 the false value returned by parse_url would quietly be treated as a an array through type coercion leading to unexpected results. In PHP8 this triggers a deprecation exposing the bug.

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | yes | New feature? | no | Deprecations? | yes | Tickets | Fix #47084 | License | MIT

Commits

bce4c27097 [HttpFoundation] Deprecate passing invalid URI to Request::create

[ErrorHander] Display exception properties in the HTML error page

feature #49620 [ErrorHander] Display exception properties in the HTML error page (lyrixx)

This PR was squashed before being merged into the 6.3 branch.

Discussion

[ErrorHander] Display exception properties in the HTML error page

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | Fix #49613 | License | MIT | Doc PR |

class MyException extends \Exception
{
    public function __construct()
    {
        parent ::__construct('some_message', 0, new MyException2());
    }

    public string $myMessage = 'some_message';
    public string $myCode = 'some_code';
    private string $privateStuff = 'private_stuff';
}

class MyException2 extends \Exception
{
    private string $anotherPrivateStuff = 'another_private_stuff';
}

Commits

b041d06492 [ErrorHander] Display exception properties in the HTML error page

Create Attributes to map data from Request to typed objects

@nicolas-grekas rebased again :smiley:

[Security] Add logout configuration for Clear-Site-Data header

[Validator] Add the excluded option to the Cascade constraint

[Tests] Replace setMethods() by onlyMethods() and addMethods()

[Security] remove deprecated conditions in supports and authenticate methods from AccessListener class

minor #49635 [Security] AccessListener Class : remove deprecated conditions in supports and authenticate methods (AntoineDly)

This PR was submitted for the 6.3 branch but it was merged into the 6.2 branch instead.

Discussion

[Security] AccessListener Class : remove deprecated conditions in supports and authenticate methods

…methods from AccessListener class

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | no | Deprecations? | yes | Tickets | - | License | MIT | Doc PR | -

This PR is about the deprecation of IS_AUTHENTICATED_ANONYMOUSLY in the AuthenticatedVoter.

Since IS_AUTHENTICATED_ANONYMOUSLY as been removed from Voter, it can be misleading if it's still in use in the AccessListener Class. I removed it since the condition wasn't usefull anymore.

Commits

f9077f9bde [Security] remove deprecated conditions in supports and authenticate methods from AccessListener class

[DependencyInjection] Add support for autowiring services as closures using attributes

minor #49624 [Tests] Replace setMethods() by onlyMethods() and addMethods() (alexandre-daubois)

This PR was merged into the 5.4 branch.

Discussion

[Tests] Replace setMethods() by onlyMethods() and addMethods()

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | -

setMethods() is deprecated and must be replaced by onlyMethods() and addMethods(). This PR fixes this 🙂

Commits

d8ec2afb53 [Tests] Replace setMethods() by onlyMethods() and addMethods()

feature #49628 [DependencyInjection] Add support for autowiring services as closures using attributes (nicolas-grekas)

This PR was merged into the 6.3 branch.

Discussion

[DependencyInjection] Add support for autowiring services as closures using attributes

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | - | License | MIT | Doc PR | -

When dealing with laziness on the consumer side, a common pattern is to wrap a heavy service in a closure and call it only when needed.

This PR adds attribute #[AutowireServiceClosure] for this purpose:

// generate a closure that returns service "foo"
public function __construct(
    #[AutowireServiceClosure('foo')]
    \Closure $foo,
)

It also adds support for turning callables into closures with a new #[AutowireCallable] attribute:

// generate a closure that calls "foo"::someMethod()
public function __construct(
    #[AutowireCallable(service: 'foo', method: 'someMethod')]
    \Closure $foo,
)

Of course, this fully leverages autowiring aliases, so that instead of "foo", you can use MyInterface::class.

Commits

9869327ab2 [DependencyInjection] Add support for autowiring services as closures using attributes

[DependencyInjection] Deprecate #[MapDecorated] in favor of #[AutowireDecorated]

Merge branch '5.4' into 6.2

• 5.4: [Tests] Replace setMethods() by onlyMethods() and addMethods()

Merge branch '6.2' into 6.3

• 6.2: [Security] remove deprecated conditions in supports and authenticate methods from AccessListener class [Tests] Replace setMethods() by onlyMethods() and addMethods()

[Messenger] make StopWorkerOnSignalsListener listen by default on SIGTERM and SIGINT

[Dotenv] Improve Dotenv::usePutenv phpdoc

[DependencyInjection] Add tests for #[TaggedIterator] & #[TaggedLocator] on controller arguments

Fix support binary values in parameters.

bug #49651 [DependencyInjection] Fix support binary values in parameters. (vtsykun)

This PR was merged into the 5.4 branch.

Discussion

[DependencyInjection] Fix support binary values in parameters.

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49638 | License | MIT | Doc PR | -

This issue related to #25928

Step to reproduce

1. Add parameter like this

parameters:
    banner_message: "\e[37;44m#StandWith\e[30;43mUkraine\e[0m"

2. Run command debug:router

Actual result:

Commits

8541643756 Fix support binary values in parameters.

minor #49649 [Dotenv] Improve Dotenv::usePutenv phpdoc (alamirault)

This PR was merged into the 5.4 branch.

Discussion

[Dotenv] Improve Dotenv::usePutenv phpdoc

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #49648 | License | MIT | Doc PR | symfony/symfony-docs#...

Cureent comment is confusing. This PR try avoid mislead

Commits

80c7a65c45 [Dotenv] Improve Dotenv::usePutenv phpdoc

[Tests] Remove occurrences of withConsecutive()

minor #49621 [Tests] Remove occurrences of withConsecutive() (alexandre-daubois)

This PR was merged into the 5.4 branch.

Discussion

[Tests] Remove occurrences of withConsecutive()

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | -

withConsecutive() has been deprecated in PHPUnit 9.6 and removed in PHP 10 (https://github.com/sebastianbergmann/phpunit/issues/4564). This PR aims at starting the work to remove these occurrences. There is unfortunately no given migration path, and this requires manual work.

I'll create a meta issue referencing remaining occurrences if this one's merged, to keep track. Some seems pretty hard to remove.

cc @OskarStark this might interest you, as we worked a lot on tests lately 😄

Commits

2047763649 [Tests] Remove occurrences of withConsecutive()

minor #49500 [HttpKernel] Add tests for #[TaggedIterator] & #[TaggedLocator] on controller arguments (HypeMC)

This PR was merged into the 6.3 branch.

Discussion

[HttpKernel] Add tests for #[TaggedIterator] & #[TaggedLocator] on controller arguments

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #49083 | License | MIT | Doc PR | -

~~I think this doesn't qualify as a bug fix, but an improvement. If I'm wrong please let me know.~~

#49628 fixed the issue, this PR only adds tests now.

Commits

121e072194 [DependencyInjection] Add tests for #[TaggedIterator] & #[TaggedLocator] on controller arguments

Wrap use of \Locale in a class_exists test

minor #49609 [Translation] Wrap call to \Locale::setDefault from LocaleSwitcher in a class_exists call (larowlan)

This PR was merged into the 6.2 branch.

Discussion

[Translation] Wrap call to \Locale::setDefault from LocaleSwitcher in a class_exists call

| Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | N/a - see below | License | MIT | Doc PR | n/a

In #45793 a new LocaleSwitcher was added which uses the \Locale class from ext-intl. On upgrading an English only project from 5.4 to 6.2, I received the following error as we don't have the ext-intl extension

Error: Class "Locale" not found

I searched for previous PRs to add a dependency on ext-intl and came across one for the string component directing the user to install a polyfill.

Should symfony/translation therefore depend on the polyfill - otherwise updating is broken without manually installing the polyfill?

If so, here's a PR for that.

Keep up the good work folks :heart:

Commits

c043e93fd7 Wrap use of \Locale in a class_exists test

[DependencyInjection] Keep track of decorated ids

[GHA] use stubs instead of extensions for psalm job

minor #49626 [GHA] use stubs instead of extensions for psalm job (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion

[GHA] use stubs instead of extensions for psalm job

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | -

Commits

d609b670ff [GHA] use stubs instead of extensions for psalm job

Merge branch '5.4' into 6.2

• 5.4: [GHA] use stubs instead of extensions for psalm job

Merge branch '6.2' into 6.3

• 6.2: [GHA] use stubs instead of extensions for psalm job Wrap use of \Locale in a class_exists test

minor #49625 [DependencyInjection] Keep track of decorated ids (nicolas-grekas)

This PR was merged into the 6.3 branch.

Discussion

[DependencyInjection] Keep track of decorated ids

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | - | License | MIT | Doc PR | -

When a service "foo" is decorated by a service "bar", all references to "foo" are replaced by references to "bar".

This has visible side effects e.g. when running debug:autowiring, before this PR:

Symfony\Contracts\HttpClient\HttpClientInterface (.debug.http_client)

After:

Symfony\Contracts\HttpClient\HttpClientInterface (http_client)

Details matter ;)

This PR replaces #49622 since it's a less invasive way to achieve this behavior.

Commits

1ac07d3d38 [DependencyInjection] Keep track of decorated ids

[Seurity] Minor code cleanup in SecurityExtension

minor #49640 [SecurityBundle] Minor code cleanup in SecurityExtension (maxbeckers)

This PR was merged into the 6.3 branch.

Discussion

[SecurityBundle] Minor code cleanup in SecurityExtension

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | n/a | License | MIT | Doc PR | n/a

Remove a var only used once.

Commits

edf8d1dd4b [Seurity] Minor code cleanup in SecurityExtension

[HttpKernel] Renamed "pinned" to "targeted" for value resolvers

minor #49636 [HttpKernel] Renamed "pinned" to "targeted" for value resolvers (nicolas-grekas)

This PR was merged into the 6.3 branch.

Discussion

[HttpKernel] Renamed "pinned" to "targeted" for value resolvers

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | -

"pinned" was introduced in #48992 but a quick chat within the core-team lead to this proposal, which might be preferred. WDYT?

Commits

ad58cc65fd [HttpKernel] Renamed "pinned" to "targeted" for value resolvers

Create Attributes to map data from Request to typed objects

Create #[Serialize] Attribute to serialize Controller Result

Added condition to always return the real Authenticator

[Security] Migrate the session on login only when the user changes

feature #49015 [Security] Added condition to always return the real Authenticator from security events (florentdestremau)

This PR was merged into the 6.3 branch.

Discussion

[Security] Added condition to always return the real Authenticator from security events

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no / maybe | New feature? | yes / maybe | Deprecations? | no | Tickets | Fix #49010 | License | MIT | Doc PR | symfony/symfony-docs#...

This PR aims to uniformise the getAuthenticator method of several security Events when using the profiler in dev environement.

Commits

5e6b471a15 Added condition to always return the real Authenticator

Removed @internal tag on TraceableAuthenticator::getAuthenticator()

[TwigBridge] Fix TwigDataCollector::getTime() return type

[Messenger] Fix TransportNamesStamp deserialization

| Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | https://github.com/symfony/symfony/issues/31490#issuecomment-1439927253 | License | MIT | Doc PR | n/a

Currently, when ones use TransportNameStamp the following exception occurs:

In Serializer.php line 125:

  [Symfony\Component\Messenger\Exception\MessageDecodingFailedException]
  Could not decode stamp: Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

In AbstractNormalizer.php line 384:

  [Symfony\Component\Serializer\Exception\MissingConstructorArgumentsException]
  Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

This PR renames TransportNamesStamp constructor argument in order to match the accesor method (getTranspdortNames) so that deserialization work.

I know this is technically a BC break but as far as I can tell the feature can not currently work this way and also named arguments are not covered by Symfony's BC if I remember correctly.

bug #49526 [Security] Migrate the session on login only when the user changes (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion

[Security] Migrate the session on login only when the user changes

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49194 | License | MIT | Doc PR | -

As described in the linked issue, the recent security fix breaks submitting forms when stateless authenticators are mixed with stateful CSRF storage.

This PR fixes the issue by ensuring that the session is not migrated when the user selected by the stateless authenticator is the same as the one retrieved from the session.

In order to do so, I had add to the previous token to LoginSuccessEvent.

/cc @wouterj @weaverryan @stof can you please have a look? This should be part of the next release if possible.

Commits

238f25c937 [Security] Migrate the session on login only when the user changes

Merge remote-tracking branch 'origin/5.4' into 6.2

• origin/5.4: [Security] Migrate the session on login only when the user changes

Merge remote-tracking branch 'origin/6.2' into 6.3

• origin/6.2: [Security] Migrate the session on login only when the user changes

Update CHANGELOG for 5.4.21

Update CONTRIBUTORS for 5.4.21

Update VERSION for 5.4.21

Merge pull request #49558 from fabpot/release-5.4.21

released v5.4.21

Bump Symfony version to 5.4.22

Update CHANGELOG for 6.2.7

Update VERSION for 6.2.7

Merge pull request #49559 from fabpot/release-6.2.7

released v6.2.7

Bump Symfony version to 6.2.8

Fix typo

Fix typo

Create #[Serialize] Attribute to serialize Controller Result

Added condition to always return the real Authenticator

[Security] Migrate the session on login only when the user changes

feature #49015 [Security] Added condition to always return the real Authenticator from security events (florentdestremau)

This PR was merged into the 6.3 branch.

Discussion

[Security] Added condition to always return the real Authenticator from security events

| Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no / maybe | New feature? | yes / maybe | Deprecations? | no | Tickets | Fix #49010 | License | MIT | Doc PR | symfony/symfony-docs#...

This PR aims to uniformise the getAuthenticator method of several security Events when using the profiler in dev environement.

Commits

5e6b471a15 Added condition to always return the real Authenticator

Removed @internal tag on TraceableAuthenticator::getAuthenticator()

[TwigBridge] Fix TwigDataCollector::getTime() return type

[Messenger] Fix TransportNamesStamp deserialization

| Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | https://github.com/symfony/symfony/issues/31490#issuecomment-1439927253 | License | MIT | Doc PR | n/a

Currently, when ones use TransportNameStamp the following exception occurs:

In Serializer.php line 125:

  [Symfony\Component\Messenger\Exception\MessageDecodingFailedException]
  Could not decode stamp: Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

In AbstractNormalizer.php line 384:

  [Symfony\Component\Serializer\Exception\MissingConstructorArgumentsException]
  Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

This PR renames TransportNamesStamp constructor argument in order to match the accesor method (getTranspdortNames) so that deserialization work.

I know this is technically a BC break but as far as I can tell the feature can not currently work this way and also named arguments are not covered by Symfony's BC if I remember correctly.

bug #49526 [Security] Migrate the session on login only when the user changes (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion

[Security] Migrate the session on login only when the user changes

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49194 | License | MIT | Doc PR | -

As described in the linked issue, the recent security fix breaks submitting forms when stateless authenticators are mixed with stateful CSRF storage.

This PR fixes the issue by ensuring that the session is not migrated when the user selected by the stateless authenticator is the same as the one retrieved from the session.

In order to do so, I had add to the previous token to LoginSuccessEvent.

/cc @wouterj @weaverryan @stof can you please have a look? This should be part of the next release if possible.

Commits

238f25c937 [Security] Migrate the session on login only when the user changes

Merge remote-tracking branch 'origin/5.4' into 6.2

• origin/5.4: [Security] Migrate the session on login only when the user changes

Merge remote-tracking branch 'origin/6.2' into 6.3

• origin/6.2: [Security] Migrate the session on login only when the user changes

Update CHANGELOG for 5.4.21

Update CONTRIBUTORS for 5.4.21

Update VERSION for 5.4.21

Merge pull request #49558 from fabpot/release-5.4.21

released v5.4.21

Bump Symfony version to 5.4.22

Update CHANGELOG for 6.2.7

Update VERSION for 6.2.7

Merge pull request #49559 from fabpot/release-6.2.7

released v6.2.7

Bump Symfony version to 6.2.8

Fix typo

Fix typo

Removed @internal tag on TraceableAuthenticator::getAuthenticator()

[Messenger] Fix TransportNamesStamp deserialization

| Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | https://github.com/symfony/symfony/issues/31490#issuecomment-1439927253 | License | MIT | Doc PR | n/a

Currently, when ones use TransportNameStamp the following exception occurs:

In Serializer.php line 125:

  [Symfony\Component\Messenger\Exception\MessageDecodingFailedException]
  Could not decode stamp: Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

In AbstractNormalizer.php line 384:

  [Symfony\Component\Serializer\Exception\MissingConstructorArgumentsException]
  Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

This PR renames TransportNamesStamp constructor argument in order to match the accesor method (getTranspdortNames) so that deserialization work.

I know this is technically a BC break but as far as I can tell the feature can not currently work this way and also named arguments are not covered by Symfony's BC if I remember correctly.

Update CHANGELOG for 5.4.21

Update CONTRIBUTORS for 5.4.21

Update VERSION for 5.4.21

Merge pull request #49558 from fabpot/release-5.4.21

released v5.4.21

Bump Symfony version to 5.4.22

Update CHANGELOG for 6.2.7

Update VERSION for 6.2.7

Merge pull request #49559 from fabpot/release-6.2.7

released v6.2.7

Bump Symfony version to 6.2.8

[DependencyInjection] Fix dumping array of enums parameters

bug #49578 [DependencyInjection] Fix dumping array of enums parameters (fancyweb)

This PR was merged into the 5.4 branch.

Discussion

[DependencyInjection] Fix dumping array of enums parameters

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | https://github.com/symfony/symfony/issues/49505 | License | MIT | Doc PR | -

Commits

97c5874320 [DependencyInjection] Fix dumping array of enums parameters

bug #49541 [Security] Remove @internal tag on TraceableAuthenticator::getAuthenticator() (florentdestremau)

This PR was merged into the 5.4 branch.

Discussion

[Security] Remove @internal tag on TraceableAuthenticator::getAuthenticator()

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | See #49015 | License | MIT

Following the discussion in #49015 I made this PR

Commits

0a8ba937b7 Removed @internal tag on TraceableAuthenticator::getAuthenticator()

[HttpClient] Fix encoding "+" in URLs

bug #49580 [HttpClient] Fix encoding "+" in URLs (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion

[HttpClient] Fix encoding "+" in URLs

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #49579 | License | MIT | Doc PR | -

My bad.

Commits

e79eebb7ba [HttpClient] Fix encoding "+" in URLs

[TwigBridge] Fix flagged malicious url

minor #49602 [TwigBridge] Fix flagged malicious url (alamirault)

This PR was merged into the 5.4 branch.

Discussion

[TwigBridge] Fix flagged malicious url

| Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #47454 | License | MIT | Doc PR | symfony/symfony-docs#...

We already use github blob links in the codebase, so IMO we can replace raw.githubusercontent.com by github.com link

Commits

2b11a453db [TwigBridge] Fix flagged malicious url

bug #49548 [Messenger] Fix TransportNamesStamp deserialization (tucksaun)

This PR was merged into the 6.2 branch.

Discussion

[Messenger] Fix TransportNamesStamp deserialization

| Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | #49574, https://github.com/symfony/symfony/issues/31490#issuecomment-1439927253 | License | MIT | Doc PR | n/a

Currently, when ones use TransportNameStamp the following exception can occur if they don't use native PHP serialization:

In Serializer.php line 125:

  [Symfony\Component\Messenger\Exception\MessageDecodingFailedException]
  Could not decode stamp: Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

In AbstractNormalizer.php line 384:

  [Symfony\Component\Serializer\Exception\MissingConstructorArgumentsException]
  Cannot create an instance of "Symfony\Component\Messenger\Stamp\TransportNamesStamp" from serialized data because its constructor requires parameter "transports" to be present.

This PR renames TransportNamesStamp constructor argument in order to match the accessor method (getTransportNames) so that deserialization works when using the Serializer.

I know this is technically a (small) BC break but Symfony's BC does not cover named arguments if I remember correctly.

Commits

2c7eee068f [Messenger] Fix TransportNamesStamp deserialization

[VarDumper] Add a bit of test coverage