eZecosystem / Mirror / Symfony Blog

This week Symfony published 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14 and 4.1.3 security releases to fix two security vulnerabilities related to HTTP headers.

Symfony development highlights

2.8 changelog:

  • 9d0ff4f: [HttpKernel] fixed invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet
  • 6604978: [HttpFoundation] removed support for legacy and risky HTTP headers
  • 0f7667d: [HttpKernel] fixed trusted headers management in HttpCache and InlineFragmentRenderer
  • 5d8bf16: [HttpFoundation] removed the Expires header when calling Response::expire()
  • 470ac26: [PropertyInfo] allowed nested collections

Master changelog:

  • fbe4bc1: [Yaml] save preg_match() calls when possible
  • 924f7f9: [DomCrawler] made the base URI optional when elements use absolute URIs
  • 6198223: [WebProfilerBundle] append new ajax request to the end of the list
  • dd2f830: [Form] added options for separate date/time labels in DateTimeType

Newest issues and pull requests

They talked about us

Upcoming Symfony Events

Call to Action


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/05/2018 03:28 am   Symfony Blog   Mirror   Link  

Affected versions

Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13, and 4.1.0 to 4.1.2 versions of the Symfony HttpKernel component are affected by this security issue.

The issue has been fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.

Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.

Description

When using HttpCache, the values of the X-Forwarded-Host headers are implicitly and wrongly set as trusted, leading to potential host header injection.

Resolution

The trusted headers are removed when doing internal sub-requests and the remote client is not trusted.

The patch for this issue is available here for branch 2.8.

Credits

I would like to thank @chaosversum for reporting the issue and Nicolas Grekas for fixing it.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 10:35 am   Symfony Blog   Mirror   Link  

Affected versions

Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2 versions of the Symfony HttpFoundation component are affected by this security issue.

The issue has been fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.

Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.

Description

Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.

The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.

Resolution

Support for the offending headers has been removed.

The patch for this issue is available here for branch 2.8.

Credits

I would like to thank Michael Cullum for reporting the issue and Nicolas Grekas for fixing it.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 10:35 am   Symfony Blog   Mirror   Link  

Symfony 4.1.3 has just been released. Here is a list of the most important changes:

  • security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
  • security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)
  • bug #28003 [HttpKernel] Fixes invalid REMOT _ADDR in inline subrequest when configuring trusted proxy with subnet (@netiul)
  • bug #28007 [FrameworkBundle] fixed guard event names for transitions (@destillat)
  • bug #28045 [HttpFoundation] Fix Cookie::isCleared (@ro0NL)
  • bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (@Phobetor)
  • bug #28059 [Messenger] Fix error message on undefined message class for non-subscriber handler (@chalasr)
  • bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (@nicolas-grekas)
  • bug #28014 [Messenger] Fix chaining senders with their aliases (@sroze)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 10:34 am   Symfony Blog   Mirror   Link  

Symfony 4.0.14 has just been released. Here is a list of the most important changes:

  • security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
  • security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)
  • bug #28003 [HttpKernel] Fixes invalid REMOT _ADDR in inline subrequest when configuring trusted proxy with subnet (@netiul)
  • bug #28007 [FrameworkBundle] fixed guard event names for transitions (@destillat)
  • bug #28045 [HttpFoundation] Fix Cookie::isCleared (@ro0NL)
  • bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (@Phobetor)
  • bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 10:29 am   Symfony Blog   Mirror   Link  

Symfony 3.4.14 has just been released. Here is a list of the most important changes:

  • security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
  • security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)
  • bug #28003 [HttpKernel] Fixes invalid REMOT _ADDR in inline subrequest when configuring trusted proxy with subnet (@netiul)
  • bug #28007 [FrameworkBundle] fixed guard event names for transitions (@destillat)
  • bug #28045 [HttpFoundation] Fix Cookie::isCleared (@ro0NL)
  • bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (@Phobetor)
  • bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 09:55 am   Symfony Blog   Mirror   Link  

Symfony 2.8.44 has just been released. Here is a list of the most important changes:

  • security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
  • security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)
  • bug #28003 [HttpKernel] Fixes invalid REMOT _ADDR in inline subrequest when configuring trusted proxy with subnet (@netiul)
  • bug #28045 [HttpFoundation] Fix Cookie::isCleared (@ro0NL)
  • bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (@Phobetor)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 09:46 am   Symfony Blog   Mirror   Link  

Symfony 3.3.18 has just been released. Here is a list of the most important changes:

  • security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
  • security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 09:08 am   Symfony Blog   Mirror   Link  

Symfony 2.7.49 has just been released. Here is a list of the most important changes:

  • security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
  • security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
08/01/2018 09:00 am   Symfony Blog   Mirror   Link  

This week Symfony 2.8.43, 3.4.13, 4.0.13, and 4.1.2 maintenance versions were released. 4.0.13 was the last version of the 4.0 branch which will keep receiving security fixes until January 2019.

Symfony development highlights

2.8 changelog:

  • b2ec4aa: [HttpKernel] fixed templateExists on parse error of the template name
  • 82d13da: fixed coding standards

3.4 changelog:

  • 707e52a: [Form] fixed truncating form views in data collector
  • 1b9baa4: [HttpKernel] fixed merging bindings for controllers' locators

4.1 changelog:

  • 975421c: [Messenger] fixed chaining senders with their aliases
  • abc4ef2: [PhpUnitBridge] describe weak_vendors properly
  • afb17ab: [Messenger] fixed error message on undefined message class for non-subscriber handler

Newest issues and pull requests

They talked about us

Upcoming Symfony Events

Call to Action


Be trained by Symfony experts - 2018-08-6 Paris - 2018-08-6 Paris - 2018-08-8 Paris
07/29/2018 03:15 am   Symfony Blog   Mirror   Link  

Berlin will see its next SymfonyLive from October 24th to 26th! This year, we are moving to a new, but familiar, venue: the Mercure MOA, where the international SymfonyCon 2016 took place.

As usual for the Berlin edition, we will have two days of workshops, and a single day conference with two tracks full of talks about Symfony and related technologies.

The CfP is now open!

The CfP for Berlin is already open, so go ahead and submit your talk ideas until July 31st!

We are looking for talks about Symfony features, related libraries, developer workflows, DevOps, infrastructure technologies, and modern Javascript. The conference main language, as always, will be German. However, we will accept a few selected talks in English, so feel free to submit if you are from abroad.

Who are we looking for?

Everybody, actually! If you are not a seasoned speaker, and are unsure if you are ready to talk at a SymfonyLive, we are there to support you! Contact us on Twitter or directly via email, or come and visit us at one of our user groups in Berlin or Cologne. We are happy to provide tips, tricks, and mentoring on your topic and for writing your abstract. As always, all speakers will be reimbursed for travel and hotel expenses, are invited to our special speakers’ dinner, and get full access to the conference.

The CfP process does not consider speakers based on any racial, gender or physical criteria. All abstracts are evaluated solely based on content and relevance to the conference.

Our goal is to provide a safe and comfortable environment for all Symfony conferences. As both a speaker and an attendee, you agree to abide by our code of conduct. SensioLabs will provide a care team at the conference venue who will be open to any and all your questions, and will help to solve any situation.

Workshops

SymfonyLive offers two days of workshops, covering topics from beginner to advanced, from some of the best workshop trainers around. The workshop schedule is published already, so be sure to hop over and get your ticket!

See you all in Berlin :)


Be trained by Symfony experts - 2018-07-23 Paris - 2018-07-23 Paris - 2018-07-25 Paris
07/18/2018 08:17 am   Symfony Blog   Mirror   Link  

We’re very pleased to announce that the conference schedule for this year’s edition of the SymfonyLive conference in London is online. Join us on September 28th for an intense conference day dedicated to Symfony, divided into 2 tracks.

Discover now all the speakers selected and the talks they will present there! We’re very excited to welcome 14 speakers at the conference (in alphabetical order):

  • Zan Baldwin who will be speaking about “The Symfony Open-source Community” at the closing Keynote! Stay tuned for more details to be announced soon.

  • Neal Brooks will speak about “Running Symfony on AWS Lambda”. If you ever find yourself deploying your Symfony app to your EC2 boxes and wondering if you're using your resources wisely, then this talk is for you!

  • Michael Cullum will be talking about “Building first-class REST APIs with Symfony”. In this talk Michael will show you how you can build a simple maintainable REST API using the Symfony components that can perform some simple operations in ways that are clean and simple.

  • Kévin Dunglas, Symfony Core Team member, will be presenting a talk about “Panther: test your Symfony apps with real web browsers”. Symfony Panther is a brand new e2e testing and web scrapping library written in PHP that drives real browsers thanks to the WebDriver protocol from the W3C. Let’s meet the feline!

  • Sandra Eriksson will present a talk about “What is accessibility, and why I should care?”. Find out more about the accessibility area, WCAG (Web Content Accessibility Guidelines) and how to improve accessibility in ICT products (Information Communications Technology) for users with disabilities.

  • Christian Flothmann and Christopher Hertel will present a talk entitled “Using Symfony Forms with Rich Domain Models” to understand the different aspects of a rich domain model that makes it hard to use it in conjunction with the Form component.

  • Nicolas Grekas, Symfony Core Team member, who will talk about “Symfony Cache: a premium recipe to fast apps”. This talk will show you that caching might be the most efficient strategy to fast apps.

  • Tobias Nyholm will be speaking about “Symfony without the framework bundle”. This talk will go over performance to see what you can do to make an application run faster.

  • Fabien Potencier, Symfony founder and project lead, will be on stage for the opening Keynote! Stay tuned for more details to be announced soon.

  • André Rømcke will speak about “Take your Http caching to the next level with xkey & Fastly”. FOSHttpCache is extending Symfony in many ways, in this talk, you’ll discover how to use it!

  • Samuel Roze, Symfony Core Team member, who will present a talk entitled “Symfony Messenger: Messages, Queues, Workers and more” about the new Messenger component that he created a few months ago.

  • Erin Taylor and Gawain Lynch, will be speaking about “GDPR for web development”. In this talk they’ll give an overview of the main principles of GDPR and their relevance to web development. They’ll describe use cases for back-end and front-end developers working for Symfony and its ecosystem.

An incredible Symfony day is waiting for you, take your conference ticket now! If you want to get the most out of the conference, register for a workshop and conference combo ticket. Several pre-conference workshops are organized on September 27th:

  • Symfony 4 Best Practices by Nicolas Grekas
  • Building API-driven apps with API Platform by Kévin Dunglas
  • Symfony Messenger by Samuel Rozé
  • Lightning Fast Tests by Jakub Zalas

We hope to see you at SymfonyLive London 2018, less than 3 months left before the event!

Let’s meet in London and gather the great British Symfony community. Will you join us?


Be trained by Symfony experts - 2018-07-23 Paris - 2018-07-23 Paris - 2018-07-25 Paris
07/17/2018 03:39 am   Symfony Blog   Mirror   Link  

Following the new features we've added in May in the Events & Meetups section, we're pleased to introduce a brand new section within the main website menu: Symfony Events. This will enable you to find a Symfony event near you more easily.

Symfony Events Menu Option

The Events section itself has also been improved, again! We've added a map where you can see at a glance where are organized all the upcoming Symfony events. You can find on the map: all the upcoming official Symfony conferences pinned in red and all the upcoming Symfony community events pinned in blue.

Symfony events map

Remember that lately new features were added to this section: all the past events are still shown and the «add to my calendar» button was added. But there is more! You can now find all the Symfony meetups listed in the upcoming community events. Any Symfony meetup created on meetup.com is automatically listed on Symfony website. And you can also add them to your calendar!

We aim to create a unique place for you to find the next Symfony event organized near you! If your meetup is not on the list, contact us or add it on the website. Once you add your event here or on meetup, a tweet is sent from @symfony to announce it and you can find it on the map. This way, all the Symfony events will get more visibility for everyone within the community. You won't miss anymore a Symfony event organized near you!


Be trained by Symfony experts - 2018-07-23 Paris - 2018-07-23 Paris - 2018-07-25 Paris
07/16/2018 04:00 am   Symfony Blog   Mirror   Link  

This week, the upcoming Symfony 4.2 version added a config option to enable the UTF8 mode in routes and improved the Cache component to allow using PDO databases. Meanwhile, form profiling was optimized to reduce its memory footprint and Symfony Contracts were created as a set of abstractions extracted out of the Symfony components.

Symfony development highlights

2.8 changelog:

  • 66b9ebc: [Filesystem] fixed lock file permissions
  • e2c0239: [HttpFoundation] suppress side effects in get() and has() methods of NamespacedAttributeBag
  • f803762: [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called

3.4 changelog:

  • 0fcc874: [Process] fixed the detection of the Process new argument
  • 137753d: [Console] correctly return parameter's default value on "--"
  • 44ce4dd: [WebProfilerBundle] massively reduction of memory footprint when profiling forms

4.1 changelog:

  • a552e84: [Serializer] fixed serialization of items with groups across entities and discrimination map
  • 10f7dcc: [EventDispatcher] clear orphaned events on reset

Master changelog:

  • 10e15dc: [Process, Console] deprecated defining commands as strings
  • 254f4c8: [FrameworkBundle] allow turning routes to utf8 mode by default
  • cbda6a3: [FrameworkBundle, Cache] allow configuring PDO-based cache pools with table auto-creation on first use
  • f20eaf2: [Cache] added MarshallerInterface allowing to change the serializer
  • a5709ee: [ProxyManagerBridge] allow proxifying interfaces
  • c85134c: [Routing] deprecate non string requirement names
  • df26fea: [Console] add title table
  • 20070b7: [BrowserKit] added new methods submitForm and clickLink
  • 1e16a8b, e379146: added symfony/contracts: a set of abstractions extracted out of the Symfony components
  • eb112a5: [DoctrineBridge] inject the entity manager instead of the class metadata factory in DoctrineExtractor

Newest issues and pull requests

They talked about us


Be trained by Symfony experts - 2018-07-23 Paris - 2018-07-23 Paris - 2018-07-25 Paris
07/15/2018 02:31 am   Symfony Blog   Mirror   Link  

A few years ago, we introduced the Symfony Installer as the fastest way to create new Symfony projects. While Composer took up to several minutes to create a new project, Symfony Installer did the same in less than ten seconds.

The trick was that the installer downloaded a ZIP archive with all the dependencies required by the specific Symfony version you were installing, so it was not necessary that Composer resolved the project dependencies.

However, with the release of Symfony 4 we deprecated the Symfony Installer in favor of Composer, because we wanted to use standard development tools as much as possible. Sadly this made creating new Symfony projects slower and, in some cases, it triggered "out of memory" exceptions while Composer was resolving the dependencies.

Making installation via Composer faster

During the past months we've worked hard to improve the performance of Symfony Flex, the package used to create and manage Symfony apps. A few days ago, we made the two biggest improvements ever:

  1. The two skeletons used to create new Symfony projects, symfony/skeleton (for small apps, APIs, microservices, etc.) and symfony/website-skeleton (for traditional web applications) now include a composer.lock file to avoid Composer's dependency resolving (see symfony/skeleton #66 and symfony/web-skeleton #11). An automatic process ensures that those composer.lock files are updated whenever a dependency has a new version.
  2. Symfony Flex removes all the legacy Composer tags from all Symfony components before creating the project. This removes hundreds of unused tags and saves Composer hundreds of thousands of unnecessary checks.

Benchmarks

Thanks to these changes, creating new Symfony projects is between 60% and 90% faster and updating existing projects is up to 50% faster. Actual results may vary depending on your Composer cache, the size of your project and the speed of your Internet connection.

Creating new projects

1
2
3
4
5
6
7
$ composer create-project symfony/skeleton
  # BEFORE: 25 seconds / 395 MB
  # AFTER:  10 seconds / 142 MB

$ composer create-project symfony/website-skeleton
  # BEFORE: 3 minutes 32 seconds / 766 MB
  # AFTER:            21 seconds / 144 MB

Updating existing projects

1
2
3
$ composer update
  # BEFORE: 1 minute 10 seconds / 346 MB
  # AFTER:           33 seconds / 188 MB

Be trained by Symfony experts - 2018-07-23 Paris - 2018-07-23 Paris - 2018-07-25 Paris
07/13/2018 04:32 am   Symfony Blog   Mirror   Link  

This week, Symfony added a ProcessorInterface to allow Monolog processors to be autoconfigured, added a json_login_ldap authentication provider to use LDAP authentication with a REST API and improved the performance of service locators thanks to PHP OPCache. Lastly, Symfony started discussing about adding compatibility with Monolog 2.

Symfony development highlights

2.8 changelog:

  • ae0a69a: added color support for Hyper terminal
  • 7f3aae0: [Doctrine Bridge] fixed usage of wrong variable when tagged subscriber is invalid

3.4 changelog:

  • 19ab889: [DependencyInjection] don't show internal service id on binding errors
  • 9a6fe47: [PropertyInfo] fixed dock block lookup fallback loop
  • 332b7fd: [TwigBridge] fixed missing path and separators in loader paths list on debug:twig output
  • 6fea634: [OptionResolver] added support to resolve nested arrays
  • 1cb3b5b: [DependencyInjection] fixed dumping ignore-on-uninitialized references to synthetic services
  • 2a2e6f1: [HttpFoundation] don't encode cookie name for BC

4.0 changelog:

  • 8a96fdc: [Security] fixed accepting null as $uidKey in LdapUserProvider
  • 332b7fd: [TwigBridge] fixed missing path and separators in loader paths list on debug:twig output

4.1 changelog:

  • 1aae233: [PropertyInfo] added handling of nullable types in PhpDoc

Master changelog:

  • 27b89cb: [Security] use AuthenticationTrustResolver in SimplePreAuthenticationListener
  • 9da0454: [Security] report file+line of unserialization errors in Firewall/ContextListener
  • f27c3a8: [MonologBridge] added ProcessorInterface to enable autoconfiguration of monolog processors
  • 44d4330: [Messenger] fixed a bug when having more than one named handler per message subscriber
  • 6cefd88: [SecurityBundle] add JSON login LDAP
  • 1cf8146: [Workflow] fixed autofit label in rendering
  • 6d3f63d: [DependencyInjection] added ServiceLocatorArgument to generate array-based locators optimized for OPcache shared memory
  • ac1189a: [Serializer] allow to access to the format and context in circular ref handler
  • 18c2dde: [HttpKernel] turn HTTP exceptions to HTTP status codes by default

Newest issues and pull requests

They talked about us


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
07/08/2018 03:29 am   Symfony Blog   Mirror   Link  

The SymfonyLive conference in the USA will take place from October 9th to 12th in San Francisco.

Never been at a SymfonyLive conference before? Join us at the SymfonyLive USA: it is a 4-day event, the only one dedicated to Symfony in the USA, where you can learn all the latest news about Symfony:

  • Two-day workshop: Tuesday, 9th and Wednesday, 10th

  • Two-day conference: Thursday, 11th and Friday, 12th

The Call for Papers is still open for a few days, if you have any best practices, experience, tips, use case to share with the US Symfony community, think about submitting a talk proposal for the conference. CFP is open until July 8th to anyone in the Symfony community. Unexperienced speakers are welcome, we've created a mentoring program for speakers to help anyone to take the plundge and submit a talk proposal. You can find all the information about our mentoring program on the dedicated blog post!

Even if you think you’re not ready yet to be on stage, book now your seat to the conference! Early bird registration ends on July 15th. Conference tickets are only $239 for early bird registration and price goes up after July 15th.

Interested in learning more about Symfony? Register to the pre-conference workshops too, organized on October 9th and 10th. Several workshops are scheduled:

  • Getting up and running with Symfony (2 days)

Learn how to efficiently use the service container and register your own services. You'll also discover how to setup and run a unit and functional tests suite with PHPUnit to improve the quality and stability of your code.

  • Extending and Hacking Symfony (2 days)

Understand how to easily hack and extend some parts of the Symfony framework thanks to the dependency injection container and how to master some advanced tools such as the form and validation components, as well as the event dispatcher system to decouple your code.

  • Mastering OOD & Design Patterns (1 day combo with Symfony 4 Best Practices)

Learn how to write cleaner, more robust and more testable object oriented code and how to make your code respect the SOLID principles.

  • Symfony 4 Best Practices (1 day combo with Mastering OOD & Design Patterns)

Discover the new practices recommended by the Symfony Core team. You will learn how to install third-party packages with Symfony Flex, configure your application with environment variables or exploit the new features of the dependency injection container.

Get your combo ticket for the pre-conference workshops and the conference at the early bird price of $1,543 until July 8th.

Enjoy the atmosphere of downtown San Francisco while hearing all the latest and best developments with Symfony! See you there!


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
07/06/2018 03:22 am   Symfony Blog   Mirror   Link  

This week, the upcoming Symfony 4.2 version added the ability to clear form errors, improved Doctrine event listeners to always lazy load them and tweaked some the VarDumper output. In addition, this is the 600th weekly summary for the Symfony project. Thanks for reading us and for being part of the Symfony community!

Symfony development highlights

2.8 changelog:

  • abe49ef: [Intl] update ICU data to 62.1
  • 1371b8f: [DependencyInjection] fixed dumping deprecated service in yaml
  • 6e5c15d: [SecurityBundle] don't throw if security.http_utils is not found

3.4 changelog:

  • 2d29e2d: [TwigBundle] add the Twig WebLinkExtension only if the WebLink component is enabled
  • 5971e2d: [Debug] redesign the Debug error page in prod
  • ad066bb: [HttpFoundation] fixed registration of session proxies
  • b9a3c87: [HttpFoundation] fixed session tracking counter
  • 0990bbd: [ProxyManagerBridge] fixed support of private services

4.1 changelog:

  • 6f47d0c: [Serializer] use CsvEncoder::AS_COLLECTION_KEY constant
  • 3f4644b: [Routing] fixed too much greediness in host-matching regex
  • 9604e69: [Routing] disallow object usage inside Route
  • d4561e4: [DependencyInjection] fixed handling of empty DI extension configs
  • 18aec2d: [Serializer] class discriminator and serialization groups

Master changelog:

  • 53a39b7: [Form] added ability to clear form errors
  • 0dcf111: [Translation] added support for translation files with other filename patterns
  • d871473: [PropertyAccess] add Property Path to Exception Message
  • 21a3439: [Config] deprecated tree builders without root nodes
  • 2b9c142: [WebProfilerBundle] display uploaded files details
  • 1a3d445: [PropertyInfo] implement Collection types in PhpDocExtractor
  • 0252a00: [HttpKernel] improved an error message related to controllers
  • 17977c8: [Cache] ArrayAdapter and NullAdapter don't need stampede protection
  • 83232f8: [DoctrineBridge] always load event listeners lazy via ServiceLocator
  • 9bb990f: [VarDumper] show proxified class on hover
  • c52b2e9: [VarDumper] display the signature of callables
  • 83d116b: [VarDumper] made control characters non-selectable in HTML
  • 80aa8df: [Serializer] allow to pass a single value for the groups option

Newest issues and pull requests

They talked about us


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
07/01/2018 02:56 am   Symfony Blog   Mirror   Link  

SymfonyLive London is only 3 months away! Did you take your ticket yet? Early bird registration is still open for a few days, get your conference ticket at 129£ until July 1st. After that, regular price will apply and the conference ticket will be at 169£, save 40£ on your conference ticket now!

SymfonyLive London 2018 is a 2-day event on September 27th, workshop day and September 28th, 2 tracks conference day.

You can buy a combo ticket to register for a workshop and the conference at 543£ until July 1st (early bird price). 4 different workshops are scheduled on September 27th, discover them:

  • Symfony 4 Best Practices by Nicolas Grekas: Symfony 4 changes the way you develop web applications. During this workshop, you will discover the new practices recommended by the Symfony Core team.

  • Building API-driven apps with API Platform by Kévin Dunglas: API Platform has become a very popular framework to build advanced and modern API-driven web projects. After an overview of modern API patterns and formats (REST, Swagger, hypermedia, HATEOAS, JSON-LD, Hydra, Schema.org, GraphQL...), we'll learn how to use and extend the most popular features of the API Platform API component.

  • Symfony Messenger by Samuel Rozé: The Messenger component just landed in Symfony 4.1. It drastically simplifies the use of message buses and handling asynchronous operations using message queues such as RabbitMq. Discover all about it by the creator of the component.

  • Lightning Fast Tests by Jakub Zalas: Learn everything from writing good unit tests, through using test doubles (like stubs or mocks), to writing integration tests. Learn how to structure your project to benefit from a test-first design.

The conference schedule is coming soon! The Call for Papers ended last Monday and we'd like to thank all the people who submitted a talk proposal there. We're currently reviewing all the submissions we received but we can already announce the first selected speakers!

We're excited to welcome Michelle Sanver who will speak about "Using the Symfony WorkFlow component as a state machine makes handling money easier!". We're also very pleased to welcome Neal Brooks who will talk about "Running Symfony on AWS Lambda". And we're thrilled to welcome Sandra Eriksson who will be speaking about "What is accessibility, and why I should care?". The selected speakers and their talk descriptions will be soon available online, along with the conference schedule. Stay tuned for more information about all the selected speakers.

Ready to join us there? Take now your ticket for SymfonyLive London 2018 to enjoy our early bird and save money! You only have 3 days left to register at early bird, hurry up!


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
06/27/2018 07:57 am   Symfony Blog   Mirror   Link  

Symfony 4.1.1 has just been released. Here is a list of the most important changes:

  • bug #27626 [TwigBundle][DX] Only add the Twig WebLinkExtension if the WebLink component is enabled (@thewilkybarkid)
  • bug #27702 [TwigBundle] bump lowest deps to fix issue with "double-colon" controller service refs (@nicolas-grekas)
  • bug #27701 [SecurityBundle] Dont throw if "security.htt _utils" is not found (@nicolas-grekas)
  • bug #27690 [DI] Resolve env placeholder in logs (@ro0NL)
  • bug #27687 [HttpKernel] fix argument's error messages in ServiceValueResolver (@nicolas-grekas)
  • bug #27614 [VarDumper] Fix dumping by splitting Server/Connection out of Dumper/ServerDumper (@nicolas-grekas)
  • bug #27681 [DI] Avoid leaking unused env placeholders (@ro0NL)
  • bug #26534 allo _extr _attributes does not throw an exception as documented (@deviantintegral)
  • bug #27664 [FrameworkBundle] Ignore keepQueryParams attribute when generating route redirect (@vudaltsov)
  • bug #27668 [Lock] use 'r+' for fopen (fixes issue on Solaris) (@fritzmg)
  • bug #27669 [Filesystem] fix file lock on SunOS (@fritzmg)
  • bug #27662 [HttpKernel] fix handling of nested Error instances (@xabbuh)
  • bug #27651 [Messenger] Fixed MessengerPass::guessHandledClasses return type (@massimilianobraglia)
  • bug #26845 [Config] Fixing GlobResource when inside phar archive (@vworldat)
  • bug #27382 [Form] Fix error when rendering a DateIntervalType form with exactly 0 weeks (@krixon)
  • bug #27309 Fix surrogate not using original request (@Toflar)
  • bug #27467 [HttpKernel] fix session tracking in surrogate master requests (@nicolas-grekas)
  • bug #27632 [HttpFoundation] Ensure RedisSessionHandler::updateTimestamp returns a boolean (@MatTheCat)
  • bug #27630 [Validator][Form] Remove BOM in some xlf files (@gautierderuette)
  • bug #27596 [Framework][Workflow] Added support for interfaces (@vudaltsov)
  • bug #27593 [ProxyManagerBridge] Fixed support of private services (@nicolas-grekas)
  • bug #27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (@nicolas-grekas)
  • bug #27528 [FrameworkBundle] give access to non-shared services when using test.servic _container (@nicolas-grekas)
  • bug #27584 Avoid calling eval when there is no script embedded in the toolbar (@stof)
  • bug #27581 Fix bad method call with guard authentication + session migration (@weaverryan)
  • bug #27576 [Cache] Fix expiry comparisons in array-based pools (@nicolas-grekas)
  • bug #27566 [FrameworkBundle] fix for allowing single colon controller notation (@dmaicher)
  • bug #27556 Avoiding session migration for stateless firewall UsernamePasswordJsonAuthenticationListener (@weaverryan)
  • bug #27452 Avoid migration on stateless firewalls (@weaverryan)
  • bug #27568 [DI] Deduplicate generated proxy classes (@nicolas-grekas)
  • bug #27511 [Routing] fix matching host patterns, utf8 prefixes and non-capturing groups (@nicolas-grekas)
  • bug #27326 [Serializer] deserialize from xml: Fix a collection that contains the only one element (@webnet-fr)
  • bug #27562 [HttpKernel] Log/Collect exceptions at prio 0 (@ro0NL)
  • bug #27567 [PhpUnitBridge] Fix error on some Windows OS (@Nsbx)
  • bug #27357 [Lock] Remove released semaphore (@jderusse)
  • bug #27416 TagAwareAdapter over non-binary memcached connections corrupts memcache (@Aleksey Prilipko)
  • bug #27514 [Debug] Pass previous exception to FatalErrorException (@pmontoya)
  • bug #27516 Revert "bug #26138 [HttpKernel] Catch HttpExceptions when templating is not installed (cilefen)" (@nicolas-grekas)
  • bug #27501 [FrameworkBundle] Fix test-container on kernel reboot, revert to returning the real container from Client::getContainer() (@nicolas-grekas)
  • bug #27472 [DI] Ignore missing tree root nodes on validate (@ro0NL)
  • bug #27458 [WebProfilerBundle] fixed getSession when no session has been set deprecation warnings (@GregOriol)
  • bug #27318 [Cache] memcache connect should not add duplicate entries on sequential calls (@Aleksey Prilipko)
  • bug #27498 [Routing] Don't reorder past variable-length placeholders (@nanocom, @nicolas-grekas)
  • bug #27496 [DebugBundle] DebugBundle::registerCommands should be noop (@ogizanagi)
  • bug #27485 [BrowserKit] Fix a BC break in Client affecting Panthère (@dunglas)
  • bug #27470 [DI] Remove default env type check on validate (@ro0NL)
  • bug #27454 [FrameworkBundle][TwigBridge] Fix BC break from strong dependency on CSRF token storage (@tgalopin)
  • bug #27389 [Serializer] Fix serializer tries to denormalize null values on nullable properties (@ogizanagi)
  • bug #27272 [FrameworkBundle] Change priority of AddConsoleCommandPass to TYP _BEFOR _REMOVING (@upyx)
  • bug #27396 [HttpKernel] fix registering IDE links (@nicolas-grekas)
  • bug #26973 [HttpKernel] Set first trusted proxy as REMOT _ADDR in InlineFragmentRenderer. (@kmadejski)
  • bug #27303 [Process] Consider "executable" suffixes first on Windows (@sanmai)
  • bug #27297 Triggering RememberMe's loginFail() when token cannot be created (@weaverryan)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
06/25/2018 08:32 am   Symfony Blog   Mirror   Link  

Symfony 4.0.12 has just been released. Here is a list of the most important changes:

  • bug #27626 [TwigBundle][DX] Only add the Twig WebLinkExtension if the WebLink component is enabled (@thewilkybarkid)
  • bug #27701 [SecurityBundle] Dont throw if "security.htt _utils" is not found (@nicolas-grekas)
  • bug #27690 [DI] Resolve env placeholder in logs (@ro0NL)
  • bug #26534 allo _extr _attributes does not throw an exception as documented (@deviantintegral)
  • bug #27668 [Lock] use 'r+' for fopen (fixes issue on Solaris) (@fritzmg)
  • bug #27669 [Filesystem] fix file lock on SunOS (@fritzmg)
  • bug #27662 [HttpKernel] fix handling of nested Error instances (@xabbuh)
  • bug #26845 [Config] Fixing GlobResource when inside phar archive (@vworldat)
  • bug #27382 [Form] Fix error when rendering a DateIntervalType form with exactly 0 weeks (@krixon)
  • bug #27309 Fix surrogate not using original request (@Toflar)
  • bug #27467 [HttpKernel] fix session tracking in surrogate master requests (@nicolas-grekas)
  • bug #27630 [Validator][Form] Remove BOM in some xlf files (@gautierderuette)
  • bug #27596 [Framework][Workflow] Added support for interfaces (@vudaltsov)
  • bug #27593 [ProxyManagerBridge] Fixed support of private services (@nicolas-grekas)
  • bug #27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (@nicolas-grekas)
  • bug #27581 Fix bad method call with guard authentication + session migration (@weaverryan)
  • bug #27576 [Cache] Fix expiry comparisons in array-based pools (@nicolas-grekas)
  • bug #27556 Avoiding session migration for stateless firewall UsernamePasswordJsonAuthenticationListener (@weaverryan)
  • bug #27452 Avoid migration on stateless firewalls (@weaverryan)
  • bug #27568 [DI] Deduplicate generated proxy classes (@nicolas-grekas)
  • bug #27326 [Serializer] deserialize from xml: Fix a collection that contains the only one element (@webnet-fr)
  • bug #27567 [PhpUnitBridge] Fix error on some Windows OS (@Nsbx)
  • bug #27357 [Lock] Remove released semaphore (@jderusse)
  • bug #27416 TagAwareAdapter over non-binary memcached connections corrupts memcache (@Aleksey Prilipko)
  • bug #27514 [Debug] Pass previous exception to FatalErrorException (@pmontoya)
  • bug #27516 Revert "bug #26138 [HttpKernel] Catch HttpExceptions when templating is not installed (cilefen)" (@nicolas-grekas)
  • bug #27318 [Cache] memcache connect should not add duplicate entries on sequential calls (@Aleksey Prilipko)
  • bug #27389 [Serializer] Fix serializer tries to denormalize null values on nullable properties (@ogizanagi)
  • bug #27272 [FrameworkBundle] Change priority of AddConsoleCommandPass to TYP _BEFOR _REMOVING (@upyx)
  • bug #27396 [HttpKernel] fix registering IDE links (@nicolas-grekas)
  • bug #26973 [HttpKernel] Set first trusted proxy as REMOT _ADDR in InlineFragmentRenderer. (@kmadejski)
  • bug #27303 [Process] Consider "executable" suffixes first on Windows (@sanmai)
  • bug #27297 Triggering RememberMe's loginFail() when token cannot be created (@weaverryan)
  • bug #27344 [HttpKernel] reset kernel start time on reboot (@kiler129)
  • bug #27365 [Serializer] Check the value of enabl _ma _depth if defined (@dunglas)
  • bug #27358 [PhpUnitBridge] silence some stderr outputs (@ostrolucky)
  • bug #27366 [DI] never inline lazy services (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
06/25/2018 08:04 am   Symfony Blog   Mirror   Link  

Symfony 3.4.12 has just been released. Here is a list of the most important changes:

  • bug #27626 [TwigBundle][DX] Only add the Twig WebLinkExtension if the WebLink component is enabled (@thewilkybarkid)
  • bug #27701 [SecurityBundle] Dont throw if "security.htt _utils" is not found (@nicolas-grekas)
  • bug #27690 [DI] Resolve env placeholder in logs (@ro0NL)
  • bug #26534 allo _extr _attributes does not throw an exception as documented (@deviantintegral)
  • bug #27668 [Lock] use 'r+' for fopen (fixes issue on Solaris) (@fritzmg)
  • bug #27669 [Filesystem] fix file lock on SunOS (@fritzmg)
  • bug #27662 [HttpKernel] fix handling of nested Error instances (@xabbuh)
  • bug #26845 [Config] Fixing GlobResource when inside phar archive (@vworldat)
  • bug #27382 [Form] Fix error when rendering a DateIntervalType form with exactly 0 weeks (@krixon)
  • bug #27309 Fix surrogate not using original request (@Toflar)
  • bug #27467 [HttpKernel] fix session tracking in surrogate master requests (@nicolas-grekas)
  • bug #27630 [Validator][Form] Remove BOM in some xlf files (@gautierderuette)
  • bug #27596 [Framework][Workflow] Added support for interfaces (@vudaltsov)
  • bug #27593 [ProxyManagerBridge] Fixed support of private services (@nicolas-grekas)
  • bug #27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (@nicolas-grekas)
  • bug #27581 Fix bad method call with guard authentication + session migration (@weaverryan)
  • bug #27576 [Cache] Fix expiry comparisons in array-based pools (@nicolas-grekas)
  • bug #27556 Avoiding session migration for stateless firewall UsernamePasswordJsonAuthenticationListener (@weaverryan)
  • bug #27452 Avoid migration on stateless firewalls (@weaverryan)
  • bug #27568 [DI] Deduplicate generated proxy classes (@nicolas-grekas)
  • bug #27326 [Serializer] deserialize from xml: Fix a collection that contains the only one element (@webnet-fr)
  • bug #27567 [PhpUnitBridge] Fix error on some Windows OS (@Nsbx)
  • bug #27357 [Lock] Remove released semaphore (@jderusse)
  • bug #27416 TagAwareAdapter over non-binary memcached connections corrupts memcache (@Aleksey Prilipko)
  • bug #27514 [Debug] Pass previous exception to FatalErrorException (@pmontoya)
  • bug #27516 Revert "bug #26138 [HttpKernel] Catch HttpExceptions when templating is not installed (cilefen)" (@nicolas-grekas)
  • bug #27318 [Cache] memcache connect should not add duplicate entries on sequential calls (@Aleksey Prilipko)
  • bug #27389 [Serializer] Fix serializer tries to denormalize null values on nullable properties (@ogizanagi)
  • bug #27272 [FrameworkBundle] Change priority of AddConsoleCommandPass to TYP _BEFOR _REMOVING (@upyx)
  • bug #27396 [HttpKernel] fix registering IDE links (@nicolas-grekas)
  • bug #26973 [HttpKernel] Set first trusted proxy as REMOT _ADDR in InlineFragmentRenderer. (@kmadejski)
  • bug #27303 [Process] Consider "executable" suffixes first on Windows (@sanmai)
  • bug #27297 Triggering RememberMe's loginFail() when token cannot be created (@weaverryan)
  • bug #27344 [HttpKernel] reset kernel start time on reboot (@kiler129)
  • bug #27365 [Serializer] Check the value of enabl _ma _depth if defined (@dunglas)
  • bug #27358 [PhpUnitBridge] silence some stderr outputs (@ostrolucky)
  • bug #27366 [DI] never inline lazy services (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
06/25/2018 08:00 am   Symfony Blog   Mirror   Link  

Symfony 2.8.42 has just been released. Here is a list of the most important changes:

  • bug #27669 [Filesystem] fix file lock on SunOS (@fritzmg)
  • bug #27309 Fix surrogate not using original request (@Toflar)
  • bug #27630 [Validator][Form] Remove BOM in some xlf files (@gautierderuette)
  • bug #27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (@nicolas-grekas)
  • bug #27581 Fix bad method call with guard authentication + session migration (@weaverryan)
  • bug #27452 Avoid migration on stateless firewalls (@weaverryan)
  • bug #27514 [Debug] Pass previous exception to FatalErrorException (@pmontoya)
  • bug #26973 [HttpKernel] Set first trusted proxy as REMOT _ADDR in InlineFragmentRenderer. (@kmadejski)
  • bug #27303 [Process] Consider "executable" suffixes first on Windows (@sanmai)
  • bug #27297 Triggering RememberMe's loginFail() when token cannot be created (@weaverryan)
  • bug #27366 [DI] never inline lazy services (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-07-9 Paris - 2018-07-9 Paris - 2018-07-11 Paris
06/25/2018 07:28 am   Symfony Blog   Mirror   Link  

This week, development activity focused on fixing the first reported issues about the Symfony 4.1 stable version. Meanwhile, work on Symfony 4.2 already started with the addition of a ServiceSubscriberTrait and the improvement of the performance of some Dependency Injection passes. Lastly, the Call for Papers for SymfonyCon 2018 conference was announced.

Symfony development highlights

2.8 changelog:

  • ae30a80: [Debug] pass previous exception to FatalErrorException

3.4 changelog:

  • af06990: [Cache] memcache connect should not add duplicate entries on sequential calls
  • 67d4e6d: [Cache] TagAwareAdapter should not corrupt memcached connection in ascii mode
  • 88098f3: [Cache] TagAwareAdapter over non-binary memcached connections corrupts memcache
  • 7f2cb73: [Lock] remove released semaphore

4.1 changelog:

  • 9660103: [FrameworkBundle] improved exception message when AbstractController::getParameter fails
  • 7605706: [DebugBundle] DebugBundle::registerCommands should be noop
  • 2521e7b: [Routing] don't reorder past variable-length placeholders
  • 0ed3d0d: [WebProfilerBundle] fixed getSession when no session has been set deprecation warnings
  • 8130f22: [DependencyInjection] ignore missing tree root nodes on validate
  • 6770630: [FrameworkBundle] fix test-container on kernel reboot and revert to returning the real container from Client::getContainer()

Master changelog:

  • fa022f0: [DependencyInjection] add ServiceSubscriberTrait
  • 4f197a5: [FrameworkBundle] deprecate auto-injection of the container in AbstractController instances
  • 4cd6477: [DependencyInjection] don't generate factories for errored services
  • d8739d1: [DependencyInjection] improved performance of removing/inlining passes

Newest issues and pull requests

They talked about us


Be trained by Symfony experts - 2018-06-11 Paris - 2018-06-11 Paris - 2018-06-13 Paris
06/10/2018 03:09 am   Symfony Blog   Mirror   Link  

We’re so happy to announce SymfonyCon Lisbon 2018! We’ve just released the official website, the international Symfony conference will be held at the Lisbon Mariott Hotel on December 6-8!

Come to attend SymfonyCon Lisbon, conference days are on December 6th and 7th, and the hackday is on December 8th. Come for the conference, stay for the hackday! A lot of surprises are waiting for you, don’t miss the event.

Early bird to register to the conference is already available but limited to the first 100 attendees! If you want to enjoy it, hurry up to register before there are no early bird tickets left!

Call for Papers is also open, until June 22nd. If you want to speak at the SymfonyCon, send us your talk proposals. We are looking for highly technical talks related to Symfony and its ecosystem and original talks that haven't been delivered in previous conferences. All criteria regarding the CFP are listed on the website. Don’t hesitate to send more than one proposal to increase your chances of being selected.

Workshops will be organized before the conference, on December 4th and 5th. Grab your early bird combo ticket for workshop and conference to get a 20% discount!

We hope to see the entire Symfony community at SymfonyCon Lisbon, and we’d like to thank you for your involvement with Symfony.

See you in December!


Be trained by Symfony experts - 2018-06-6 Clichy - 2018-06-11 Paris - 2018-06-11 Paris
06/04/2018 02:30 am   Symfony Blog   Mirror   Link  

This week, Symfony 4.1.0 was released, which includes more than 200 big and small new features. In addition, the registration for the SymfonyCon Lisbon 2018 conference opened with the first 100 early bird tickets available.

Symfony development highlights

3.4 changelog:

  • 3114ffb: [FrameworkBundle] changed priority of AddConsoleCommandPass to TYPE_BEFORE_REMOVING
  • 16ebf43: [Serializer] fixed serializer tries to denormalize null values on nullable properties

4.1 changelog:

  • ce616bf: [FrameworkBundle] insert correct parameter_bag service in AbstractController
  • 16ebf43: [Serializer] fixed serializer tries to denormalize null values on nullable properties
  • ca5e561: [FrameworkBundle] added a Twig runtime for the CsrfExtension

Master changelog:

  • 143628f: [FrameworkBundle] allow configuring taggable cache pools
  • 3bade96: [Finder] added a "use natural sort" option
  • c8ce780: [PropertyInfo] auto-enable PropertyInfo component
  • 5937566: [Messenger] show dispatch caller in the profiler
  • c81f88f: [Cache] removed TaggableCacheInterface and aliased cache.app.taggable to CacheInterface

Newest issues and pull requests

They talked about us


Be trained by Symfony experts - 2018-06-6 Clichy - 2018-06-11 Paris - 2018-06-11 Paris
06/03/2018 02:47 am   Symfony Blog   Mirror   Link  

Symfony 4.1.0 has just been released. Here is a list of the most important changes:

  • bug #27420 Revert "feature #26702 Mark ExceptionInterfaces throwable (ostrolucky)" (@nicolas-grekas)
  • bug #27415 Insert correct paramete _bag service in AbstractController (@curry684)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-06-6 Clichy - 2018-06-11 Paris - 2018-06-11 Paris
05/30/2018 08:08 am   Symfony Blog   Mirror   Link  

Symfony 4.1.0 is going to be released later today. As for any other Symfony minor release, our backward compatibility promise applies and this means that you should be able to upgrade easily without changing anything in your code.

We've already blogged about the great 4.1 new features, but here is a curated list of the most relevant changes (this version has a total of 200 new small and big features):

New Components

  • Messenger (sroze) #24411 improved by many other pull requests:
    • Allow to scope handlers per bus (ogizanagi, sroze) #27275
    • Uses custom method names for handlers (sroze) #27034
    • Add debug:messenger CLI command (ro0NL, sroze) #26803
    • Support configuring messages when dispatching (ogizanagi) #26945
    • Add a time limit receiver (sdelicata) #27130
    • Add a memory limit option for ConsumeMessagesCommand (sdelicata) #26975
    • Define multiple buses from the framework.messenger.buses configuration (sroze) #26864
    • Allow to configure the transport (sroze) #26941
    • Add AMQP adapter (sroze) #26632
    • Add a MessageHandlerInterface (multiple messages + auto-configuration) #26685 (sroze)
    • Add a middleware that validates messages (Nyholm) #26648
    • Add a middleware that wraps all handlers in one Doctrine transaction. (Nyholm) #26647
    • Clone messages to show in profiler (Nyholm) #26650

Console

  • Add box-double table style (maidmaid) #26693
  • Add box style table (maidmaid) #25301
  • Modify console output and print multiple modifyable sections (pierredup) #24363
  • Add option to automatically run suggested command if there is only 1 alternative (pierredup) #25732

DependencyInjection

  • Validate env vars in config (ro0NL) #23888
  • Add a simple CSV env var processor (dunglas) #25627
  • Allow binary values in parameters (bburnichon) #25928
  • Anonymous services in PHP DSL (unkind) #24632
  • Add support for variadics in named arguments (PabloKowalczyk) #24937

Form

  • Add choice_translation_locale option for Intl choice types (yceruto, fabpot) #26825
  • Add a data_help method in Form (mpiot, Nyholm) #26332
  • Ability to set rounding strategy for MoneyType (syastrebov) #26767

FrameworkBundle

  • Add PSR-11 "ContainerBag" to access parameters as-a-service (nicolas-grekas, sroze) #25288
  • Add ControllerTrait::getParameter() (chalasr) #25439
  • Add support to 307/308 HTTP status codes in RedirectController (ZipoKing) #26213
  • Deprecate bundle:controller:action and service:method notation (Tobion) #26085
  • Allow fetching private services from test clients (nicolas-grekas) #26499
  • Add command to delete an item from a cache pool (pierredup) #26223
  • framework.php_errors.log now accept a log level (Simperfit) #26504
  • Keep query in redirect (Simperfit) #26281
  • Add the ability to search a route (Simperfit) #26121
  • Add cache.app.simple psr simple cache (dmaicher) #25710
  • Add email_validation_mode option (xabbuh) #25478
  • Add atom editor to ide config (lexcast) #25415

HttpFoundation

  • Add a migrating session handler (rossmotley) #26096
  • Add HeaderUtils class (c960657) #24699
  • Split FileException into specialized ones about upload handling (fmata) #26475
  • RedisSessionHandler (dkarlovi) #24781

Process

  • Introduce signaled process specific exception class (Soullivaneuh) #25775
  • Make PhpExecutableFinder look for the PHP_BINARY env var (nicolas-grekas) #25629
  • Create a "isTtySupported" static method (nesk) #25142

Routing

  • Allow no-slash root on imported routes (nicolas-grekas) #26284
  • Allow inline definition of requirements and defaults (nicolas-grekas) #26518
  • Implement i18n routing (frankdejonge, nicolas-grekas) #26143
  • Match 77.7x faster by compiling routes in one regexp (nicolas-grekas) #26059
  • Parse PHP constants in YAML routing files (ostrolucky) #25293

Serializer

  • Cache the normalizer to use when possible (dunglas, nicolas-grekas) #27049
  • Allow to access to the context and various other infos in callbacks and max depth handler (dunglas) #27017
  • Added a ConstraintViolationListNormalizer (lyrixx) #22150
  • Ignore comments when decoding XML (q0rban) #26445
  • Add a MaxDepth handler (dunglas) #26108
  • add a constructor argument to return csv always as collection (Simperfit) #25218
  • add a context key to return always as collection for XmlEncoder (Simperfit) #25369
  • Fix security issue on CsvEncoder about CSV injection (welcoMattic) #24508
  • default_constructor_arguments context option for denormalization (Nek-) #25493
  • Serialize and deserialize from abstract classes (sroze) #24375
  • Parse PHP constants in YAML mappings (ostrolucky) #25294

Twig

  • Make csrf_token() usable without forms (xabbuh) #25197
  • Add priority to twig extensions (Brunty) #24777
  • Do not normalize array keys in twig globals (lstrojny) #26770
  • Deprecate "false" in favor of "kernel.debug" as default value of "strict_variable" (yceruto) #25780

Security

  • Allow using custom function inside allow_if expressions (dmaicher) #26660
  • Deprecate AdvancedUserInterface (iltar) #23508
  • Add configuration for Argon2i encryption (CoalaJoe) #26175
  • Make security.providers optional (MatTheCat) #26787

Validator

  • Html5 Email Validation (PurpleBooth) #24442
  • Deprecated "checkDNS" option in Url constraint (ro0NL) #25516
  • Deprecate use of Locale validation constraint without setting "canonicalize" option to true (phansys) #26075
  • Support protocolless URLs validation (MyDigitalLife) #24308
  • Add canonicalize option for Locale validator (phansys) #22353
  • Add option to pass custom values to Expression validator (ostrolucky) #25504

VarDumper

  • Add dd() helper == dump() + exit() (nicolas-grekas) #26970
  • Introduce a new way to collect dumps through a server dumper (ogizanagi, nicolas-grekas) #23831
  • Provide binary, allowing to start a server at any time (ogizanagi) #26654
  • Add a GMP caster in order to cast GMP resources into string or integer (Simperfit) #25237

WebProfiler

  • Live duration of AJAX request (ostrolucky) #26668
  • Expose dotenv variables (ro0NL) #25166
  • Make WDT follow ajax requests if header set (jeffreymb) #26655
  • Display the missing translation panel by default (javiereguiluz) #26398
  • Display orphaned events in profiler (kejwmen) #24392

Workflow

  • Added a new 'all' method on the registry (alexpozzi, lyrixx) #26656
  • Added a TransitionException (andrewtch, lyrixx) #26651
  • Add a MetadataStore to fetch some metadata (lyrixx) #26092
  • Add transition blockers (d-ph, lyrixx) #26076
  • Remove constraints on transition/place name (lyrixx) #26079
  • Add PlantUML dumper to workflow:dump command (Plopix) #24705
  • Workflow name as graph label (shdev) #25148
  • Introduce a Workflow interface (Simperfit) #24751

Miscellaneous

  • [Lock] Add a TTL to refresh lock (jderusse) #26232
  • [Monolog] Add a Monolog activation strategy for ignoring specific HTTP codes (simshaun, fabpot) #23707
  • [LDAP] Allow adding and removing values to/from multi-valued attributes (jean-gui) #21856
  • [BrowserKit] Add a way to switch to ajax for one request (Simperfit) #24778
  • [HttpKernel] Add Kernel::getAnnotatedClassesToCompile() (nicolas-grekas) #27168
  • [HttpKernel] LoggerDataCollector: splitting logs on different sub-requests (vtsykun) #23659
  • [HttpKernel] Make session-related services extra-lazy (nicolas-grekas) #25836
  • [Intl] Add polyfill for Locale::canonicalize() (nicolas-grekas) #26152
  • [Translation] Added support for name on the unit node (Nyholm) #26149
  • [PropertyInfo] Add hassers for accessors prefixes (sebdec) #23617
  • Unwrap errors in FlattenException (derrabus) #26028
  • More compact display of vendor code in exception pages (javiereguiluz) #26671
  • Add clean option to assets install command (robinlehrmann) #24216

You can read more about this new version by reading the Living on the Edge articles on 4.1 on this blog. Also read the UPGRADE guide for Symfony 4.1.

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


Be trained by Symfony experts - 2018-06-6 Clichy - 2018-06-11 Paris - 2018-06-11 Paris
05/29/2018 09:47 pm   Symfony Blog   Mirror   Link  

This is the 41st and last post in the series of New features of Symfony 4.1, which will be released at the end of this month and will have support for bug fixes until January 2019 (see Symfony 4.1 roadmap).

Added getParameter() to ControllerTrait

Contributed by
Robin Chalas
in #25439.

Symfony comes with two optional base classes for controllers: Controller and AbstractController. They are similar but AbstractController is recommended because it's more restrictive: it does not allow you to access services directly via $this->get() or $this->container->get().

In Symfony 4.1, we improved AbstractController to add the commonly used helper getParameter() to get the value of any container config parameter. This change will allow to transition from Controller to AbstractController more easily.

Anonymous services in PHP DSL

Contributed by
Nikita Konstantinov
in #24632.

In Symfony 3.4 we introduced a PHP DSL to configure routes and services. In Symfony 4.1 we improved it adding support for anonymous services, which is useful when you don't care about the service name (e.g. when decorating services).

1
2
3
4
5
6
// app/config/services.php
return function (ContainerConfigurator $container) {
    $services = $container->services();
    // to create an anonymous service, pass null as its ID argument
    $services->set(null, stdClass::class)->tag('listener');
};

Added support for extracting type from constructor

Contributed by
Grégoire Pineau
in #25605.

In Symfony 4.1, the ReflectionExtractor class of the PropertyInfo component added a new $enableConstructorExtraction argument to allow introspecting property information using the constructor arguments.

Consider the following example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
class SomeClass
{
    public $property1;
    public $property2;

    public function __construct(string $property1, ?int $property2)
    {
        // ...
    }
}

In Symfony 4.1, when this option is enabled, PropertyInfo will tell you that property1 is a non-nullable string type and that property2 is a nullable integer.

Configurable PHP error log level

Contributed by
Hamza Amrouche
in #26504.

The framework.php_errors.log option allows to use the application logger instead of the PHP logger for logging PHP errors.

In Symfony 4.1, this option is no longer a boolean to enable/disable it. If you pass an integer value, you enable the feature and set the PHP logger to that logging level.


Be trained by Symfony experts - 2018-06-6 Clichy - 2018-06-11 Paris - 2018-06-11 Paris
05/29/2018 04:31 am   Symfony Blog   Mirror   Link  

Allow to set the rounding strategy for MoneyType

Contributed by
syastrebov
in #26767.

In Symfony 4.1, the MoneyType form field defines a new option called rounding_mode to control how the values are rounded. Before, all values were rounded towards "the nearest neighbor" (ROUND_HALF_UP) so 15.999 was rounded as 16.00. Now you can set it for example to ROUND_DOWN to display it as 15.99:

1
2
3
4
5
6
7
use Symfony\Component\Form\Extension\Core\DataTransformer\NumberToLocalizedStringTransformer;
use Symfony\Component\Form\Extension\Core\Type\MoneyType;
// ...

$builder->add('price', MoneyType::class, array(
    'rounding_mode' => NumberToLocalizedStringTransformer::ROUND_DOWN,
));

Adding and removing LDAP attributes more efficiently

Contributed by
Jean-Guilhem Rouel
in #21856.

Updating LDAP entries with the update() is slow in some scenarios. That's why in Symfony 4.1 there are two new methods called addAttributeValues() and removeAttributeValues() that add/remove values to a multi-valued attribute:

1
2
3
4
5
6
7
8
9
use Symfony\Component\Ldap\Ldap;
 use Symfony\Component\Ldap\Entry;
 // ...

$entry = $ldap->query('...', '...')->execute()[0];

$entityManager = $ldap->getEntryManager();
$entityManager->addAttributeValues($entry, 'telephoneNumber', ['+1.111.222.3333', '+1.222.333.4444']);
$entityManager->removeAttributeValues($entry, 'telephoneNumber', ['+1.111.222.3333', '+1.222.333.4444']);

Keep query string after redirecting

Contributed by
Hamza Amrouche
in #26281.

In Symfony 4.1, routes can define (in YAML, XML or PHP) a new option called keepQueryParams. By default it's false, but if you set it to true, the query parameters (if any) are added to the redirected URL:

1
2
3
4
5
6
7
legacy_search:
    path: /search-engine
    controller: Symfony\Bundle\FrameworkBundle\Controller\RedirectController::redirectAction
    defaults:
        route: search
        permanent: true
        keepQueryParams: true

In this example, if the original URL is /search-engine?q=symfony, the app redirects to /search?q=symfony

Added support for hasser accessors in PropertyInfo

Contributed by
Sébastien Decrême
in #23617.

The PropertyInfo component introspects information about class properties by using different sources of metadata. In Symfony 4.1, one of those sources (the ReflectionExtractor class) added support for hasser methods.

This will allow for example to make a property readable by defining methods like hasChildren() instead of just getChildren().


Be trained by Symfony experts - 2018-06-6 Clichy - 2018-06-11 Paris - 2018-06-11 Paris
05/28/2018 08:45 am   Symfony Blog   Mirror   Link