eZecosystem / Mirror / Symfony Blog

This week, development activity focused on fixing the first reported issues about the Symfony 4.1 stable version. Meanwhile, work on Symfony 4.2 already started with the addition of a ServiceSubscriberTrait and the improvement of the performance of some Dependency Injection passes. Lastly, the Call for Papers for the SymfonyCon 2018 conference was announced.

Symfony development highlights

2.8 changelog:

  • ae30a80: [Debug] pass previous exception to FatalErrorException

3.4 changelog:

  • af06990: [Cache] memcache connect should not add duplicate entries on sequential calls
  • 67d4e6d: [Cache] TagAwareAdapter should not corrupt memcached connection in ascii mode
  • 88098f3: [Cache] TagAwareAdapter over non-binary memcached connections corrupts memcache
  • 7f2cb73: [Lock] remove released semaphore

4.1 changelog:

  • 9660103: [FrameworkBundle] improved exception message when AbstractController::getParameter fails
  • 7605706: [DebugBundle] DebugBundle::registerCommands should be noop
  • 2521e7b: [Routing] don't reorder past variable-length placeholders
  • 0ed3d0d: [WebProfilerBundle] fixed getSession when no session has been set deprecation warnings
  • 8130f22: [DependencyInjection] ignore missing tree root nodes on validate
  • 6770630: [FrameworkBundle] fix test-container on kernel reboot and revert to returning the real container from Client::getContainer()

Master changelog:

  • fa022f0: [DependencyInjection] add ServiceSubscriberTrait
  • 4f197a5: [FrameworkBundle] deprecate auto-injection of the container in AbstractController instances
  • 4cd6477: [DependencyInjection] don't generate factories for errored services
  • d8739d1: [DependencyInjection] improved performance of removing/inlining passes

Newest issues and pull requests

They talked about us


Be trained by Symfony experts - 2018-06-11 Paris - 2018-06-11 Paris - 2018-06-13 Paris
06/10/2018 03:09 am   Symfony Blog

We're so happy to announce SymfonyCon Lisbon 2018! We've just released the official website: the international Symfony conference will be held at the Lisbon Marriott Hotel on December 6-8!

Come and attend SymfonyCon Lisbon: the conference days are December 6th and 7th, and the hackday is December 8th. Come for the conference, stay for the hackday! A lot of surprises are waiting for you, don't miss the event.

Early bird registration for the conference is already open but limited to the first 100 attendees! If you want to enjoy it, hurry up and register before the early bird tickets run out!

Call for Papers is also open, until June 22nd. If you want to speak at the SymfonyCon, send us your talk proposals. We are looking for highly technical talks related to Symfony and its ecosystem and original talks that haven't been delivered in previous conferences. All criteria regarding the CFP are listed on the website. Don’t hesitate to send more than one proposal to increase your chances of being selected.

Workshops will be organized before the conference, on December 4th and 5th. Grab your early bird combo ticket for the workshop and conference to get a 20% discount!

We hope to see the entire Symfony community at SymfonyCon Lisbon, and we’d like to thank you for your involvement with Symfony.

See you in December!


06/04/2018 02:30 am   Symfony Blog

This week, Symfony 4.1.0 was released, which includes more than 200 big and small new features. In addition, the registration for the SymfonyCon Lisbon 2018 conference opened with the first 100 early bird tickets available.

Symfony development highlights

3.4 changelog:

  • 3114ffb: [FrameworkBundle] changed priority of AddConsoleCommandPass to TYPE_BEFORE_REMOVING
  • 16ebf43: [Serializer] fixed serializer tries to denormalize null values on nullable properties

4.1 changelog:

  • ce616bf: [FrameworkBundle] insert correct parameter_bag service in AbstractController
  • 16ebf43: [Serializer] fixed serializer tries to denormalize null values on nullable properties
  • ca5e561: [FrameworkBundle] added a Twig runtime for the CsrfExtension

Master changelog:

  • 143628f: [FrameworkBundle] allow configuring taggable cache pools
  • 3bade96: [Finder] added a "use natural sort" option
  • c8ce780: [PropertyInfo] auto-enable PropertyInfo component
  • 5937566: [Messenger] show dispatch caller in the profiler
  • c81f88f: [Cache] removed TaggableCacheInterface and aliased cache.app.taggable to CacheInterface

Newest issues and pull requests

They talked about us


06/03/2018 02:47 am   Symfony Blog

Symfony 4.1.0 has just been released. Here is a list of the most important changes:

  • bug #27420 Revert "feature #26702 Mark ExceptionInterfaces throwable (ostrolucky)" (@nicolas-grekas)
  • bug #27415 Insert correct parameter_bag service in AbstractController (@curry684)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


05/30/2018 08:08 am   Symfony Blog

Symfony 4.1.0 is going to be released later today. As for any other Symfony minor release, our backward compatibility promise applies and this means that you should be able to upgrade easily without changing anything in your code.

We've already blogged about the great 4.1 new features, but here is a curated list of the most relevant changes (this version has a total of 200 new small and big features):

New Components

  • Messenger (sroze) #24411 improved by many other pull requests:
    • Allow to scope handlers per bus (ogizanagi, sroze) #27275
    • Uses custom method names for handlers (sroze) #27034
    • Add debug:messenger CLI command (ro0NL, sroze) #26803
    • Support configuring messages when dispatching (ogizanagi) #26945
    • Add a time limit receiver (sdelicata) #27130
    • Add a memory limit option for ConsumeMessagesCommand (sdelicata) #26975
    • Define multiple buses from the framework.messenger.buses configuration (sroze) #26864
    • Allow to configure the transport (sroze) #26941
    • Add AMQP adapter (sroze) #26632
    • Add a MessageHandlerInterface (multiple messages + auto-configuration) #26685 (sroze)
    • Add a middleware that validates messages (Nyholm) #26648
    • Add a middleware that wraps all handlers in one Doctrine transaction. (Nyholm) #26647
    • Clone messages to show in profiler (Nyholm) #26650

Console

  • Add box-double table style (maidmaid) #26693
  • Add box style table (maidmaid) #25301
  • Modify console output and print multiple modifiable sections (pierredup) #24363
  • Add option to automatically run suggested command if there is only 1 alternative (pierredup) #25732

DependencyInjection

  • Validate env vars in config (ro0NL) #23888
  • Add a simple CSV env var processor (dunglas) #25627
  • Allow binary values in parameters (bburnichon) #25928
  • Anonymous services in PHP DSL (unkind) #24632
  • Add support for variadics in named arguments (PabloKowalczyk) #24937

Form

  • Add choice_translation_locale option for Intl choice types (yceruto, fabpot) #26825
  • Add a data_help method in Form (mpiot, Nyholm) #26332
  • Ability to set rounding strategy for MoneyType (syastrebov) #26767

FrameworkBundle

  • Add PSR-11 "ContainerBag" to access parameters as-a-service (nicolas-grekas, sroze) #25288
  • Add ControllerTrait::getParameter() (chalasr) #25439
  • Add support to 307/308 HTTP status codes in RedirectController (ZipoKing) #26213
  • Deprecate bundle:controller:action and service:method notation (Tobion) #26085
  • Allow fetching private services from test clients (nicolas-grekas) #26499
  • Add command to delete an item from a cache pool (pierredup) #26223
  • framework.php_errors.log now accepts a log level (Simperfit) #26504
  • Keep query in redirect (Simperfit) #26281
  • Add the ability to search a route (Simperfit) #26121
  • Add cache.app.simple psr simple cache (dmaicher) #25710
  • Add email_validation_mode option (xabbuh) #25478
  • Add atom editor to ide config (lexcast) #25415

HttpFoundation

  • Add a migrating session handler (rossmotley) #26096
  • Add HeaderUtils class (c960657) #24699
  • Split FileException into specialized ones about upload handling (fmata) #26475
  • RedisSessionHandler (dkarlovi) #24781

Process

  • Introduce signaled process specific exception class (Soullivaneuh) #25775
  • Make PhpExecutableFinder look for the PHP_BINARY env var (nicolas-grekas) #25629
  • Create a "isTtySupported" static method (nesk) #25142

Routing

  • Allow no-slash root on imported routes (nicolas-grekas) #26284
  • Allow inline definition of requirements and defaults (nicolas-grekas) #26518
  • Implement i18n routing (frankdejonge, nicolas-grekas) #26143
  • Match 77.7x faster by compiling routes in one regexp (nicolas-grekas) #26059
  • Parse PHP constants in YAML routing files (ostrolucky) #25293

Serializer

  • Cache the normalizer to use when possible (dunglas, nicolas-grekas) #27049
  • Allow to access to the context and various other infos in callbacks and max depth handler (dunglas) #27017
  • Added a ConstraintViolationListNormalizer (lyrixx) #22150
  • Ignore comments when decoding XML (q0rban) #26445
  • Add a MaxDepth handler (dunglas) #26108
  • add a constructor argument to return csv always as collection (Simperfit) #25218
  • add a context key to return always as collection for XmlEncoder (Simperfit) #25369
  • Fix security issue on CsvEncoder about CSV injection (welcoMattic) #24508
  • default_constructor_arguments context option for denormalization (Nek-) #25493
  • Serialize and deserialize from abstract classes (sroze) #24375
  • Parse PHP constants in YAML mappings (ostrolucky) #25294

Twig

  • Make csrf_token() usable without forms (xabbuh) #25197
  • Add priority to twig extensions (Brunty) #24777
  • Do not normalize array keys in twig globals (lstrojny) #26770
  • Deprecate "false" in favor of "kernel.debug" as default value of "strict_variable" (yceruto) #25780

Security

  • Allow using custom function inside allow_if expressions (dmaicher) #26660
  • Deprecate AdvancedUserInterface (iltar) #23508
  • Add configuration for Argon2i encryption (CoalaJoe) #26175
  • Make security.providers optional (MatTheCat) #26787

Validator

  • Html5 Email Validation (PurpleBooth) #24442
  • Deprecated "checkDNS" option in Url constraint (ro0NL) #25516
  • Deprecate use of Locale validation constraint without setting "canonicalize" option to true (phansys) #26075
  • Support protocolless URLs validation (MyDigitalLife) #24308
  • Add canonicalize option for Locale validator (phansys) #22353
  • Add option to pass custom values to Expression validator (ostrolucky) #25504

VarDumper

  • Add dd() helper == dump() + exit() (nicolas-grekas) #26970
  • Introduce a new way to collect dumps through a server dumper (ogizanagi, nicolas-grekas) #23831
  • Provide binary, allowing to start a server at any time (ogizanagi) #26654
  • Add a GMP caster in order to cast GMP resources into string or integer (Simperfit) #25237

WebProfiler

  • Live duration of AJAX request (ostrolucky) #26668
  • Expose dotenv variables (ro0NL) #25166
  • Make WDT follow ajax requests if header set (jeffreymb) #26655
  • Display the missing translation panel by default (javiereguiluz) #26398
  • Display orphaned events in profiler (kejwmen) #24392

Workflow

  • Added a new 'all' method on the registry (alexpozzi, lyrixx) #26656
  • Added a TransitionException (andrewtch, lyrixx) #26651
  • Add a MetadataStore to fetch some metadata (lyrixx) #26092
  • Add transition blockers (d-ph, lyrixx) #26076
  • Remove constraints on transition/place name (lyrixx) #26079
  • Add PlantUML dumper to workflow:dump command (Plopix) #24705
  • Workflow name as graph label (shdev) #25148
  • Introduce a Workflow interface (Simperfit) #24751

Miscellaneous

  • [Lock] Add a TTL to refresh lock (jderusse) #26232
  • [Monolog] Add a Monolog activation strategy for ignoring specific HTTP codes (simshaun, fabpot) #23707
  • [LDAP] Allow adding and removing values to/from multi-valued attributes (jean-gui) #21856
  • [BrowserKit] Add a way to switch to ajax for one request (Simperfit) #24778
  • [HttpKernel] Add Kernel::getAnnotatedClassesToCompile() (nicolas-grekas) #27168
  • [HttpKernel] LoggerDataCollector: splitting logs on different sub-requests (vtsykun) #23659
  • [HttpKernel] Make session-related services extra-lazy (nicolas-grekas) #25836
  • [Intl] Add polyfill for Locale::canonicalize() (nicolas-grekas) #26152
  • [Translation] Added support for name on the unit node (Nyholm) #26149
  • [PropertyInfo] Add hassers for accessors prefixes (sebdec) #23617
  • Unwrap errors in FlattenException (derrabus) #26028
  • More compact display of vendor code in exception pages (javiereguiluz) #26671
  • Add clean option to assets install command (robinlehrmann) #24216

You can read more about this new version by reading the Living on the Edge articles on 4.1 on this blog. Also read the UPGRADE guide for Symfony 4.1.

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


05/29/2018 09:47 pm   Symfony Blog

This is the 41st and last post in the series of New features of Symfony 4.1, which will be released at the end of this month and will have support for bug fixes until January 2019 (see Symfony 4.1 roadmap).

Added getParameter() to ControllerTrait

Contributed by Robin Chalas in #25439.

Symfony comes with two optional base classes for controllers: Controller and AbstractController. They are similar but AbstractController is recommended because it's more restrictive: it does not allow you to access services directly via $this->get() or $this->container->get().

In Symfony 4.1, we improved AbstractController by adding the commonly used getParameter() helper to get the value of any container config parameter. This change makes the transition from Controller to AbstractController easier.

Anonymous services in PHP DSL

Contributed by Nikita Konstantinov in #24632.

In Symfony 3.4 we introduced a PHP DSL to configure routes and services. In Symfony 4.1 we improved it by adding support for anonymous services, which is useful when you don't care about the service name (e.g. when decorating services).

// app/config/services.php
// the PHP DSL file must live in the configurator namespace so that the fluent helpers resolve
namespace Symfony\Component\DependencyInjection\Loader\Configurator;

return function (ContainerConfigurator $container) {
    $services = $container->services();
    // to create an anonymous service, pass null as its ID argument
    // (\stdClass is fully qualified because this file declares a namespace)
    $services->set(null, \stdClass::class)->tag('listener');
};

Added support for extracting type from constructor

Contributed by Grégoire Pineau in #25605.

In Symfony 4.1, the ReflectionExtractor class of the PropertyInfo component added a new $enableConstructorExtraction argument to allow introspecting property information using the constructor arguments.

Consider the following example:

class SomeClass
{
    public $property1;
    public $property2;

    public function __construct(string $property1, ?int $property2)
    {
        // ...
    }
}

In Symfony 4.1, when this option is enabled, PropertyInfo will tell you that property1 is a non-nullable string type and that property2 is a nullable integer.

Configurable PHP error log level

Contributed by Hamza Amrouche in #26504.

The framework.php_errors.log option allows using the application logger instead of the PHP logger for logging PHP errors.

In Symfony 4.1, this option is no longer a boolean to enable/disable it. If you pass an integer value, you enable the feature and set the PHP logger to that logging level.


05/29/2018 04:31 am   Symfony Blog

Allow to set the rounding strategy for MoneyType

Contributed by syastrebov in #26767.

In Symfony 4.1, the MoneyType form field defines a new option called rounding_mode to control how the values are rounded. Before, all values were rounded towards "the nearest neighbor" (ROUND_HALF_UP) so 15.999 was rounded as 16.00. Now you can set it for example to ROUND_DOWN to display it as 15.99:

use Symfony\Component\Form\Extension\Core\DataTransformer\NumberToLocalizedStringTransformer;
use Symfony\Component\Form\Extension\Core\Type\MoneyType;
// ...

$builder->add('price', MoneyType::class, array(
    'rounding_mode' => NumberToLocalizedStringTransformer::ROUND_DOWN,
));

Adding and removing LDAP attributes more efficiently

Contributed by Jean-Guilhem Rouel in #21856.

Updating LDAP entries with the update() method is slow in some scenarios. That's why Symfony 4.1 adds two new methods, addAttributeValues() and removeAttributeValues(), that add/remove values to/from a multi-valued attribute:

use Symfony\Component\Ldap\Ldap;
use Symfony\Component\Ldap\Entry;
// ...

$entry = $ldap->query('...', '...')->execute()[0];

$entryManager = $ldap->getEntryManager();
$entryManager->addAttributeValues($entry, 'telephoneNumber', ['+1.111.222.3333', '+1.222.333.4444']);
$entryManager->removeAttributeValues($entry, 'telephoneNumber', ['+1.111.222.3333', '+1.222.333.4444']);

Keep query string after redirecting

Contributed by Hamza Amrouche in #26281.

In Symfony 4.1, routes can define (in YAML, XML or PHP) a new option called keepQueryParams. By default it's false, but if you set it to true, the query parameters (if any) are added to the redirected URL:

legacy_search:
    path: /search-engine
    controller: Symfony\Bundle\FrameworkBundle\Controller\RedirectController::redirectAction
    defaults:
        route: search
        permanent: true
        keepQueryParams: true

In this example, if the original URL is /search-engine?q=symfony, the app redirects to /search?q=symfony.

Added support for hasser accessors in PropertyInfo

Contributed by Sébastien Decrême in #23617.

The PropertyInfo component introspects information about class properties by using different sources of metadata. In Symfony 4.1, one of those sources (the ReflectionExtractor class) added support for hasser methods.

This allows, for example, making a property readable by defining a method like hasChildren() instead of just getChildren().


05/28/2018 08:45 am   Symfony Blog

This week Symfony released 2.7.48, 2.8.41, 3.3.17, 3.4.11 and 4.0.11 versions to address several security vulnerabilities. Meanwhile Symfony 4.1.0 beta3 was published in preparation for next week's final release. Lastly, it was announced that the SymfonyLive USA 2018 conference will take place in San Francisco on October 11th and 12th.

Symfony development highlights

2.7 changelog:

  • 47e7268: [HttpFoundation] break infinite loop in PdoSessionHandler when MySQL is in loose mode
  • fa5bf4b: [Security] added session strategy to ALL listeners to avoid any possible fixation
  • 319e1bd: [Security] clear CSRF tokens when the user is logged out
  • b20e835: [SecurityBundle] fail if security.http_utils cannot be configured
  • ab32125: [HttpFoundation] fixed a performance issue during MimeTypeGuesser initialization

3.4 changelog:

  • fad1e1f: [Security] added session authentication strategy to Guard to avoid session fixation
  • 194caff: [Security] migrated session for UsernamePasswordJsonAuthenticationListener
  • 46c2d4b: [DependencyInjection] fixed bad exception on uninitialized references to non-shared services
  • e2ba3af: [HttpFoundation] fixed cookie test with xdebug
  • 4279f53: [DependencyInjection] never inline lazy services
  • cb106fa: [Serializer] check the value of enable_max_depth if defined
  • 79bd461: [HttpKernel] reset kernel start time on reboot

4.1 changelog:

  • 70c70e2: [PhpUnit Bridge] suppress deprecation notices thrown when getting private services from container in tests
  • 7fb7cf2: [Serializer] fixed and improved constraintViolationListNormalizer's RFC7807 compliance
  • 2fd30a6: [FrameworkBundle] fixed test.service_container usage when Client is rebooted
  • 7d23ac5: [HttpKernel] fixed deprecation in AbstractTestSessionListener
  • 9e6fbe8: [Routing] account for greediness when merging route patterns

Master changelog:

  • ec6d46c: [Security] added "is_granted()" to security expressions and deprecate "has_role()"
  • bd6769e: [Cache] added TaggableCacheInterface to simplify cache usage
  • f827fec: [DependencyInjection] allowed binding by type+name
  • eceabee: [DependencyInjection] allowed to select specific key from an array resolved env var
  • d314735: [Security] FirewallMap/FirewallContext deprecations
  • f557f94: [Security] no more support for custom anon/remember tokens based on FQCN

Newest issues and pull requests

They talked about us


05/27/2018 04:28 am   Symfony Blog

Symfony 4.1.0-BETA3 has just been released. Here is a list of the most important changes:

  • bug #27388 [Routing] Account for greediness when merging route patterns (@nicolas-grekas)
  • bug #27344 [HttpKernel] reset kernel start time on reboot (@kiler129)
  • bug #27365 [Serializer] Check the value of enable_max_depth if defined (@dunglas)
  • bug #27358 [PhpUnitBridge] silence some stderr outputs (@ostrolucky)
  • bug #27366 [DI] never inline lazy services (@nicolas-grekas)
  • bug #27352 Remove reference to the test container after kernel shutdown (@stof)
  • bug #27350 [HttpKernel] fix deprecation in AbstractTestSessionListener (@alekitto)
  • bug #27367 [FrameworkBundle] cleanup generated test container (@nicolas-grekas)
  • bug #27379 [FrameworkBundle] Fix using test.service_container when Client is rebooted (@nicolas-grekas)
  • bug #27364 [DI] Fix bad exception on uninitialized references to non-shared services (@nicolas-grekas)
  • bug #27359 [HttpFoundation] Fix perf issue during MimeTypeGuesser initialization (@nicolas-grekas)
  • security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured
  • security #cve-2018-11406 clear CSRF tokens when the user is logged out
  • security #cve-2018-11385 migrating session for UsernamePasswordJsonAuthenticationListener
  • security #cve-2018-11385 Adding session authentication strategy to Guard to avoid session fixation
  • security #cve-2018-11385 Adding session strategy to ALL listeners to avoid any possible fixation
  • security #cve-2018-11386 [HttpFoundation] Break infinite loop in PdoSessionHandler when MySQL is in loose mode
  • bug #27341 [WebProfilerBundle] Fixed validator/dump trace CSS (@yceruto)
  • bug #27337 [FrameworkBundle] fix typo in CacheClearCommand (@emilielorenzo)
  • bug #27292 [Serializer] Fix and improve constraintViolationListNormalizer's RFC7807 compliance (@dunglas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


05/26/2018 10:55 am   Symfony Blog

Affected versions

Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony http-foundation component are affected by this security issue.

The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fixed before its final release.

Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.

Description

The PdoSessionHandler class allows storing sessions through a PDO connection. Under some configurations (see below) and with a well-crafted payload, it was possible to cause a denial of service against a Symfony application using few resources.

An application is vulnerable when:

  • It is using PdoSessionHandler to store its sessions;

  • And it uses MySQL as a backend for sessions managed by PdoSessionHandler;

  • And the SQL mode does not contain STRICT_ALL_TABLES or STRICT_TRANS_TABLES (check via SELECT @@sql_mode).

When an application has this configuration, a denial of service is easy because a well-crafted session leads to an infinite loop in the code.
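As an added check, not part of the advisory or of the Symfony project, the following Python script encodes the three preconditions above and the advisory's version ranges so that an installation can be assessed offline from its composer version, the configured session handler class, the PDO DSN and the output of SELECT @@sql_mode. The handler class constant is Symfony's real class name; every other input value in the usage section is a constructed sample.

```python
"""Offline pre-flight check for the PdoSessionHandler denial-of-service advisory.

Added example, not code from the Symfony blog or project. It encodes the three
preconditions the advisory lists and the affected/fixed version ranges it
publishes, so an operator can assess an installation without touching production.
"""
from typing import Dict, NamedTuple, Tuple

# Branch -> (last affected patch release, first fixed patch release), as published.
AFFECTED_BRANCHES: Dict[Tuple[int, int], Tuple[int, int]] = {
    (2, 7): (47, 48),
    (2, 8): (40, 41),
    (3, 3): (16, 17),
    (3, 4): (10, 11),
    (4, 0): (10, 11),
}
# Branches the advisory names as unmaintained: affected, and no fix is published.
UNMAINTAINED_BRANCHES = {(3, 0), (3, 1), (3, 2)}
# The advisory's third precondition is that neither of these appears in sql_mode.
STRICT_MODES = {"STRICT_ALL_TABLES", "STRICT_TRANS_TABLES"}
# Real Symfony class name of the handler the advisory concerns.
PDO_HANDLER = "Symfony\\Component\\HttpFoundation\\Session\\Storage\\Handler\\PdoSessionHandler"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v3.4.10' or '4.1.0-BETA3' into (3, 4, 10) / (4, 1, 0)."""
    core = version.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def version_status(version: str) -> str:
    """Classify a symfony/http-foundation version against the advisory.

    'affected', 'fixed' or 'unmaintained' follow the advisory text; branches
    newer than 4.0 are 'fixed' because 4.1.0 shipped with the fix; branches the
    advisory does not mention at all (older than 2.7) are 'unlisted'.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in UNMAINTAINED_BRANCHES:
        return "unmaintained"
    if branch in AFFECTED_BRANCHES:
        last_affected, _first_fixed = AFFECTED_BRANCHES[branch]
        return "affected" if patch <= last_affected else "fixed"
    return "fixed" if branch > (4, 0) else "unlisted"


def sql_mode_is_strict(sql_mode: str) -> bool:
    """True when the value returned by SELECT @@sql_mode contains a strict mode."""
    modes = {m.strip().upper() for m in sql_mode.split(",")}
    return bool(modes & STRICT_MODES)


class Verdict(NamedTuple):
    status: str              # 'vulnerable', 'not-exposed', 'fixed' or 'review'
    reasons: Tuple[str, ...]


def assess(version: str, handler_class: str, dsn: str, sql_mode: str) -> Verdict:
    """Apply the advisory's preconditions in order and explain the outcome."""
    vstatus = version_status(version)
    if vstatus == "fixed":
        return Verdict("fixed", (f"{version} already contains the fix",))
    if vstatus == "unlisted":
        return Verdict("review", (f"{version} is outside the branches the advisory lists",))
    reasons = [f"{version} is {vstatus}"]
    if handler_class.lstrip("\\") != PDO_HANDLER:
        reasons.append("sessions are not stored through PdoSessionHandler")
        return Verdict("not-exposed", tuple(reasons))
    if not dsn.lower().startswith("mysql:"):
        reasons.append("session backend is not MySQL")
        return Verdict("not-exposed", tuple(reasons))
    if sql_mode_is_strict(sql_mode):
        reasons.append("MySQL runs with a strict sql_mode")
        return Verdict("not-exposed", tuple(reasons))
    reasons.append("sql_mode contains neither STRICT_ALL_TABLES nor STRICT_TRANS_TABLES")
    return Verdict("vulnerable", tuple(reasons))


if __name__ == "__main__":
    # Constructed sample inputs for an installation being reviewed.
    verdict = assess("3.4.10", PDO_HANDLER, "mysql:host=db;dbname=app", "NO_ENGINE_SUBSTITUTION")
    print(verdict.status)
    for reason in verdict.reasons:
        print(" -", reason)
```

An installation that is "not-exposed" on an affected version still needs the upgrade: the verdict only says the listed preconditions for this particular issue are not all met.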

Resolution

We fixed this issue by avoiding the infinite loop.

Credits

I would like to thank Federico Stange for reporting this security issue and for working with us trying to figure out when this issue occurred, Nicolas Grekas for working on a fix, and the Symfony Core Team for reviewing the patch.


05/25/2018 09:10 am   Symfony Blog

Affected versions

Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue.

The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fixed before its final release.

Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.

Description

This is a continuation of CVE-2017-16652, where we missed an edge case (when the security.http_utils was inlined by the container).

Resolution

The fix solves the issue for the edge case.

Credits

I would like to thank Antal Áron for reporting this security issue, Nicolas Grekas for providing a fix, and the Symfony Core Team for reviewing the patch.


05/25/2018 09:10 am   Symfony Blog

Symfony 2.7.46 has just been released. Here is a list of the most important changes:

  • bug #26831 [Bridge/Doctrine] count(): Parameter must be an array or an object that implements Countable (@gpenverne)
  • bug #27044 [Security] Skip user checks if not implementing UserInterface (@chalasr)
  • bug #26910 Use new PHP7.2 functions in hasColorSupport (@johnstevenson)
  • bug #26999 [VarDumper] Fix dumping of SplObjectStorage (@corphi)
  • bug #26886 Don't assume that file binary exists on nix OS (@teohhanhui)
  • bug #26643 Fix that ESI/SSI processing can turn a "private" response "public" (@mpdude)
  • bug #26932 [Form] Fixed trimming choice values (@HeahDude)
  • bug #26875 [Console] Don't go past exact matches when autocompleting (@nicolas-grekas)
  • bug #26823 [Validator] Fix LazyLoadingMetadataFactory with PSR6Cache for non classname if tested values isn't existing class (@Pascal Montoya, @pmontoya)
  • bug #26834 [Yaml] Throw parse error on unfinished inline map (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


04/27/2018 04:17 am   Symfony Blog

Deprecate some uses of Request::getSession()

Contributed by Florent Mata in #26564.

Using Request::getSession() when no session exists has been deprecated in Symfony 4.1 and it will throw an exception in Symfony 5.0. The solution is to always check first if a session exists with the Request::hasSession() method:

// ...
if ($request->hasSession() && ($session = $request->getSession())) {
    $session->set('some_key', 'some_value');
}

Allow to cache requests that use sessions

Contributed by Yanick Witschi in #26681.

Whenever the session is started during a request, Symfony turns the response into a private non-cacheable response to prevent leaking private information. However, even requests making use of the session can be cached under some circumstances.

For example, information related to some user group could be cached for all the users belonging to that group. Handling these advanced caching scenarios is out of the scope of Symfony, but they can be solved with the FOSHttpCacheBundle.

In order to disable the default Symfony behavior that makes requests using the session uncacheable, in Symfony 4.1 we added the NO_AUTO_CACHE_CONTROL_HEADER header that you can add to responses:

use Symfony\Component\HttpKernel\EventListener\AbstractSessionListener;

$response->headers->set(AbstractSessionListener::NO_AUTO_CACHE_CONTROL_HEADER, 'true');

Allow to migrate sessions

Contributed by Ross Motley in #26096.

Migrating sessions (e.g. from the filesystem to the database) is a tricky operation that usually ends up losing all the existing sessions. That's why in Symfony 4.1 we've introduced a new MigratingSessionHandler class that allows migrating between old and new save handlers without losing session data.

It's recommended to do the migration in three steps:

use Symfony\Component\HttpFoundation\Session\Storage\Handler\MigratingSessionHandler;

$oldSessionStorage = ...;
$newSessionStorage = ...;

// The constructor signature is MigratingSessionHandler($currentHandler, $writeOnlyHandler):
// sessions are read from the current handler and written to both
// Step 1. Keep this configuration for a full garbage collection period so every live session is copied to the new storage
$sessionStorage = new MigratingSessionHandler($oldSessionStorage, $newSessionStorage);

// Step 2. Keep this configuration while you verify that the new storage handler works as expected
$sessionStorage = new MigratingSessionHandler($newSessionStorage, $oldSessionStorage);

// Step 3. Your app is now ready to switch to the new storage handler
$sessionStorage = $newSessionStorage;

04/26/2018 06:33 am   Symfony Blog

FlattenException now unwraps errors

Contributed by Alexander M. Turek in #26028.

Symfony wraps errors thrown by the application inside a FatalThrowableError. This means the actual error class is not displayed in the exception pages: you see, for example, Symfony's FatalThrowableError instead of PHP's DivisionByZeroError when your code tries to divide by 0.

In Symfony 4.1, FlattenException unwraps FatalThrowableError instances and logs the wrapped error. As a consequence, the real error class is now always displayed in the exception page.

Introduced new exception classes

Contributed by Sullivan Senechal and Florent Mata in #25775 and #26475.

In Symfony 4.1 we've introduced a new ProcessSignaledException class in the Process component to properly catch signaled process errors. Also, in the HttpFoundation component, we've introduced new detailed exception classes for file upload handling to replace the generic catch-all FileException:

use Symfony\Component\HttpFoundation\File\Exception\CannotWriteFileException;
use Symfony\Component\HttpFoundation\File\Exception\ExtensionFileException;
use Symfony\Component\HttpFoundation\File\Exception\FormSizeFileException;
use Symfony\Component\HttpFoundation\File\Exception\IniSizeFileException;
use Symfony\Component\HttpFoundation\File\Exception\NoFileException;
use Symfony\Component\HttpFoundation\File\Exception\NoTmpDirFileException;
use Symfony\Component\HttpFoundation\File\Exception\PartialFileException;

Moreover, now that PHP 7.1 supports multi catch exception handling, you can process several exceptions with the same catch() block:

try {
    // ...
} catch (FormSizeFileException | IniSizeFileException $e) {
    // ...
}
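An added example, not code from the blog post, showing what the specialized exceptions buy you in practice: UploadedFile::move() throws one of them for a failed upload, so the handler can answer client mistakes and server misconfiguration with different, non-revealing responses, and ProcessSignaledException distinguishes a child process killed by a signal from an ordinary failure. storeUpload(), runConverter(), the target directory and the converter command are assumptions.

```php
<?php
// Added example (not from the blog post). Function names, the target
// directory and the converter command are illustrative assumptions.
use Symfony\Component\HttpFoundation\File\Exception\CannotWriteFileException;
use Symfony\Component\HttpFoundation\File\Exception\ExtensionFileException;
use Symfony\Component\HttpFoundation\File\Exception\FileException;
use Symfony\Component\HttpFoundation\File\Exception\FormSizeFileException;
use Symfony\Component\HttpFoundation\File\Exception\IniSizeFileException;
use Symfony\Component\HttpFoundation\File\Exception\NoFileException;
use Symfony\Component\HttpFoundation\File\Exception\NoTmpDirFileException;
use Symfony\Component\HttpFoundation\File\Exception\PartialFileException;
use Symfony\Component\HttpFoundation\File\UploadedFile;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Process\Exception\ProcessSignaledException;
use Symfony\Component\Process\Process;

/**
 * Stores an upload under a server-generated name. Since 4.1, move() throws
 * one of the specialized exceptions for a failed upload, so client errors and
 * server misconfiguration can be told apart without parsing error messages.
 */
function storeUpload(UploadedFile $upload, string $targetDir): Response
{
    try {
        // never reuse the client-supplied file name for the path on disk
        $stored = $upload->move($targetDir, bin2hex(random_bytes(16)));

        return new JsonResponse(['stored' => $stored->getFilename()], Response::HTTP_CREATED);
    } catch (IniSizeFileException | FormSizeFileException $e) {
        // upload_max_filesize or the form's MAX_FILE_SIZE was exceeded: a client error
        return new JsonResponse(['error' => 'file too large'], Response::HTTP_REQUEST_ENTITY_TOO_LARGE);
    } catch (NoFileException | PartialFileException $e) {
        return new JsonResponse(['error' => 'upload missing or incomplete'], Response::HTTP_BAD_REQUEST);
    } catch (ExtensionFileException $e) {
        // a PHP extension stopped the upload (UPLOAD_ERR_EXTENSION)
        return new JsonResponse(['error' => 'upload rejected'], Response::HTTP_UNPROCESSABLE_ENTITY);
    } catch (NoTmpDirFileException | CannotWriteFileException $e) {
        // server-side problem: keep the details in the log, not in the response
        error_log('upload storage failure: '.$e->getMessage());

        return new JsonResponse(['error' => 'storage unavailable'], Response::HTTP_INTERNAL_SERVER_ERROR);
    } catch (FileException $e) {
        // anything else, e.g. move() failing after an otherwise valid upload
        error_log('upload failure: '.$e->getMessage());

        return new JsonResponse(['error' => 'upload failed'], Response::HTTP_INTERNAL_SERVER_ERROR);
    }
}

/**
 * Runs an external converter on a stored file. A child killed by a signal
 * (for example by the OOM killer) now surfaces as ProcessSignaledException,
 * carrying the signal number, instead of looking like a generic failure.
 */
function runConverter(string $storedPath): string
{
    $process = new Process(['/usr/local/bin/convert-upload', $storedPath]); // assumed command
    $process->setTimeout(30);

    try {
        $process->mustRun();
    } catch (ProcessSignaledException $e) {
        throw new \RuntimeException(sprintf('converter killed by signal %d', $e->getSignal()), 0, $e);
    }

    return $process->getOutput();
}
```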

Improved the exception page design

Contributed by Javier Eguiluz in #26671.

The exception pages have been improved in Symfony 4.1 to display less information about "vendor code". If a stack frame belongs to the vendor/ folder, we compact its information to fit in a single line and no longer display its arguments. The rest of the trace is displayed as before, which helps you focus more easily on your own application code:

04/24/2018 06:17 am   Symfony Blog

Introduced a HeaderUtils class

Contributed by Christian Schmidt in #24699.

Parsing HTTP headers is not as trivial as some may think. It requires parsing quoted strings with backslash escaping and ignoring white-space in certain places. We did that in some methods of the HttpFoundation component but the repeated logic was starting to make the code hard to maintain.

That's why in Symfony 4.1 we've introduced a new HeaderUtils class that provides the most common utilities needed when parsing HTTP headers. This is not an internal class, so you can use it in your own code too:

use Symfony\Component\HttpFoundation\HeaderUtils;

// Splits an HTTP header by one or more separators; the result is nested one
// level per separator, in the order the separators are given
HeaderUtils::split('da, en-gb;q=0.8', ',;');
// => array(array('da'), array('en-gb', 'q=0.8'))

// Combines an array of arrays into one associative array
// (this method is named combine() in the released Symfony 4.1)
HeaderUtils::combineParts(array(array('foo', 'abc'), array('bar')));
// => array('foo' => 'abc', 'bar' => true)

// Joins an associative array into a string for use in an HTTP header
// (this method is named toString() in the released Symfony 4.1)
HeaderUtils::joinAssoc(array('foo' => 'abc', 'bar' => true, 'baz' => 'a b c'), ',');
// => 'foo=abc, bar, baz="a b c"'

// Encodes a string as a quoted string, if necessary; the result includes
// the surrounding double quotes
HeaderUtils::quote('foo "bar"');
// => '"foo \"bar\""'

// Decodes a quoted string
HeaderUtils::unquote('"foo \"bar\""');
// => 'foo "bar"'
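As an added example that is not code from the blog post, the helpers applied to two real headers: parsing Cache-Control and Content-Disposition values (including a quoted, escaped file name) and rebuilding an attachment header from a client-supplied name so that quoting is never done by hand. The three function names are illustrative; the calls use combine() and toString(), the names under which combineParts() and joinAssoc() shipped in the Symfony 4.1 release.

```php
<?php
// Added example (not from the blog post). Function names are illustrative;
// combine()/toString() are the released 4.1 names of the helpers above.
use Symfony\Component\HttpFoundation\HeaderUtils;

/**
 * Parses a Cache-Control value into an associative array: "max-age=3600"
 * becomes 'max-age' => '3600' and a bare directive such as "private"
 * becomes 'private' => true. Quoted values are unescaped for you.
 */
function parseCacheControl(string $header): array
{
    // split on "," first (directives), then on "=" (name/value pairs)
    return HeaderUtils::combine(HeaderUtils::split($header, ',='));
}

/**
 * Parses a Content-Disposition value such as
 *   form-data; name="upload"; filename="report \"final\".pdf"
 * into the disposition type (as a key set to true) and its parameters.
 */
function parseContentDisposition(string $header): array
{
    return HeaderUtils::combine(HeaderUtils::split($header, ';='));
}

/**
 * Builds an attachment Content-Disposition header from a client-supplied
 * file name. HeaderUtils does the quoting and backslash escaping, so spaces,
 * quotes or backslashes in the name cannot break the header syntax; basename()
 * additionally drops any directory part the client may have sent.
 */
function buildAttachmentDisposition(string $clientFileName): string
{
    $safeName = basename(str_replace('\\', '/', $clientFileName));

    return 'attachment; '.HeaderUtils::toString(['filename' => $safeName], ';');
}

// Constructed sample headers
$directives = parseCacheControl('max-age=3600, private, no-cache="set-cookie"');
$isPrivate = true === ($directives['private'] ?? false);
$maxAge = (int) ($directives['max-age'] ?? 0);

$disposition = parseContentDisposition('form-data; name="upload"; filename="../report \"final\".pdf"');
$downloadHeader = buildAttachmentDisposition($disposition['filename']);
```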

Allow to bypass headers when submitting forms in tests

Contributed by cfjulien in #26791.

An issue reported by the Mink browser testing project made us realize that you cannot bypass HTTP header information when submitting forms in tests which use the BrowserKit component.

That's why in Symfony 4.1 the submit() method now accepts a third optional argument called $serverParameters which allows you to do things like this:

$crawler = $client->request('GET', 'http://www.example.com/foo');
$form = $crawler->filter('input')->form();
$client->submit($form, [], ['HTTP_ACCEPT_LANGUAGE' => 'de']);
// => $client->getRequest()->getServer()['HTTP_ACCEPT_LANGUAGE'] = 'de'

Added support for default values in Accept headers

Contributed by Javier Eguiluz in #26036.

When using the Accept HTTP header it's common to use expressions like .../*, */* and even * to define the default values:

Accept: text/plain;q=0.5, text/html, text/*;q=0.8, */*

However, in Symfony versions prior to 4.1 these default values weren't supported:

use Symfony\Component\HttpFoundation\AcceptHeader;

$acceptHeader = AcceptHeader::fromString('text/plain;q=0.5, text/html, text/*;q=0.8, */*');
$quality = $acceptHeader->get('text/xml')->getQuality();
// instead of returning '0.8', this code displays the following error message:
//   Call to a member function getQuality() on null

In Symfony 4.1 all these default values are now properly supported:

$acceptHeader = AcceptHeader::fromString('text/plain;q=0.5, text/html, text/*;q=0.8, */*');
$acceptHeader->get('text/xml')->getQuality();        // => 0.8 (because of text/*)
$acceptHeader->get('text/html')->getQuality();       // => 1.0
$acceptHeader->get('application/xml')->getQuality(); // => 1.0 (because of */*)
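Server-side content negotiation built on these wildcard defaults, as an added example that is not code from the blog post: the function offers each server-supported type to the client's Accept header and keeps the one with the highest quality, treating an explicit q=0 as "not acceptable" and a missing match as rejection. negotiateMediaType() and the supported-type lists are assumptions.

```php
<?php
// Added example (not from the blog post): negotiateMediaType() and the
// supported-type lists are illustrative assumptions.
use Symfony\Component\HttpFoundation\AcceptHeader;

/**
 * Picks the server-supported media type the client values most, or null when
 * the client accepts none of them.
 *
 * @param string[] $supported media types the server can produce, in the
 *                            server's own order of preference (used for ties)
 */
function negotiateMediaType(string $acceptHeader, array $supported): ?string
{
    $accept = AcceptHeader::fromString($acceptHeader);
    $best = null;
    $bestQuality = 0.0;

    foreach ($supported as $mediaType) {
        // Since 4.1, get() also matches "type/*", "*/*" and "*" entries, so a
        // client sending "*/*" is offered every supported type instead of
        // triggering the "getQuality() on null" error shown above.
        $item = $accept->get($mediaType);
        if (null === $item) {
            continue; // neither listed nor covered by a wildcard
        }

        // The strict ">" gives two properties: an explicit q=0 ("not
        // acceptable" in RFC 7231) can never win, and on equal quality the
        // first supported type, i.e. the server's preference, is kept.
        $quality = $item->getQuality();
        if ($quality > $bestQuality) {
            $bestQuality = $quality;
            $best = $mediaType;
        }
    }

    return $best;
}

// The header from the post: text/xml is covered by the text/*;q=0.8 entry,
// application/json only by the */* fallback.
$chosen = negotiateMediaType('text/plain;q=0.5, text/html, text/*;q=0.8, */*', ['text/xml', 'application/json']);

// No wildcard at all: a type the client did not list is not acceptable.
$strict = negotiateMediaType('application/json', ['text/html']);

// An explicit q=0 for one type overrides the */* fallback for that type only.
$refused = negotiateMediaType('*/*, text/html;q=0', ['text/html', 'text/plain']);
```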

04/23/2018 06:03 am   Symfony Blog

This week, Symfony improved the performance of the Cache component by inlining some function calls, and simplified the usage of the new Messenger component by allowing the sender tag name to be omitted and the adapter name to be used instead of the service name. In addition, we added a new dd() helper which is useful when you can't or don't want to use a debugger.

Symfony development highlights

2.7 changelog:

  • a3af3d3: [Form] fixed trimming choice values
  • d17d38d: [HttpKernel] fix that ESI/SSI processing can turn a private response public
  • b0410d4: [HttpFoundation] don't assume that file binary exists on *nix OS

3.4 changelog:

  • baeb1bf: [TwigBundle] fixed rendering exception stack traces
  • 8f2132f: [Routing] fixed loading multiple class annotations for invokable classes
  • 2a52963: [Console] fixed PSR exception context key
  • e984546: [TwigBundle] fixed formatting arguments in plaintext format
  • bf871f4: [Cache] inline some hot function calls
  • 09d1a2b: [TwigBridge] fixed PercentType error rendering in Bootstrap 4 theme
  • 733e813: [DoctrineBridge] fixed bug when indexBy is meta key in PropertyInfo\DoctrineExtractor

Master changelog:

  • 7e4de96: [Messenger] use the adapter name instead of the service name
  • d2f8df8: [Config] fix the valid placeholder types for variable node
  • 4af9003: [Messenger] allow sender tag name omission
  • fe19931: [Messenger] allow to configure the transport
  • 4429c9b: [Messenger] allow disabling the auto-setup of the AmqpExt connection
  • a59d0f6: [VarDumper] added dd() helper
  • 8c4fd12: [Security] made security.providers optional
  • 3450e47: [TwigBundle] do not normalize array keys in twig globals
  • 028e1e5: Declare type for arguments of anonymous functions
  • 1b1bbd4: [HttpKernel] Added support for timings in ArgumentValueResolvers
  • 306c599: [DependencyInjection] allow autoconfigured calls in PHP
  • d0db387: [HttpKernel] split logs on different sub-requests in LoggerDataCollector
  • 833909b: [DependencyInjection] hide service ids that start with a dot
  • 2ceef59: [Form] added choice_translation_locale option for Intl choice types
  • 9cb1f14: [BrowserKit] allow to bypass HTTP header information
  • cbc2376: [HttpFoundation] added a HeaderUtils class

Newest issues and pull requests

They talked about us

04/22/2018 02:55 am   Symfony Blog

Added a ConstraintViolationListNormalizer

Contributed by Grégoire Pineau in #22150.

When working on APIs with Symfony, it's common to use code like this:

/**
 * @Route("/blog/new", name="api_blog_new")
 * @Method("POST")
 * @Security("is_granted('ROLE_ADMIN')")
 */
public function new(Request $request, SerializerInterface $serializer, ValidatorInterface $validator)
{
    $data = $request->getContent();
    $post = $serializer->deserialize($data, Post::class, 'json', ['groups' => ['post_write']]);
    $post->setAuthor($this->getUser());

    $violations = $validator->validate($post);
    if (count($violations) > 0) {
        $repr = $serializer->serialize($violations, 'json');

        return JsonResponse::fromJsonString($repr, 400);
    }

    // ...
}

The $violations variable contains a ConstraintViolationList object and it's common to transform it into a list of errors and serialize the list to include it in a JSON response. That's why in Symfony 4.1 we've added a ConstraintViolationListNormalizer which does that for you automatically. The normalizer follows the RFC 7807 specification to generate the list of errors.

Getting the XML and CSV results as a collection

Contributed by Hamza Amrouche in #25218 and #25369.

The CsvEncoder and XmlEncoder now define a new config option called as_collection. If you pass that option as part of the context argument and set it to true, the results will be a collection.

Default constructor arguments for denormalization

Contributed by Maxime Veber in #25493.

If the constructor of a class defines required arguments, as usually happens when using Value Objects, the serializer can't create the object when the data doesn't provide all of them. In Symfony 4.1 we've introduced a new default_constructor_arguments context option to solve this problem.

In the following example, both foo and bar are required constructor arguments but only foo is provided. The value of bar is taken from the default_constructor_arguments option:

use Symfony\Component\Serializer\Serializer;
use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;

class MyObj
{
    private $foo;
    private $bar;

    public function __construct($foo, $bar)
    {
        $this->foo = $foo;
        $this->bar = $bar;
    }
}

$normalizer = new ObjectNormalizer(); // no class metadata factory is needed for this example
$serializer = new Serializer(array($normalizer));

// this is equivalent to $data = new MyObj('Hello', '');
$data = $serializer->denormalize(['foo' => 'Hello'], 'MyObj', [
    'default_constructor_arguments' => [
        'MyObj' => ['foo' => '', 'bar' => ''],
    ]
]);

Added a MaxDepth handler

Contributed by Kévin Dunglas in #26108.

Sometimes, instead of just stopping the serialization process when the configured max depth is reached, it's better to let the developer handle this situation to return something (e.g. the identifier of the entity).

In Symfony 4.1 you can solve this problem by defining a custom handler with the new setMaxDepthHandler() method:

use Doctrine\Common\Annotations\AnnotationReader;
use Symfony\Component\Serializer\Serializer;
use Symfony\Component\Serializer\Annotation\MaxDepth;
use Symfony\Component\Serializer\Mapping\Factory\ClassMetadataFactory;
use Symfony\Component\Serializer\Mapping\Loader\AnnotationLoader;
use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;

class Foo
{
    public $id;

    /** @MaxDepth(1) */
    public $child;
}

$level1 = new Foo();
$level1->id = 1;

$level2 = new Foo();
$level2->id = 2;
$level1->child = $level2;

$level3 = new Foo();
$level3->id = 3;
$level2->child = $level3;

$classMetadataFactory = new ClassMetadataFactory(new AnnotationLoader(new AnnotationReader()));
$normalizer = new ObjectNormalizer($classMetadataFactory);
$normalizer->setMaxDepthHandler(function ($foo) {
    return '/foos/'.$foo->id;
});

$serializer = new Serializer(array($normalizer));
$result = $serializer->normalize($level1, null, array(ObjectNormalizer::ENABLE_MAX_DEPTH => true));
/*
$result = [
    'id' => 1,
    'child' => [
        'id' => 2,
        'child' => '/foos/3',
    ]
];
*/

Ignore comments when decoding XML

Contributed by James Sansbury in #26445.

In previous Symfony versions, XML comments were processed when decoding contents. Also, if the first line of the XML content was a comment, it was used as the root node of the decoded XML.

In Symfony 4.1, XML comments are removed by default but you can control this behavior with the new optional third constructor argument:

class XmlEncoder
{
    public function __construct(
        string $rootNodeName = 'response',
        int $loadOptions = null,
        array $ignoredNodeTypes = array(XML_PI_NODE, XML_COMMENT_NODE)
    ) {
        // ...
    }
}

04/20/2018 03:54 am   Symfony Blog

A simpler way to test Ajax requests

Contributed by Hamza Amrouche in #26381.

The BrowserKit component used in Symfony functional tests provides lots of utilities to simulate the behavior of a web browser. In Symfony 4.1 we've added a new utility to make Ajax requests simpler: xmlHttpRequest().

This method works the same as the current request() method and accepts the same arguments, but it adds the required HTTP_X_REQUESTED_WITH header automatically so you don't have to do that yourself:

// Before
$crawler = $client->request('GET', '/some/path', [], [], [
    'HTTP_X-Requested-With' => 'XMLHttpRequest',
]);

// After
$crawler = $client->xmlHttpRequest('GET', '/some/path');

Improved the Ajax panel in the debug toolbar

The first minor but noticeable change is that the link to the Ajax request profile has been moved to the first column of the table, so it's easier to click on it.

In addition, when the Ajax request results in an exception (HTTP status of 400 or higher) the profiler link points to the exception profiler panel instead of the default request/response panel:

In any case, the biggest new feature of the Ajax panel is that requests now display their duration in real time, so you always know which requests are still pending:

04/19/2018 03:15 am   Symfony Blog

Contributed by Shaun Simmons in #23707.

Logging as much information as possible is essential to help you debug the issues found in your applications. However, logging too much information can be as bad as logging too little, because of all the "noise" added to your logs.

That's why in Symfony 4.1 we've improved the Monolog integration to allow you to exclude log messages related to specific HTTP status codes. For example, when using a fingers_crossed handler, use the following configuration to ignore the logs about 403 and 404 errors:

# config/packages/monolog.yaml
monolog:
    handlers:
        main:
            # ...
            type: 'fingers_crossed'
            excluded_http_codes: [403, 404]

For more complex needs, it's also possible to exclude logs only for certain URLs, defined as regular expression patterns:

# config/packages/monolog.yaml
monolog:
    handlers:
        main:
            # ...
            excluded_http_codes: [{ 400: ['^/foo', '^/bar'] }, 403, 404]

If you prefer XML configuration, this is how the previous example looks:

<!-- config/packages/monolog.xml -->
<monolog:config>
    <monolog:handler type="fingers_crossed" name="main" handler="...">
        <!-- ... -->
        <monolog:excluded-http-code code="400">
            <monolog:url>^/foo</monolog:url>
            <monolog:url>^/bar</monolog:url>
        </monolog:excluded-http-code>
        <monolog:excluded-http-code code="403" />
        <monolog:excluded-http-code code="404" />
    </monolog:handler>
</monolog:config>

04/17/2018 04:33 am   Symfony Blog

This week, Symfony continued working on the new features of the upcoming 4.1 version, such as iterable support in the SymfonyStyle methods and a new AMQP adapter for the Messenger component. In addition, we opened the Call for Papers for the SymfonyLive London 2018 conference.

Symfony development highlights

2.7 changelog:

  • 0f9c45e: [Validator] fixed LazyLoadingMetadataFactory with PSR6Cache for non classname if tested values isn't existing class
  • 1067468: [Console] don't go past exact matches when autocompleting

3.4 changelog:

  • 11bdd80: [DependencyInjection] improve error message for non-autowirable scalar argument
  • 16ae720: [HttpKernel] don't create mock cookie for new sessions in tests
  • 811c4dd: [HttpKernel] made ServiceValueResolver work if controller namespace starts with a backslash in routing

Master changelog:

  • 5736321: [Console] support iterable in SymfonyStyle::write/writeln
  • a726f05: [Messenger] rename the middleware tag
  • 9a99955: [FrameworkBundle] fixed configuration of php_errors.log
  • aa04d06: [Messenger] added AMQP adapter

Newest issues and pull requests

They talked about us

04/15/2018 03:09 am   Symfony Blog

This week was the first of the "feature freeze" period of Symfony 4.1. Development activity focused on finishing and polishing some of the pending features, such as a middleware that validates Messenger messages, a Monolog activation strategy for ignoring specific HTTP codes, the ability to set the rounding strategy for MoneyType and a feature to use custom functions inside allow_if security expressions.

Symfony development highlights

2.7 changelog:

  • d73f491: [Console] fixed check of color support on Windows
  • eac5ede: added PHPDbg support to HTTP components
  • 7c4676a: [Finder] removed duplicate slashes in filenames
  • c415e4c: [EventDispatcher] fixed wrong listener in stopEventPropagation test

3.4 changelog:

  • c48af7c: [FrameworkBundle] added PHP errors options to XML schema definition
  • ea69cc2: [Yaml] fixed regression when trying to parse multiline
  • 341682e: [WebProfilerBundle] made FileLinkFormatter URL format generation lazy
  • 3c54c4a: [SecurityBundle] added missing argument to security.authentication.provider.simple
  • 0e67060: [Routing] fixed throwing NoConfigurationException instead of 405
  • 1605684: [Security] load the user before pre/post auth checks when needed
  • 603f3ab: [PhpUnitBridge] catch deprecation error handler
  • 5fa9a58: [Security] register custom providers on ExpressionLanguage directly

Master changelog:

  • 0ff2f8e: [Workflow] added a new all() method to Registry
  • 382b586: [FrameworkBundle] fixed log level support config handling
  • 9fda6d3: mark ExceptionInterfaces throwable
  • 8912754: [HttpFoundation] split FileException into specialized ones about upload handling
  • 56cd3d2: [Messenger] added a middleware that validates messages
  • d5b88eb: [Messenger] added a MessageHandlerInterface (multiple messages + auto-configuration)
  • ee51f74: [Monolog Bridge] added a Monolog activation strategy for ignoring specific HTTP codes
  • fe6aa64: [Form] ability to set rounding strategy for MoneyType
  • 2a4d024: [Ldap] allow adding and removing values to/from multi-valued attributes
  • 572042c: [Messenger] remove the Doctrine middleware configuration from the FrameworkBundle
  • f738013: [PhpUnitBridge] search for other SYMFONY_* env vars in phpunit.xml then phpunit.xml.dist
  • 179fe2f: [FrameworkBundle] removed CSRF Twig extension when class is missing
  • 3a37e41: [Messenger] moved collector and command into the component and other minor tweaks
  • 47e2bd3: [Debug] support any Throwable object in FlattenException
  • 0f4c0e9: [HttpFoundation] added a migrating session handler
  • dc29b27: [SecurityBundle] allow using custom function inside allow_if expressions
  • ec999c7: [Console] added support for iterable in output
  • 629e82d: [HttpFoundation] have MigratingSessionHandler implement SessionUpdateTimestampHandlerInterface

Newest issues and pull requests

They talked about us

04/08/2018 02:26 am   Symfony Blog

Symfony 4.0.8 has just been released. Here is a list of the most important changes:

  • bug #26802 [Security] register custom providers on ExpressionLanguage directly (@dmaicher)
  • bug #26794 [PhpUnitBridge] Catch deprecation error handler (@cvilleger)
  • bug #26788 [Security] Load the user before pre/post auth checks when needed (@chalasr)
  • bug #26792 [Routing] Fix throwing NoConfigurationException instead of 405 (@nicolas-grekas)
  • bug #26774 [SecurityBundle] Add missing argument to security.authentication.provider.simple (@i3or1s, @chalasr)
  • bug #26763 [Finder] Remove duplicate slashes in filenames (@helhum)
  • bug #26758 [WebProfilerBundle][HttpKernel] Make FileLinkFormatter URL format generation lazy (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

04/06/2018 11:49 am   Symfony Blog

Symfony 3.4.8 has just been released. Here is a list of the most important changes:

  • bug #26802 [Security] register custom providers on ExpressionLanguage directly (@dmaicher)
  • bug #26794 [PhpUnitBridge] Catch deprecation error handler (@cvilleger)
  • bug #26788 [Security] Load the user before pre/post auth checks when needed (@chalasr)
  • bug #26792 [Routing] Fix throwing NoConfigurationException instead of 405 (@nicolas-grekas)
  • bug #26774 [SecurityBundle] Add missing argument to security.authentication.provider.simple (@i3or1s, @chalasr)
  • bug #26763 [Finder] Remove duplicate slashes in filenames (@helhum)
  • bug #26758 [WebProfilerBundle][HttpKernel] Make FileLinkFormatter URL format generation lazy (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

04/06/2018 11:24 am   Symfony Blog

Symfony 2.8.38 has just been released. Here is a list of the most important changes:

  • bug #26788 [Security] Load the user before pre/post auth checks when needed (@chalasr)
  • bug #26774 [SecurityBundle] Add missing argument to security.authentication.provider.simple (@i3or1s, @chalasr)
  • bug #26763 [Finder] Remove duplicate slashes in filenames (@helhum)
  • bug #26749 Add PHPDbg support to HTTP components (@hkdobrev)
  • bug #26609 [Console] Fix check of color support on Windows (@mlocati)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

04/06/2018 10:19 am   Symfony Blog

Symfony 2.7.45 has just been released. Here is a list of the most important changes:

  • bug #26763 [Finder] Remove duplicate slashes in filenames (@helhum)
  • bug #26749 Add PHPDbg support to HTTP components (@hkdobrev)
  • bug #26609 [Console] Fix check of color support on Windows (@mlocati)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

04/06/2018 09:50 am   Symfony Blog

Security is the hardest part of most applications. Even if you follow the latest best practices about security in your own code, there's still the issue of inspecting the third-party code of the dependencies used in your projects.

You can't review every single line of external code used in your application. That's why we've created Symfony Security Monitoring, a service that checks your dependencies continuously for known security vulnerabilities and it's compatible with any PHP project that uses Composer.

The service is simple to use: upload the contents of your composer.lock file and we'll start monitoring those packages and those exact versions continuously to alert you as soon as a vulnerability is disclosed for them.

This continuous security monitoring is better than checking your dependencies automatically on your continuous integration platform. Instead of checking for vulnerabilities when building or deploying the project, we check them 24 hours a day, every day.

This service is also great for projects that you don't work on anymore or that receive little maintenance. In those cases, continuous integration is no longer useful, and it's better to have a bot that alerts you whenever a new vulnerability is discovered that impacts your project.

The pricing of the service is simple too. Instead of a monthly subscription, the service charges you once for three years of unlimited alerts and security checks for one project. The equivalent monthly price is as low as 2 euros.

This is another way to help Symfony

The service on its own is useful for lots of freelancers, agencies and tech companies, but there's another compelling reason to use it: revenues generated by this service fund the development of Open-Source projects like Symfony and Twig.

The Symfony project is lucky to have a very committed community. Out of the 25 million active GitHub repositories, Symfony is the 9th repository with most reviews. However, lots of people ask us how they can give something back to Symfony without contributing code.

Subscribing to Symfony Security Monitoring is the simplest way to contribute to Symfony: you get a valuable service and, at the same time, you are funding the development of Symfony. That's why we made the pricing of the service flexible, so you can decide how much you want to help Symfony.

04/05/2018 05:15 am   Symfony Blog

Symfony 4.0.7 has just been released. Here is a list of the most important changes:

  • bug #26387 [Yaml] Fix regression when trying to parse multiline (@antograssiot)
  • bug #26749 Add PHPDbg support to HTTP components (@hkdobrev)
  • bug #26609 [Console] Fix check of color support on Windows (@mlocati)
  • bug #26727 [HttpCache] Unlink tmp file on error (@Chansig)
  • bug #26675 [HttpKernel] DumpDataCollector: do not flush when a dumper is provided (@ogizanagi)
  • bug #26663 [TwigBridge] Fix rendering of currency by MoneyType (@ro0NL)
  • bug #26595 [DI] Do not suggest writing an implementation when multiple exist (@chalasr)
  • bug #26662 [DI] Fix hardcoded cache dir for warmups (@nicolas-grekas)
  • bug #26677 Support phpdbg SAPI in Debug::enable() (@hkdobrev)
  • bug #26600 [Routing] Fixed the importing of files using glob patterns that match multiple resources (@skalpa)
  • bug #26589 [Ldap] cast to string when checking empty passwords (@ismail1432)
  • bug #26626 [WebProfilerBundle] use the router to resolve file links (@nicolas-grekas)
  • bug #26634 [DI] Cleanup remainings from autoregistration (@nicolas-grekas)
  • bug #26635 [DI] Dont tell about autoregistration in strict autowiring mode (@nicolas-grekas)
  • bug #26621 [Form] no type errors with invalid submitted data types (@xabbuh)
  • bug #26612 [PHPunit] suite variable should be used (@prisis)
  • bug #26337 [Finder] Fixed leading/trailing / in filename (@lyrixx)
  • bug #26584 [TwigBridge] allow html5 compatible rendering of forms with null names (@systemist)
  • bug #24401 [Form] Change datetime to datetime-local for HTML5 datetime input (@pierredup)
  • bug #26513 [FrameworkBundle] Respect debug mode when warm up annotations (@Strate)
  • bug #26370 [Security] added userChecker to SimpleAuthenticationProvider (@i3or1s)
  • bug #26569 [BrowserKit] Fix cookie path handling when $domain is null (@dunglas)
  • bug #26273 [Security][Profiler] Display the original expression in 'Access decision log' (@lyrixx)
  • bug #26427 [DependencyInjection] fix regression when extending the Container class without a constructor (@lsmith77)
  • bug #26562 [BridgePhpUnit] Cannot autoload class "SymfonyBridgePhpUnitSymfonyTestsListener" (@Jake Bishop)
  • bug #26598 Fixes #26563 (open_basedir restriction in effect) (@temperatur)
  • bug #26568 [Debug] Reset previous exception handler earlier to prevent infinite loop (@nicolas-grekas)
  • bug #26590 Make sure form errors is valid HTML (@Nyholm)
  • bug #26567 [DoctrineBridge] Don't rely on ClassMetadataInfo->hasField in DoctrineOrmTypeGuesser anymore (@fancyweb)
  • feature #26408 Readd 'form_label_errors' block to disable errors on form labels (@birkof)
  • bug #26591 [TwigBridge] Make sure we always render errors. Eventhough labels are disabled (@Nyholm)
  • bug #26356 [FrameworkBundle] HttpCache is not longer abstract (@lyrixx)
  • bug #26548 [DomCrawler] Change bad wording in ChoiceFormField::untick (@dunglas)
  • bug #26482 [PhpUnitBridge] Ability to use different composer.json file (@amcastror)
  • bug #26443 [Fix][HttpFoundation] Fix the updating of timestamp in the MemcachedSessionHandler (@Alessandro Loffredo)
  • bug #26400 [Config] ReflectionClassResource check abstract class (@andrey1s)
  • bug #26433 [DomCrawler] extract(): fix a bug when the attribute list is empty (@dunglas)
  • bug #26041 Display the Welcome Page when there is no homepage defined (@javiereguiluz)
  • bug #26452 [Intl] Load locale aliases to support alias fallbacks (@jakzal)
  • bug #26450 [CssSelector] Fix CSS identifiers parsing - they can start with dash (@jakubkulhan)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

04/03/2018 01:44 am   Symfony Blog

Symfony 3.4.7 has just been released. Here is a list of the most important changes:

  • bug #26387 [Yaml] Fix regression when trying to parse multiline (@antograssiot)
  • bug #26749 Add PHPDbg support to HTTP components (@hkdobrev)
  • bug #26609 [Console] Fix check of color support on Windows (@mlocati)
  • bug #26727 [HttpCache] Unlink tmp file on error (@Chansig)
  • bug #26675 [HttpKernel] DumpDataCollector: do not flush when a dumper is provided (@ogizanagi)
  • bug #26663 [TwigBridge] Fix rendering of currency by MoneyType (@ro0NL)
  • bug #26595 [DI] Do not suggest writing an implementation when multiple exist (@chalasr)
  • bug #26662 [DI] Fix hardcoded cache dir for warmups (@nicolas-grekas)
  • bug #26677 Support phpdbg SAPI in Debug::enable() (@hkdobrev)
  • bug #26600 [Routing] Fixed the importing of files using glob patterns that match multiple resources (@skalpa)
  • bug #26589 [Ldap] cast to string when checking empty passwords (@ismail1432)
  • bug #26626 [WebProfilerBundle] use the router to resolve file links (@nicolas-grekas)
  • bug #26635 [DI] Dont tell about autoregistration in strict autowiring mode (@nicolas-grekas)
  • bug #26621 [Form] no type errors with invalid submitted data types (@xabbuh)
  • bug #26612 [PHPunit] suite variable should be used (@prisis)
  • bug #26337 [Finder] Fixed leading/trailing / in filename (@lyrixx)
  • bug #26584 [TwigBridge] allow html5 compatible rendering of forms with null names (@systemist)
  • bug #24401 [Form] Change datetime to datetime-local for HTML5 datetime input (@pierredup)
  • bug #26513 [FrameworkBundle] Respect debug mode when warming up annotations (@Strate)
  • bug #26370 [Security] added userChecker to SimpleAuthenticationProvider (@i3or1s)
  • bug #26569 [BrowserKit] Fix cookie path handling when $domain is null (@dunglas)
  • bug #26273 [Security][Profiler] Display the original expression in 'Access decision log' (@lyrixx)
  • bug #26427 [DependencyInjection] fix regression when extending the Container class without a constructor (@lsmith77)
  • bug #26562 [BridgePhpUnit] Cannot autoload class "Symfony\Bridge\PhpUnit\SymfonyTestsListener" (@Jake Bishop)
  • bug #26598 Fixes #26563 (open_basedir restriction in effect) (@temperatur)
  • bug #26568 [Debug] Reset previous exception handler earlier to prevent infinite loop (@nicolas-grekas)
  • bug #26590 Make sure form errors is valid HTML (@Nyholm)
  • bug #26567 [DoctrineBridge] Don't rely on ClassMetadataInfo->hasField in DoctrineOrmTypeGuesser anymore (@fancyweb)
  • feature #26408 Readd 'form_label_errors' block to disable errors on form labels (@birkof)
  • bug #26591 [TwigBridge] Make sure we always render errors, even though labels are disabled (@Nyholm)
  • bug #26356 [FrameworkBundle] HttpCache is no longer abstract (@lyrixx)
  • bug #26548 [DomCrawler] Change bad wording in ChoiceFormField::untick (@dunglas)
  • bug #26482 [PhpUnitBridge] Ability to use different composer.json file (@amcastror)
  • bug #26443 [Fix][HttpFoundation] Fix the updating of timestamp in the MemcachedSessionHandler (@Alessandro Loffredo)
  • bug #26400 [Config] ReflectionClassResource check abstract class (@andrey1s)
  • bug #26433 [DomCrawler] extract(): fix a bug when the attribute list is empty (@dunglas)
  • bug #26041 Display the Welcome Page when there is no homepage defined (@javiereguiluz)
  • bug #26452 [Intl] Load locale aliases to support alias fallbacks (@jakzal)
  • bug #26450 [CssSelector] Fix CSS identifiers parsing - they can start with dash (@jakubkulhan)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


04/03/2018 01:18 am   Symfony Blog

Symfony 2.7.44 has just been released. Here is a list of the most important changes:

  • bug #26727 [HttpCache] Unlink tmp file on error (@Chansig)
  • bug #26675 [HttpKernel] DumpDataCollector: do not flush when a dumper is provided (@ogizanagi)
  • bug #26663 [TwigBridge] Fix rendering of currency by MoneyType (@ro0NL)
  • bug #26677 Support phpdbg SAPI in Debug::enable() (@hkdobrev)
  • bug #26621 [Form] no type errors with invalid submitted data types (@xabbuh)
  • bug #26337 [Finder] Fixed leading/trailing / in filename (@lyrixx)
  • bug #26584 [TwigBridge] allow html5 compatible rendering of forms with null names (@systemist)
  • bug #24401 [Form] Change datetime to datetime-local for HTML5 datetime input (@pierredup)
  • bug #26370 [Security] added userChecker to SimpleAuthenticationProvider (@i3or1s)
  • bug #26569 [BrowserKit] Fix cookie path handling when $domain is null (@dunglas)
  • bug #26598 Fixes #26563 (open_basedir restriction in effect) (@temperatur)
  • bug #26568 [Debug] Reset previous exception handler earlier to prevent infinite loop (@nicolas-grekas)
  • bug #26567 [DoctrineBridge] Don't rely on ClassMetadataInfo->hasField in DoctrineOrmTypeGuesser anymore (@fancyweb)
  • bug #26356 [FrameworkBundle] HttpCache is no longer abstract (@lyrixx)
  • bug #26548 [DomCrawler] Change bad wording in ChoiceFormField::untick (@dunglas)
  • bug #26433 [DomCrawler] extract(): fix a bug when the attribute list is empty (@dunglas)
  • bug #26452 [Intl] Load locale aliases to support alias fallbacks (@jakzal)
  • bug #26450 [CssSelector] Fix CSS identifiers parsing - they can start with dash (@jakubkulhan)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.


04/02/2018 06:57 am   Symfony Blog

This week, Symfony focused on finishing important features before the Symfony 4.1 feature freeze starts next week: it introduced a new Messenger component, internationalized routing, inlined routing configuration, transition blockers for workflows, support for multiple modifiable sections in Console output, and a server to collect VarDumper dumps. In addition, we updated the status of our diversity initiative.

Symfony development highlights

2.7 changelog:

  • 567cbaa: [Debug] reset previous exception handler earlier to prevent infinite loop
  • bd49884: [BrowserKit] fixed cookie path handling when $domain is null
  • 7753282: [Security] added userChecker to SimpleAuthenticationProvider
  • 7323372: [Config] handle nullable node name
  • a1be12e: [TwigBridge] allow HTML5 compatible rendering of forms with null names
  • 25c2f91: [Finder] fixed leading and trailing slashes in filename
  • 2349e97: [Form] no type errors with invalid submitted data types

3.4 changelog:

  • d818636: [DependencyInjection] added tests for EnvVarProcessor
  • ba2e6ed: [DependencyInjection] fix regression when extending the Container class without a constructor
  • 7ae5292: [Security] display the original expression in the access decision log panel
  • 7753282: [Security] added userChecker to SimpleAuthenticationProvider
  • 28f4662: [FrameworkBundle] respect debug mode when warming up annotations
  • 2faaf11: [WebProfilerBundle] used the router to resolve file links
  • 723d26f: [DependencyInjection] don't tell about autoregistration in strict autowiring mode
  • 1ad4596: [Routing] fixed the importing of files using glob patterns that match multiple resources

4.0 changelog:

  • 07512bb: [DependencyInjection] clean up the remnants of autoregistration

Master changelog:

  • b2fafc6: [Routing] implemented internationalized routing
  • e32c1da: [Routing] fixed name-prefixing when using PHP DSL
  • 0f9246f: [Routing] allowed inline definition of requirements and defaults
  • b79f29e: [Routing] remove capturing groups from requirements to avoid breaking the merged regex
  • 4cc8cf6: [Console] made ProgressBar::setMaxSteps public
  • 1fffb85: [BrowserKit] transform both switchToXHR() and removeXhr() to xmlHttpRequest()
  • a5dbc68: [Console] modify console output and print multiple modifiable sections
  • 5605d2f: [Workflow] added transition blockers
  • d4bfbb8: [DependencyInjection] autowire the inner service when decorating services
  • a1b1a44: [FrameworkBundle, TwigBridge] made csrf_token() usable without forms
  • 14ab56e: [FrameworkBundle] added the ability to search a route in debug:router command
  • 07a2f6c: [Workflow] added a MetadataStore to fetch some metadata
  • 7262c59: [Routing] allow no-slash root on imported routes
  • bbeca51: [Serializer] ignore comments when decoding XML
  • 61da487: [DependencyInjection] deprecate TypedReference::canBeAutoregistered() and getRequiringClass()
  • 7eae6af: [SecurityBundle] added an alias from RoleHierarchyInterface to security.role_hierarchy
  • acf49e9: [Serializer] added a ConstraintViolationListNormalizer
  • e157ded: [Messenger] added a new Messenger component
  • 4bbdf06: [VarDumper] introduced a new way to collect dumps through a server dumper
  • d5a55a5: [Workflow] added a TransitionException

Newest issues and pull requests

They talked about us


03/25/2018 04:13 am   Symfony Blog