From d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Thu, 3 Mar 2022 11:39:01 +0100 Subject: [PATCH 01/13] [HttpKernel] Remove private headers before storing responses with HttpCache --- .../Component/HttpKernel/HttpCache/Store.php | 20 ++++++++++++++++--- .../HttpKernel/Tests/HttpCache/StoreTest.php | 13 ++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/HttpCache/Store.php b/src/Symfony/Component/HttpKernel/HttpCache/Store.php index eeb7a6ef948b1..43bd7c808252c 100644 --- a/src/Symfony/Component/HttpKernel/HttpCache/Store.php +++ b/src/Symfony/Component/HttpKernel/HttpCache/Store.php @@ -26,19 +26,29 @@ class Store implements StoreInterface { protected $root; private $keyCache; - private $locks; + private $locks = []; + private $options; /** + * Constructor. + * + * The available options are: + * + * * private_headers Set of response headers that should not be stored + * when a response is cached. (default: Set-Cookie) + * * @throws \RuntimeException */ - public function __construct(string $root) + public function __construct(string $root, array $options = []) { $this->root = $root; if (!file_exists($this->root) && !@mkdir($this->root, 0777, true) && !is_dir($this->root)) { throw new \RuntimeException(sprintf('Unable to create the store directory (%s).', $this->root)); } $this->keyCache = new \SplObjectStorage(); - $this->locks = []; + $this->options = array_merge([ + 'private_headers' => ['Set-Cookie'], + ], $options); } /** @@ -215,6 +225,10 @@ public function write(Request $request, Response $response) $headers = $this->persistResponse($response); unset($headers['age']); + foreach ($this->options['private_headers'] as $h) { + unset($headers[strtolower($h)]); + } + array_unshift($entries, [$storedEnv, $headers]); if (!$this->save($key, serialize($entries))) { 
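Review bot: In `Store::__construct()`, `array_merge(['private_headers' => ['Set-Cookie']], $options)` replaces the default list instead of extending it, so a caller who overrides `private_headers` without repeating `Set-Cookie` silently goes back to persisting cookies in the shared store. The docblock should say so, for example `* private_headers  Set of response headers that should not be stored when a response is cached; an override replaces the default, so keep Set-Cookie in it`. The option is also not validated: a non-array value would only fail later, in the `foreach` inside `write()`.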
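Review bot: The new loop in `write()` strips private headers only when an entry is stored, so entries persisted before this change still carry `set-cookie`. Unless the read path filters as well (not visible here), they would keep being replayed to other clients until they expire or are purged. The upgrade notes should tell operators to clear the HttpCache store directory when deploying the fix. A why-comment above the loop would also help, e.g. `// never persist per-user headers: a stored entry is replayed to every client`. `write()` starts and ends outside the hunk.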
diff --git a/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php b/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php index da1f649127405..239361bc8c337 100644 --- a/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php +++ b/src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php @@ -12,8 +12,10 @@ namespace Symfony\Component\HttpKernel\Tests\HttpCache; use PHPUnit\Framework\TestCase; +use Symfony\Component\HttpFoundation\Cookie; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; +use Symfony\Component\HttpKernel\HttpCache\HttpCache; use Symfony\Component\HttpKernel\HttpCache\Store; class StoreTest extends TestCase @@ -317,6 +319,17 @@ public function testPurgeHttpAndHttps() $this->assertEmpty($this->getStoreMetadata($requestHttps)); } + public function testDoesNotStorePrivateHeaders() + { + $request = Request::create('https://example.com/foo'); + $response = new Response('foo'); + $response->headers->setCookie(Cookie::fromString('foo=bar')); + + $this->store->write($request, $response); + $this->assertArrayNotHasKey('set-cookie', $this->getStoreMetadata($request)[0][1]); + $this->assertNotEmpty($response->headers->getCookies()); + } + protected function storeSimpleEntry($path = null, $headers = []) { if (null === $path) { From 5909d74ecee359ea4982fcf4331aaf2e489a1fd4 Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Mon, 23 Jan 2023 19:43:46 +0100 Subject: [PATCH 02/13] [Security/Http] Remove CSRF tokens from storage on successful login --- .../SecurityBundle/Resources/config/security.xml | 1 + .../Tests/Functional/CsrfFormLoginTest.php | 6 ++++++ .../SecurityBundle/Tests/Functional/LogoutTest.php | 4 +--- src/Symfony/Bundle/SecurityBundle/composer.json | 2 +- .../Http/Session/SessionAuthenticationStrategy.php | 14 +++++++++++--- .../Session/SessionAuthenticationStrategyTest.php | 13 +++++++++++++ 6 files changed, 33 insertions(+), 7 deletions(-) 
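Review bot: `testDoesNotStorePrivateHeaders` exercises only the default option, so the override path of the new constructor argument and the `strtolower()` normalisation in `Store::write()` stay untested. A second case that builds the store with a mixed-case custom list such as `['private_headers' => ['X-Custom', 'Set-Cookie']]` (header name constructed for illustration) and asserts that both lowercase keys are absent from the metadata would pin that behaviour. The `use Symfony\Component\HttpKernel\HttpCache\HttpCache;` import added in the first hunk does not appear to be used by the added test.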
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml index 3491383b8bba6..eabe5e547fada 100644 --- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml +++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml @@ -63,6 +63,7 @@ %security.authentication.session_strategy.strategy% + diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/CsrfFormLoginTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/CsrfFormLoginTest.php index 1a672d70f8335..08ea67a6416fa 100644 --- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/CsrfFormLoginTest.php +++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/CsrfFormLoginTest.php @@ -19,12 +19,15 @@ class CsrfFormLoginTest extends AbstractWebTestCase public function testFormLoginAndLogoutWithCsrfTokens($config) { $client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]); + static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar'); $form = $client->request('GET', '/login')->selectButton('login')->form(); $form['user_login[username]'] = 'johannes'; $form['user_login[password]'] = 'test'; $client->submit($form); + $this->assertFalse(static::$container->get('security.csrf.token_storage')->hasToken('foo')); + $this->assertRedirect($client->getResponse(), '/profile'); $crawler = $client->followRedirect(); 
@@ -48,11 +51,14 @@ public function testFormLoginAndLogoutWithCsrfTokens($config) public function testFormLoginWithInvalidCsrfToken($config) { $client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]); + static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar'); $form = $client->request('GET', '/login')->selectButton('login')->form(); $form['user_login[_token]'] = ''; $client->submit($form); + $this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo')); + $this->assertRedirect($client->getResponse(), '/login'); $text = $client->followRedirect()->text(null, true); diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php index cb7868f3256ef..465027f42f0c8 100644 --- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php +++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php @@ -36,15 +36,13 @@ public function testSessionLessRememberMeLogout() public function testCsrfTokensAreClearedOnLogout() { $client = $this->createClient(['test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']); - static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar'); $client->request('POST', '/login', [ '_username' => 'johannes', '_password' => 'test', ]); - $this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo')); - $this->assertSame('bar', static::$container->get('security.csrf.token_storage')->getToken('foo')); + static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar'); $client->request('GET', '/logout'); diff --git a/src/Symfony/Bundle/SecurityBundle/composer.json b/src/Symfony/Bundle/SecurityBundle/composer.json index 1106acfa008c6..4061646f399ff 100644 --- a/src/Symfony/Bundle/SecurityBundle/composer.json +++ b/src/Symfony/Bundle/SecurityBundle/composer.json 
@@ -25,7 +25,7 @@ "symfony/security-core": "^4.4", "symfony/security-csrf": "^4.2|^5.0", "symfony/security-guard": "^4.2|^5.0", - "symfony/security-http": "^4.4.5" + "symfony/security-http": "^4.4.50" }, "require-dev": { "doctrine/annotations": "^1.10.4", diff --git a/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php b/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php index a4bb88818d452..73691058d0ce6 100644 --- a/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php +++ b/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php @@ -13,6 +13,7 @@ use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface; /** * The default session strategy implementation. @@ -31,10 +32,15 @@ class SessionAuthenticationStrategy implements SessionAuthenticationStrategyInte public const INVALIDATE = 'invalidate'; private $strategy; + private $csrfTokenStorage = null; - public function __construct(string $strategy) + public function __construct(string $strategy, ClearableTokenStorageInterface $csrfTokenStorage = null) { $this->strategy = $strategy; + + if (self::MIGRATE === $strategy) { + $this->csrfTokenStorage = $csrfTokenStorage; + } } /** @@ -47,10 +53,12 @@ public function onAuthentication(Request $request, TokenInterface $token) return; case self::MIGRATE: - // Note: this logic is duplicated in several authentication listeners - // until Symfony 5.0 due to a security fix with BC compat $request->getSession()->migrate(true); + if ($this->csrfTokenStorage) { + $this->csrfTokenStorage->clear(); + } + return; case self::INVALIDATE: 
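Review bot: The new `$csrfTokenStorage` constructor argument defaults to `null` and `onAuthentication()` skips the clear when it is unset, so any service definition that builds `SessionAuthenticationStrategy` without the second argument keeps the old behaviour with no warning. The constructor needs a docblock line stating that omitting the storage leaves pre-login CSRF tokens in place after authentication. Writing the parameter as `?ClearableTokenStorageInterface $csrfTokenStorage = null` would also make the nullability explicit.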
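Review bot: Only the `MIGRATE` branch of `onAuthentication()` clears the CSRF storage, and the constructor discards the storage for every other strategy, so `INVALIDATE` presumably relies on session invalidation to drop tokens while `NONE` keeps them. That holds only if the token storage is session-backed, which the hunk does not show, so the assumption deserves a comment here, e.g. `// INVALIDATE drops session-backed tokens with the session; NONE intentionally keeps them`. `if (null !== $this->csrfTokenStorage)` would state the intent more precisely than the truthiness check. `onAuthentication()` continues outside the hunk.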
diff --git a/src/Symfony/Component/Security/Http/Tests/Session/SessionAuthenticationStrategyTest.php b/src/Symfony/Component/Security/Http/Tests/Session/SessionAuthenticationStrategyTest.php index 010bb0edf2cfd..2051f34239144 100644 --- a/src/Symfony/Component/Security/Http/Tests/Session/SessionAuthenticationStrategyTest.php +++ b/src/Symfony/Component/Security/Http/Tests/Session/SessionAuthenticationStrategyTest.php @@ -14,6 +14,7 @@ use PHPUnit\Framework\TestCase; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Session\SessionInterface; +use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface; use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy; use Symfony\Component\Security\Http\Tests\Fixtures\TokenInterface; @@ -57,6 +58,18 @@ public function testSessionIsInvalidated() $strategy->onAuthentication($this->getRequest($session), $this->createMock(TokenInterface::class)); } + public function testCsrfTokensAreCleared() + { + $session = $this->createMock(SessionInterface::class); + $session->expects($this->once())->method('migrate')->with($this->equalTo(true)); + + $csrfStorage = $this->createMock(ClearableTokenStorageInterface::class); + $csrfStorage->expects($this->once())->method('clear'); + + $strategy = new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE, $csrfStorage); + $strategy->onAuthentication($this->getRequest($session), $this->createMock(TokenInterface::class)); + } + private function getRequest($session = null) { $request = $this->createMock(Request::class); From 5574133750a4e19a9e651753ef3c0db40aa2bd1f Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Tue, 24 Jan 2023 14:37:36 +0100 Subject: [PATCH 03/13] Update CHANGELOG for 5.4.19 --- CHANGELOG-5.4.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/CHANGELOG-5.4.md b/CHANGELOG-5.4.md index 50d58aacaef5b..8c687fa6ef99e 100644 --- a/CHANGELOG-5.4.md 
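Review bot: `testCsrfTokensAreCleared` covers only the `MIGRATE` strategy with a storage injected, leaving the other constructor paths unpinned. Because the constructor deliberately drops the storage for other strategies, a companion test that passes the mock with `SessionAuthenticationStrategy::INVALIDATE` and expects `clear` never to be called would lock that in. A case that constructs the strategy without any storage and still expects `migrate(true)` would cover the backward-compatible path.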
+++ b/CHANGELOG-5.4.md 
@@ -7,6 +7,32 @@ in 5.4 minor versions. To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v5.4.0...v5.4.1 +* 5.4.19 (2023-01-24) + + * bug #49078 [Security/Http] Check tokens before loading users from providers (nicolas-grekas) + * bug #49077 [DependencyInjection] Fix named arguments when using ContainerBuilder before compilation (nicolas-grekas) + * bug #49031 [Cache] fix collecting cache stats when nesting computations (nicolas-grekas) + * bug #49046 Fix for Windows when projects are deployed on junctions/symlinks (nerdgod) + * bug #49025 [Notifier] [OvhCloud] handle invalid receiver (seferov) + * bug #48993 [VarDumper] Fix JS to expand / collapse (nicolas-grekas) + * bug #48983 Fix BC user_identifier support after deprecation username (vtsykun) + * bug #48986 [Validator] Fix Email validator logic (fabpot) + * bug #48969 [PropertyInfo] Fixes constructor extractor for mixed type (michael.kubovic) + * bug #48978 [Serializer] use method_exists() instead of catching reflection exceptions (xabbuh) + * bug #48937 [SecurityBundle] Fix using same handler for multiple authenticators (RobertMe) + * bug #48971 [DependencyInjection] Fix dump order of inlined deps (nicolas-grekas) + * bug #48966 [HttpClient] Let curl handle content-length headers (nicolas-grekas) + * bug #48968 [VarExporter] Fix exporting enums (nicolas-grekas) + * bug #48926 [DependencyInjection] Fix support for named arguments on non-autowired services (nicolas-grekas) + * bug #48943 [FrameworkBundle] Fix deprecation when accessing a "container.private" service from the test container (nicolas-grekas) + * bug #48931 [DependencyInjection] Fix dumping inlined withers (nicolas-grekas) + * bug #48898 [HttpClient] Move Http clients data collecting at a late level (pforesi) + * bug #48896 [DoctrineBridge] Fix detecting mapping with one line annotations 
(franmomu) + * bug #48916 [FrameworkBundle] restore call to addGlobalIgnoredName (alexislefebvre) + * bug #48917 [Config] Fix XML dump when node example is an array (alexandre-daubois) + * bug #48904 [Validator] Allow egulias/email-validator v4 (chalasr) + * bug #48831 [Uid] Fix validating nil and max uuid (fancyweb) + * 5.4.18 (2022-12-29) * bug #48823 [Cache] Fix possibly null value passed to preg_match() in RedisTrait (chalasr) From 46b2043606a55a1461c5ec3e41cdbd41ca665d1d Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Tue, 24 Jan 2023 14:37:40 +0100 Subject: [PATCH 04/13] Update CONTRIBUTORS for 5.4.19 --- CONTRIBUTORS.md | 57 +++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 94862ab99db42..016a12f53a9c9 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -23,8 +23,8 @@ The Symfony Connect username in parenthesis allows to get more information - Victor Berchet (victor) - Yonel Ceruto (yonelceruto) - Tobias Nyholm (tobias) - - Oskar Stark (oskarstark) - Javier Eguiluz (javier.eguiluz) + - Oskar Stark (oskarstark) - Ryan Weaver (weaverryan) - Johannes S (johannes) - Jakub Zalas (jakubzalas) @@ -33,8 +33,8 @@ The Symfony Connect username in parenthesis allows to get more information - Hamza Amrouche (simperfit) - Samuel ROZE (sroze) - Pascal Borreli (pborreli) - - Romain Neutron - Jules Pietri (heah) + - Romain Neutron - Joseph Bielawski (stloyd) - Drak (drak) - Abdellatif Ait boudad (aitboudad) 
@@ -57,12 +57,12 @@ The Symfony Connect username in parenthesis allows to get more information - Grégoire Paris (greg0ire) - Gabriel Ostrolucký (gadelat) - Jonathan Wage (jwage) + - Alexandre Daubois (alexandre-daubois) - Titouan Galopin (tgalopin) - David Maicher (dmaicher) - - Alexandre Daubois (alexandre-daubois) + - Alexander Schranz (alexander-schranz) - Alexandre Salomé (alexandresalome) - William DURAND - - Alexander Schranz (alexander-schranz) - ornicar - Dany Maillard (maidmaid) - Mathieu Santostefano (welcomattic) @@ -80,13 +80,13 @@ The Symfony Connect username in parenthesis allows to get more information - Saša Stamenković (umpirsky) - Antoine Lamirault - Alex Pott - - Vincent Langlet (deviling) - Mathieu Lechat (mat_the_cat) + - Vincent Langlet (deviling) - Guilhem N (guilhemn) - Vladimir Reznichenko (kalessil) - Sarah Khalil (saro0h) - - Konstantin Kudryashov (everzet) - Tomas Norkūnas (norkunas) + - Konstantin Kudryashov (everzet) - Bilal Amarni (bamarni) - Eriksen Costa - Florin Patan (florinpatan) @@ -99,13 +99,13 @@ The Symfony Connect username in parenthesis allows to get more information - Massimiliano Arione (garak) - Douglas Greenshields (shieldo) - Christian Raue + - Fran Moreno (franmomu) - Jáchym Toušek (enumag) - Mathias Arlaud (mtarld) - Graham Campbell (graham) - Michel Weimerskirch (mweimerskirch) - Eric Clemmons (ericclemmons) - Issei Murasawa (issei_m) - - Fran Moreno (franmomu) - Malte Schlüter (maltemaltesich) - Vasilij Dusko - Denis (yethee) @@ -218,7 +218,9 @@ The Symfony Connect username in parenthesis allows to get more information - Juti Noppornpitak (shiroyuki) - Joe Bennett (kralos) - Nate Wiebe (natewiebe13) + - Farhad Safarov (safarov) - Anthony MARTIN + - Nicolas Philippe (nikophil) - Colin O'Dell (colinodell) - Sebastian Hörl (blogsh) - Ben Davies (bendavies) 
@@ -229,11 +231,11 @@ The Symfony Connect username in parenthesis allows to get more information - Albert Casademont (acasademont) - Arnaud Kleinpeter (nanocom) - Guilherme Blanco (guilhermeblanco) + - Sergey (upyx) - Michael Voříšek - - Farhad Safarov (safarov) - SpacePossum - - Nicolas Philippe (nikophil) - Pablo Godel (pgodel) + - Hubert Lenoir (hubert_lenoir) - Denis Brumann (dbrumann) - Romaric Drigon (romaricdrigon) - Andréia Bohner (andreia) @@ -248,9 +250,7 @@ The Symfony Connect username in parenthesis allows to get more information - Vincent Touzet (vincenttouzet) - Fabien Bourigault (fbourigault) - soyuka - - Sergey (upyx) - Jérémy Derussé - - Hubert Lenoir (hubert_lenoir) - Florent Mata (fmata) - mcfedr (mcfedr) - Maciej Malarz (malarzm) @@ -298,6 +298,7 @@ The Symfony Connect username in parenthesis allows to get more information - Yoann RENARD (yrenard) - Thomas Lallement (raziel057) - Timothée Barray (tyx) + - Alexis Lefebvre - James Halsall (jaitsu) - Mikael Pajunen - Warnar Boekkooi (boekkooi) @@ -323,6 +324,7 @@ The Symfony Connect username in parenthesis allows to get more information - D (denderello) - Jonathan Scheiber (jmsche) - DQNEO + - Romain Monteil (ker0x) - Andrii Bodnar - gnito-org - Artem (artemgenvald) @@ -370,7 +372,6 @@ The Symfony Connect username in parenthesis allows to get more information - Pierre Minnieur (pminnieur) - Kyle - Dominique Bongiraud - - Romain Monteil (ker0x) - Hidde Wieringa (hiddewie) - Christopher Davis (chrisguitarguy) - Lukáš Holeczy (holicz) @@ -379,7 +380,6 @@ The Symfony Connect username in parenthesis allows to get more information - Emanuele Panzeri (thepanz) - Matthew Smeets - François Zaninotto (fzaninotto) - - Alexis Lefebvre - Dustin Whittle (dustinwhittle) - jeff - John Kary (johnkary) 
@@ -500,6 +500,7 @@ The Symfony Connect username in parenthesis allows to get more information - Thomas Schulz (king2500) - Benjamin Morel - Bernd Stellwag + - Philippe SEGATORI (tigitz) - Frank de Jonge - Chris Tanaskoski - julien57 @@ -563,6 +564,7 @@ The Symfony Connect username in parenthesis allows to get more information - Gabor Toth (tgabi333) - realmfoo - Thomas Tourlourat (armetiz) + - Gasan Guseynov (gassan) - Andrey Esaulov (andremaha) - Grégoire Passault (gregwar) - Jerzy Zawadzki (jzawadzki) @@ -607,7 +609,6 @@ The Symfony Connect username in parenthesis allows to get more information - Tri Pham (phamuyentri) - marie - Erkhembayar Gantulga (erheme318) - - Philippe SEGATORI (tigitz) - Fractal Zombie - Gunnstein Lye (glye) - Thomas Talbot (ioni) @@ -620,6 +621,7 @@ The Symfony Connect username in parenthesis allows to get more information - Jérôme Tamarelle (jtamarelle-prismamedia) - Emil Masiakowski - Alexandre Parent + - Angelov Dejan (angelov) - DT Inier (gam6itko) - Matthew Lewinski (lewinski) - Magnus Nordlander (magnusnordlander) @@ -671,6 +673,7 @@ The Symfony Connect username in parenthesis allows to get more information - mondrake (mondrake) - Yaroslav Kiliba - “Filip + - FORT Pierre-Louis (plfort) - Simon Watiau (simonwatiau) - Ruben Jacobs (rubenj) - Arkadius Stefanski (arkadius) @@ -861,7 +864,6 @@ The Symfony Connect username in parenthesis allows to get more information - Arturs Vonda - Xavier Briand (xavierbriand) - Daniel Badura - - Angelov Dejan (angelov) - vagrant - Asier Illarramendi (doup) - AKeeman (akeeman) @@ -869,10 +871,10 @@ The Symfony Connect username in parenthesis allows to get more information - Restless-ET - Vlad Gregurco (vgregurco) - Boris Vujicic (boris.vujicic) + - Vladimir Tsykun (vtsykun) - Chris Sedlmayr (catchamonkey) - Kamil Kokot (pamil) - Seb Koelen - - FORT Pierre-Louis (plfort) - Christoph Mewes (xrstf) - Vitaliy Tverdokhlib (vitaliytv) - Ariel Ferrandini (aferrandini) 
@@ -984,7 +986,6 @@ The Symfony Connect username in parenthesis allows to get more information - Rodrigo Borrego Bernabé (rodrigobb) - John Bafford (jbafford) - Emanuele Iannone - - Gasan Guseynov (gassan) - Ondrej Machulda (ondram) - Denis Gorbachev (starfall) - Martin Morávek (keeo) @@ -1075,6 +1076,7 @@ The Symfony Connect username in parenthesis allows to get more information - Arnaud Frézet - Nicolas Martin (cocorambo) - luffy1727 + - Allison Guilhem (a_guilhem) - LHommet Nicolas (nicolaslh) - Sebastian Blum - Amirreza Shafaat (amirrezashafaat) @@ -1140,10 +1142,10 @@ The Symfony Connect username in parenthesis allows to get more information - Javier López (loalf) - tamar peled - Reinier Kip + - Robert Meijers - Geoffrey Brier (geoffrey-brier) - Sofien Naas - Christophe Meneses (c77men) - - Vladimir Tsykun - Andrei O - Dustin Dobervich (dustin10) - Alejandro Diaz Torres @@ -1603,6 +1605,7 @@ The Symfony Connect username in parenthesis allows to get more information - Patrick Dawkins (pjcdawkins) - Paul Kamer (pkamer) - Rafał Wrzeszcz (rafalwrzeszcz) + - Reyo Stallenberg (reyostallenberg) - Rémi Faivre (rfv) - Nguyen Xuan Quynh - Reen Lokum @@ -2007,7 +2010,6 @@ The Symfony Connect username in parenthesis allows to get more information - Chris Jones (leek) - neghmurken - stefan.r - - Allison Guilhem (a_guilhem) - xaav - Jean-Christophe Cuvelier [Artack] - Mahmoud Mostafa (mahmoud) @@ -2090,6 +2092,7 @@ The Symfony Connect username in parenthesis allows to get more information - Ole Rößner (basster) - Faton (notaf) - Tom Houdmont + - mark burdett - Per Sandström (per) - Goran Juric - Laurent G. (laurentg) @@ -2116,6 +2119,7 @@ The Symfony Connect username in parenthesis allows to get more information - Norbert Schultheisz - Maximilian Berghoff (electricmaxxx) - SOEDJEDE Felix (fsoedjede) + - otsch - Piotr Antosik (antek88) - Nacho Martin (nacmartin) - Sergey Novikov (s12v) 
@@ -2125,6 +2129,7 @@ The Symfony Connect username in parenthesis allows to get more information - MARYNICH Mikhail (mmarynich-ext) - Viktor Novikov (nowiko) - Paul Mitchum (paul-m) + - Phil E. Taylor (philetaylor) - Angel Koilov (po_taka) - Dan Finnie - Ken Marfilla (marfillaster) @@ -2140,6 +2145,7 @@ The Symfony Connect username in parenthesis allows to get more information - Martijn Evers - Benjamin Paap (benjaminpaap) - Christian + - ju1ius - Denis Golubovskiy (bukashk0zzz) - Serge (nfx) - Mikkel Paulson @@ -2288,6 +2294,7 @@ The Symfony Connect username in parenthesis allows to get more information - Jay Klehr - Sergey Yuferev - Monet Emilien + - voodooism - Tobias Stöckler - Mario Young - martkop26 @@ -2296,7 +2303,7 @@ The Symfony Connect username in parenthesis allows to get more information - cilefen (cilefen) - Mo Di (modi) - Pablo Schläpfer - - Robert Meijers + - Nikos Charalampidis - Xavier RENAUDIN - Christian Wahler (christian) - Jelte Steijaert (jelte) @@ -2413,6 +2420,7 @@ The Symfony Connect username in parenthesis allows to get more information - Ilya Biryukov (ibiryukov) - Roma (memphys) - Giorgio Premi + - Matthias Bilger - Krzysztof Pyrkosz - ncou - Ian Carroll @@ -2458,6 +2466,7 @@ The Symfony Connect username in parenthesis allows to get more information - Nicolas Eeckeloo (neeckeloo) - Andriy Prokopenko (sleepyboy) - Dariusz Ruminski + - Thomas Hanke - Daniel Tschinder - Arnaud CHASSEUX - Wojciech Gorczyca @@ -2469,6 +2478,7 @@ The Symfony Connect username in parenthesis allows to get more information - Mara Blaga - Rick Prent - skalpa + - Pierre Foresi - Pieter Jordaan - Tournoud (damientournoud) - Michael Dowling (mtdowling) @@ -2543,6 +2553,7 @@ The Symfony Connect username in parenthesis allows to get more information - Cédric Anne - LubenZA - Flavian Sierk + - Rik van der Heijden - Michael Bessolov - Zdeněk Drahoš - Dan Harper 
@@ -2621,7 +2632,6 @@ The Symfony Connect username in parenthesis allows to get more information - Jakub Janata (janatjak) - Jibé Barth (jibbarth) - Matthew Foster (mfoster) - - Reyo Stallenberg (reyostallenberg) - Paul Seiffert (seiffert) - Vasily Khayrulin (sirian) - Stas Soroka (stasyan) @@ -2685,6 +2695,7 @@ The Symfony Connect username in parenthesis allows to get more information - Radek Wionczek (rwionczek) - Nick Stemerdink - David Stone + - Vincent Bouzeran - Grayson Koonce - Wissame MEKHILEF - Romain Dorgueil @@ -2792,6 +2803,7 @@ The Symfony Connect username in parenthesis allows to get more information - Adam - Ivo - Sören Bernstein + - michael.kubovic - devel - taiiiraaa - gedrox @@ -2982,6 +2994,7 @@ The Symfony Connect username in parenthesis allows to get more information - Pablo Monterde Perez (plebs) - Jimmy Leger (redpanda) - Mokhtar Tlili (sf-djuba) + - Gregor Nathanael Meyer (spackmat) - Marcin Szepczynski (szepczynski) - Simone Di Maulo (toretto460) - Cyrille Jouineau (tuxosaurus) @@ -3100,6 +3113,7 @@ The Symfony Connect username in parenthesis allows to get more information - Alexis BOYER - Kaipi Yann - adam-mospan + - nerdgod - Sam Williams - Guillaume Aveline - Adrian Philipp @@ -3184,6 +3198,7 @@ The Symfony Connect username in parenthesis allows to get more information - Sam Anthony - Christian Stocker - Oussama Elgoumri + - Gert de Pagter - David Lima - Dawid Nowak - Lesnykh Ilia From 8ae97daf60c596f6723729d3d451c17e1752cbdb Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Tue, 24 Jan 2023 14:37:42 +0100 Subject: [PATCH 05/13] Update VERSION for 5.4.19 --- src/Symfony/Component/HttpKernel/Kernel.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index 8f12b88e81022..d354205eb14a8 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php 
@@ -78,12 +78,12 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl */ private static $freshCache = []; - public const VERSION = '5.4.19-DEV'; + public const VERSION = '5.4.19'; public const VERSION_ID = 50419; public const MAJOR_VERSION = 5; public const MINOR_VERSION = 4; public const RELEASE_VERSION = 19; - public const EXTRA_VERSION = 'DEV'; + public const EXTRA_VERSION = ''; public const END_OF_MAINTENANCE = '11/2024'; public const END_OF_LIFE = '11/2025'; From aa82db9b1ad07c553efe13b83ed757ead6c0487d Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Tue, 24 Jan 2023 14:41:59 +0100 Subject: [PATCH 06/13] Bump Symfony version to 5.4.20 --- src/Symfony/Component/HttpKernel/Kernel.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index d354205eb14a8..3126ebd31ab1f 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php @@ -78,12 +78,12 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl */ private static $freshCache = []; - public const VERSION = '5.4.19'; - public const VERSION_ID = 50419; + public const VERSION = '5.4.20-DEV'; + public const VERSION_ID = 50420; public const MAJOR_VERSION = 5; public const MINOR_VERSION = 4; - public const RELEASE_VERSION = 19; - public const EXTRA_VERSION = ''; + public const RELEASE_VERSION = 20; + public const EXTRA_VERSION = 'DEV'; public const END_OF_MAINTENANCE = '11/2024'; public const END_OF_LIFE = '11/2025'; From 1d8e65494b1c977b676071f0f36259e01e01e774 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Tue, 24 Jan 2023 16:21:34 +0100 Subject: [PATCH 07/13] Bump Symfony version to 6.0.20 --- src/Symfony/Component/HttpKernel/Kernel.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index a874adba56063..075bb8aa3c18e 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php @@ -78,12 +78,12 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl */ private static array $freshCache = []; - public const VERSION = '6.0.19'; - public const VERSION_ID = 60019; + public const VERSION = '6.0.20-DEV'; + public const VERSION_ID = 60020; public const MAJOR_VERSION = 6; public const MINOR_VERSION = 0; - public const RELEASE_VERSION = 19; - public const EXTRA_VERSION = ''; + public const RELEASE_VERSION = 20; + public const EXTRA_VERSION = 'DEV'; public const END_OF_MAINTENANCE = '01/2023'; public const END_OF_LIFE = '01/2023'; From 538d660c6aa02b0bbc020e3bee708c16171b96aa Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Wed, 25 Jan 2023 14:58:30 +0100 Subject: [PATCH 08/13] [Security/Http] Fix compat of persistent remember-me with legacy tokens --- .../RememberMe/PersistentRememberMeHandler.php | 2 -- .../Http/RememberMe/RememberMeDetails.php | 3 +++ .../PersistentRememberMeHandlerTest.php | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php index 75fd6b582a6a4..6e43dbf5feec7 100644 --- a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php +++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php 
@@ -34,7 +34,6 @@ final class PersistentRememberMeHandler extends AbstractRememberMeHandler { private $tokenProvider; private $tokenVerifier; - private $secret; public function __construct(TokenProviderInterface $tokenProvider, string $secret, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, LoggerInterface $logger = null, TokenVerifierInterface $tokenVerifier = null) { @@ -45,7 +44,6 @@ public function __construct(TokenProviderInterface $tokenProvider, string $secre } $this->tokenProvider = $tokenProvider; $this->tokenVerifier = $tokenVerifier; - $this->secret = $secret; } /** diff --git a/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php b/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php index fea0955ca80e1..6aa65ec4d2187 100644 --- a/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php +++ b/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php @@ -36,6 +36,9 @@ public function __construct(string $userFqcn, string $userIdentifier, int $expir public static function fromRawCookie(string $rawCookie): self { + if (!str_contains($rawCookie, self::COOKIE_DELIMITER)) { + $rawCookie = base64_decode($rawCookie); + } $cookieParts = explode(self::COOKIE_DELIMITER, $rawCookie, 4); if (4 !== \count($cookieParts)) { throw new AuthenticationException('The cookie contains invalid data.'); diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php index da4f26eaaf6d4..76472b1d5733c 100644 --- a/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php +++ b/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php 
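Review bot: In `RememberMeDetails::fromRawCookie()`, the fallback calls `base64_decode($rawCookie)` in non-strict mode on a client-supplied cookie, which silently discards characters outside the base64 alphabet instead of rejecting them. Rejection then rests entirely on the later `4 !== \count($cookieParts)` check. Decoding strictly and failing early is tighter: `$rawCookie = base64_decode($rawCookie, true);` followed by `if (false === $rawCookie) { throw new AuthenticationException('The cookie contains invalid data.'); }`. A one-line comment saying the branch accepts cookies in the legacy base64 form (as the commit subject indicates) would also help, since nothing in the method explains why two formats are parsed.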
@@ -156,4 +156,19 @@ public function testConsumeRememberMeCookieExpired() $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue')); } + + public function testBase64EncodedTokens() + { + $this->tokenProvider->expects($this->any()) + ->method('loadTokenBySeries') + ->with('series1') + ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTime('-10 min'))) + ; + + $this->tokenProvider->expects($this->once())->method('updateToken')->with('series1'); + + $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue'); + $rememberMeDetails = RememberMeDetails::fromRawCookie(base64_encode($rememberMeDetails->toString())); + $this->handler->consumeRememberMeCookie($rememberMeDetails); + } } From 3cb1d70f215f52ff281a4935eef01bf2775f6edd Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Wed, 25 Jan 2023 16:03:53 +0100 Subject: [PATCH 09/13] [HttpClient] Fix collecting data non-late for the profiler --- .../DataCollector/HttpClientDataCollector.php | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php b/src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php index cd065961b936e..edd9d1c201be7 100644 --- a/src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php +++ b/src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php 
@@ -38,22 +38,28 @@ public function registerClient(string $name, TraceableHttpClient $client) */ public function collect(Request $request, Response $response, \Throwable $exception = null) { + $this->lateCollect(); } public function lateCollect() { - $this->reset(); + $this->data['request_count'] = 0; + $this->data['error_count'] = 0; + $this->data += ['clients' => []]; foreach ($this->clients as $name => $client) { [$errorCount, $traces] = $this->collectOnClient($client); - $this->data['clients'][$name] = [ - 'traces' => $traces, - 'error_count' => $errorCount, + $this->data['clients'] += [ + $name => [ + 'traces' => [], + 'error_count' => 0, + ], ]; + $this->data['clients'][$name]['traces'] = array_merge($this->data['clients'][$name]['traces'], $traces); $this->data['request_count'] += \count($traces); - $this->data['error_count'] += $errorCount; + $this->data['error_count'] += $this->data['clients'][$name]['error_count'] += $errorCount; $client->reset(); } From 45d614df79856e57496f3d6ef926c07bcbe903a9 Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Thu, 26 Jan 2023 18:36:15 +0100 Subject: [PATCH 10/13] [DependencyInjection] Fix order of arguments when mixing positional and named ones --- .../Compiler/AutowirePass.php | 6 +++++- .../Compiler/ResolveBindingsPass.php | 16 ++++++++++++++- .../Tests/Compiler/AutowirePassTest.php | 15 ++++++++++++++ .../Compiler/ResolveBindingsPassTest.php | 20 +++++++++++++++++++ 4 files changed, 55 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/DependencyInjection/Compiler/AutowirePass.php b/src/Symfony/Component/DependencyInjection/Compiler/AutowirePass.php index c2b80770c880f..5418268756fe6 100644 --- a/src/Symfony/Component/DependencyInjection/Compiler/AutowirePass.php +++ b/src/Symfony/Component/DependencyInjection/Compiler/AutowirePass.php 
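Review bot: In `lateCollect()`, `request_count` is reset to 0 on every call and then incremented by `\count($traces)`, which holds only the traces gathered since the previous `$client->reset()`, whereas `error_count` is rebuilt from the per-client running total. Now that `collect()` also calls `lateCollect()`, a second call leaves `request_count` smaller than the number of traces stored under `clients`. Counting the accumulated list keeps both totals consistent: `$this->data['request_count'] += \count($this->data['clients'][$name]['traces']);`. The chained `+=` on the `error_count` line would also read more clearly as two statements. `lateCollect()` ends outside the hunk.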
@@ -240,6 +240,10 @@ private function autowireMethod(\ReflectionFunctionAbstract $reflectionMethod, a foreach ($parameters as $index => $parameter) { $this->defaultArgument->names[$index] = $parameter->name; + if (\array_key_exists($parameter->name, $arguments)) { + $arguments[$index] = $arguments[$parameter->name]; + unset($arguments[$parameter->name]); + } if (\array_key_exists($index, $arguments) && '' !== $arguments[$index]) { continue; } @@ -341,7 +345,7 @@ private function autowireMethod(\ReflectionFunctionAbstract $reflectionMethod, a // it's possible index 1 was set, then index 0, then 2, etc // make sure that we re-order so they're injected as expected - ksort($arguments); + ksort($arguments, \SORT_NATURAL); return $arguments; } diff --git a/src/Symfony/Component/DependencyInjection/Compiler/ResolveBindingsPass.php b/src/Symfony/Component/DependencyInjection/Compiler/ResolveBindingsPass.php index 5bc379153a19e..5f0d93711af24 100644 --- a/src/Symfony/Component/DependencyInjection/Compiler/ResolveBindingsPass.php +++ b/src/Symfony/Component/DependencyInjection/Compiler/ResolveBindingsPass.php @@ -177,10 +177,17 @@ protected function processValue($value, bool $isRoot = false) } } + $names = []; + foreach ($reflectionMethod->getParameters() as $key => $parameter) { + $names[$key] = $parameter->name; + if (\array_key_exists($key, $arguments) && '' !== $arguments[$key]) { continue; } + if (\array_key_exists($parameter->name, $arguments) && '' !== $arguments[$parameter->name]) { + continue; + } $typeHint = ProxyHelper::getTypeHint($reflectionMethod, $parameter); $name = Target::parseName($parameter); 
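Review bot: In the `foreach ($parameters as $index => $parameter)` loop of `autowireMethod()`, the new block assigns `$arguments[$parameter->name]` to `$arguments[$index]` without checking whether that index is already set, so a definition that supplies the same parameter both by position and by name has its positional value replaced silently. If that precedence is intended, a comment on the block would make it explicit, for example `// a named argument takes precedence over a positional one for the same parameter`. If it is not intended, the block should check `\array_key_exists($index, $arguments)` first and report the conflict. `autowireMethod()` starts and ends outside the hunk.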
@@ -210,8 +217,15 @@ protected function processValue($value, bool $isRoot = false) } } + foreach ($names as $key => $name) { + if (\array_key_exists($name, $arguments) && (0 === $key || \array_key_exists($key - 1, $arguments))) { + $arguments[$key] = $arguments[$name]; + unset($arguments[$name]); + } + } + if ($arguments !== $call[1]) { - ksort($arguments); + ksort($arguments, \SORT_NATURAL); $calls[$i][1] = $arguments; } } diff --git a/src/Symfony/Component/DependencyInjection/Tests/Compiler/AutowirePassTest.php b/src/Symfony/Component/DependencyInjection/Tests/Compiler/AutowirePassTest.php index bdac6781072d6..6dcc9d220efde 100644 --- a/src/Symfony/Component/DependencyInjection/Tests/Compiler/AutowirePassTest.php +++ b/src/Symfony/Component/DependencyInjection/Tests/Compiler/AutowirePassTest.php @@ -1204,4 +1204,19 @@ public function testDecorationWithServiceAndAliasedInterface() static::assertInstanceOf(DecoratedDecorator::class, $container->get(DecoratorInterface::class)); static::assertInstanceOf(DecoratedDecorator::class, $container->get(DecoratorImpl::class)); } + + public function testAutowireWithNamedArgs() + { + $container = new ContainerBuilder(); + + $container->register('foo', MultipleArgumentsOptionalScalar::class) + ->setArguments(['foo' => 'abc']) + ->setAutowired(true) + ->setPublic(true); + $container->register(A::class, A::class); + + (new AutowirePass())->process($container); + + $this->assertEquals([new TypedReference(A::class, A::class), 'abc'], $container->getDefinition('foo')->getArguments()); + } } diff --git a/src/Symfony/Component/DependencyInjection/Tests/Compiler/ResolveBindingsPassTest.php b/src/Symfony/Component/DependencyInjection/Tests/Compiler/ResolveBindingsPassTest.php index fc48bf0723312..600c8e036c4cd 100644 --- a/src/Symfony/Component/DependencyInjection/Tests/Compiler/ResolveBindingsPassTest.php +++ b/src/Symfony/Component/DependencyInjection/Tests/Compiler/ResolveBindingsPassTest.php 
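Review bot: The condition `0 === $key || \array_key_exists($key - 1, $arguments)` in the new `foreach ($names as $key => $name)` loop is unexplained, and its effect depends on iteration order: a named argument is moved to its index only when the preceding index is already present, otherwise it stays keyed by name. A short comment would help, for example `// only convert a named argument to its position when no gap would be left before it`. `testBindWithNamedArgs()` appears to cover only the case where every parameter ends up filled, so a case with an earlier parameter left unset would document the other branch. `processValue()` begins and ends outside the hunk.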
@@ -249,4 +249,24 @@ public function testBindWithTarget() $this->assertSame('bar', (string) $container->getDefinition('with_target')->getArgument(0)); } + + public function testBindWithNamedArgs() + { + $container = new ContainerBuilder(); + + $bindings = [ + '$apiKey' => new BoundArgument('K'), + ]; + + $definition = $container->register(NamedArgumentsDummy::class, NamedArgumentsDummy::class); + $definition->setArguments(['c' => 'C', 'hostName' => 'H']); + $definition->setBindings($bindings); + + $container->register('foo', CaseSensitiveClass::class); + + $pass = new ResolveBindingsPass(); + $pass->process($container); + + $this->assertEquals(['C', 'K', 'H'], $definition->getArguments()); + } } From f694aa82c20348cda857be29c1427abc446ed1d2 Mon Sep 17 00:00:00 2001 From: Tristan Kretzer Date: Fri, 27 Jan 2023 23:00:03 +0100 Subject: [PATCH 11/13] [HttpFoundation] Fix bad return type in IpUtils::checkIp4() --- .../Component/HttpFoundation/IpUtils.php | 2 +- .../HttpFoundation/Tests/IpUtilsTest.php | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/Symfony/Component/HttpFoundation/IpUtils.php b/src/Symfony/Component/HttpFoundation/IpUtils.php index 9a1afa7bf498a..2f31284e36c69 100644 --- a/src/Symfony/Component/HttpFoundation/IpUtils.php +++ b/src/Symfony/Component/HttpFoundation/IpUtils.php @@ -86,7 +86,7 @@ public static function checkIp4(?string $requestIp, string $ip) [$address, $netmask] = explode('/', $ip, 2); if ('0' === $netmask) { - return self::$checkedIps[$cacheKey] = filter_var($address, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV4); + return self::$checkedIps[$cacheKey] = false !== filter_var($address, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV4); } if ($netmask < 0 || $netmask > 32) { diff --git a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php index d6d3728db1401..33d67303a831d 100644 --- a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php 
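Review bot: The `/0` branch of `IpUtils::checkIp4()` decides its result only from whether `$address` is a syntactically valid IPv4 address, and nothing at that line says that such a range matches every client. Because this helper is presumably used for allow-list style checks, a comment on the branch would make the consequence visible to whoever configures ranges: `// a /0 mask matches any IPv4 address; only the range's address syntax is validated here`. The method starts and ends outside the hunk, so whether `$requestIp` is validated before this point cannot be seen from here.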
+++ b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php @@ -164,4 +164,21 @@ public function anonymizedIpData() ['::123.234.235.236', '::123.234.235.0'], // deprecated IPv4-compatible IPv6 address ]; } + + /** + * @dataProvider getIp4SubnetMaskZeroData + */ + public function testIp4SubnetMaskZero($matches, $remoteAddr, $cidr) + { + $this->assertSame($matches, IpUtils::checkIp4($remoteAddr, $cidr)); + } + + public function getIp4SubnetMaskZeroData() + { + return [ + [true, '1.2.3.4', '0.0.0.0/0'], + [true, '1.2.3.4', '192.168.1.0/0'], + [false, '1.2.3.4', '256.256.256/0'], // invalid CIDR notation + ]; + } } From f9adfa3dd07113fbf9c3e4e927ecb2b53fe51e24 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Wed, 1 Feb 2023 09:22:51 +0100 Subject: [PATCH 12/13] Update CHANGELOG for 6.0.20 --- CHANGELOG-6.0.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG-6.0.md b/CHANGELOG-6.0.md index 07005e3077334..35d40eb9f92e3 100644 --- a/CHANGELOG-6.0.md +++ b/CHANGELOG-6.0.md 
@@ -7,6 +7,15 @@ in 6.0 minor versions. To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v6.0.0...v6.0.1 +* 6.0.20 (2023-02-01) + + * bug #49141 [HttpFoundation] Fix bad return type in IpUtils::checkIp4() (tristankretzer) + * bug #49126 [DependencyInjection] Fix order of arguments when mixing positional and named ones (nicolas-grekas) + * bug #49104 [HttpClient] Fix collecting data non-late for the profiler (nicolas-grekas) + * bug #49103 [Security/Http] Fix compat of persistent remember-me with legacy tokens (nicolas-grekas) + * security #cve-2022-24895 [Security/Http] Remove CSRF tokens from storage on successful login (nicolas-grekas) + * security #cve-2022-24894 [HttpKernel] Remove private headers before storing responses with HttpCache (nicolas-grekas) + * 6.0.19 (2023-01-24) * bug #49078 [Security/Http] Check tokens before loading users from providers (nicolas-grekas) From f536d8cd1c1636ef1538a703709c9e0b5269717e Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Wed, 1 Feb 2023 09:22:55 +0100 Subject: [PATCH 13/13] Update VERSION for 6.0.20 --- src/Symfony/Component/HttpKernel/Kernel.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index 075bb8aa3c18e..9383fc1f22e79 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php 
@@ -78,12 +78,12 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl */ private static array $freshCache = []; - public const VERSION = '6.0.20-DEV'; + public const VERSION = '6.0.20'; public const VERSION_ID = 60020; public const MAJOR_VERSION = 6; public const MINOR_VERSION = 0; public const RELEASE_VERSION = 20; - public const EXTRA_VERSION = 'DEV'; + public const EXTRA_VERSION = ''; public const END_OF_MAINTENANCE = '01/2023'; public const END_OF_LIFE = '01/2023';