
[HttpFoundation] Allow set samesite cookie flag to 'None' value #31474


Closed
wants to merge 4,863 commits into from

Conversation

markitosgv
Contributor

@markitosgv markitosgv commented May 10, 2019

Allow set samesite cookie flag to 'None' value

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31467
| License       | MIT

Google is introducing a new Chrome policy that marks every cookie without a samesite flag set as 'Strict' by default. If you want to allow third-party cookies, you must set the samesite flag to None.

This PR fixes #31467, allowing the samesite cookie flag to be set to None.
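To show what this change enables, and the check a deployer wants next to it, here is an added example; it is not code from this PR or from Symfony itself. It builds a cross-site cookie with SameSite=None together with Secure, keeps a first-party cookie on the stricter setting, and guards against emitting SameSite=None without Secure, since browsers that apply the new default reject such a cookie and the third-party use case then breaks silently. It assumes symfony/http-foundation is installed through Composer and, as this PR proposes, that the Cookie constructor accepts 'none' for its $sameSite argument; the cookie names, values and domain are constructed samples, and assertSameSiteNoneIsSecure() is a helper written for this example.

```php
<?php
// Added example, not part of PR #31474 or of Symfony's own code base.
// Assumes symfony/http-foundation is installed via Composer and that the
// Cookie constructor accepts 'none' as the $sameSite value (what this PR adds).

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Response;

/**
 * Helper written for this example: refuse to send a SameSite=None cookie
 * that is not also Secure. Browsers enforcing the new default drop such a
 * cookie, so the cross-site scenario it was meant for would fail quietly.
 */
function assertSameSiteNoneIsSecure(Cookie $cookie): void
{
    if ('none' === strtolower((string) $cookie->getSameSite()) && !$cookie->isSecure()) {
        throw new \LogicException(sprintf(
            'Cookie "%s" uses SameSite=None but is not Secure; browsers will reject it.',
            $cookie->getName()
        ));
    }
}

// A cookie that must travel in cross-site (third-party) requests: SameSite=None
// is only honoured over HTTPS, so Secure is set explicitly alongside it.
$crossSite = new Cookie(
    'embed_session',        // name (constructed sample)
    'opaque-session-id',    // value (constructed sample)
    time() + 3600,          // expires in one hour
    '/',                    // path
    'example.com',          // domain (placeholder)
    true,                   // secure
    true,                   // httpOnly
    false,                  // raw
    'none'                  // sameSite: the value this PR allows
);
assertSameSiteNoneIsSecure($crossSite);

// A first-party cookie keeps the stricter setting; nothing changes for it.
$firstParty = new Cookie('csrf_token', 'constructed-token', 0, '/', null, true, true, false, 'strict');
assertSameSiteNoneIsSecure($firstParty);

$response = new Response();
$response->headers->setCookie($crossSite);
$response->headers->setCookie($firstParty);

// Each Cookie renders as the Set-Cookie header value the client will receive,
// including the "samesite=" attribute, so the result can be inspected directly.
foreach ($response->headers->getCookies() as $cookie) {
    echo $cookie, "\n";
}
```

The guard runs before the cookie reaches the response headers rather than after, so a misconfigured cookie is caught in the code path that created it instead of in a browser console weeks later; the same check can sit in a response listener if cookies are produced in many places.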

Amrouche Hamza and others added 30 commits April 17, 2019 08:10
…ribute failed to denormalize when possible
* 3.4:
  Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)"
  [FrameworkBundle] minor: remove a typo from changelog
  [VarDumper][Ldap] relax some locally failing tests
  [Validator] #30192 Added the missing translations for the Tagalog ("tl") locale.
  Make MimeTypeExtensionGuesser case insensitive
This PR was merged into the 4.2 branch.

Discussion
----------

[VarDumper] fix tests with ICU 64.1

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Commits
-------

474a756 [VarDumper] fix tests with ICU 64.1
…ty (yceruto)

This PR was merged into the 4.2 branch.

Discussion
----------

[HttpKernel] Fix get session when the request stack is empty

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT

This bug happens behind an exception on a kernel response event, when one collector (e.g. `RequestDataCollector`) is trying to get the request session and the request stack is currently empty.

**Reproducer**
https://github.com/yceruto/get-session-bug (`GET /`)

See logs on terminal:
```bash
Apr 15 20:29:03 |ERROR| PHP    2019-04-15T20:29:03-04:00 Call to a member function isSecure() on null
Apr 15 20:29:03 |ERROR| PHP    PHP Fatal error:  Uncaught Symfony\Component\Debug\Exception\FatalThrowableError: Call to a member function isSecure() on null in /home/yceruto/demos/getsession/vendor/symfony/http-kernel/EventListener/SessionListener.php:43
Apr 15 20:29:03 |DEBUG| PHP    Stack trace:
Apr 15 20:29:03 |DEBUG| PHP    #0 /home/yceruto/demos/getsession/vendor/symfony/http-kernel/EventListener/AbstractSessionListener.php(59): Symfony\Component\HttpKernel\EventListener\SessionListener->getSession()
Apr 15 20:29:03 |DEBUG| PHP    #1 /home/yceruto/demos/getsession/vendor/symfony/http-foundation/Request.php(707): Symfony\Component\HttpKernel\EventListener\AbstractSessionListener->Symfony\Component\HttpKernel\EventListener\{closure}()
Apr 15 20:29:03 |DEBUG| PHP    #2 /home/yceruto/demos/getsession/vendor/symfony/http-kernel/DataCollector/RequestDataCollector.php(65): Symfony\Component\HttpFoundation\Request->getSession()
Apr 15 20:29:03 |DEBUG| PHP    #3 /home/yceruto/demos/getsession/vendor/symfony/http-kernel/Profiler/Profiler.php(167): Symfony\Component\HttpKernel\DataCollector\RequestDataCollector->collect(Object(Symfony\Component\HttpFoundation\Request), Object(Symfony\Component\HttpFoundation\Respo in /home/yceruto/demos/getsession/vendor/symfony/http-kernel/EventListener/SessionListener.php on line 43
```

Friendly ping @nicolas-grekas as author of the previous PR #28244

Commits
-------

d62ca37 Fix get session when the request stack is empty
…or with LegacyTranslatorProxy (nicolas-grekas)

This PR was merged into the 4.2 branch.

Discussion
----------

[FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31092, #31025
| License       | MIT
| Doc PR        | -

This allows defining a translator that implements only the new interface and using it with ValidatorBuilder.

ping @dvdknaap, @snebes since you were affected.

Commits
-------

a12656e [FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy
…railing vars (nicolas-grekas)

This PR was merged into the 4.2 branch.

Discussion
----------

[Routing] fix trailing slash redirection with non-greedy trailing vars

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #30863, #31066
| License       | MIT
| Doc PR        | -

Fixes redirecting `/123/` to `/123` when the route is defined as `/{foo<\d+>}`

Commits
-------

d88833d [Routing] fix trailing slash redirection with non-greedy trailing vars
* 4.2:
  Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)"
  [FrameworkBundle] minor: remove a typo from changelog
  [VarDumper] fix tests with ICU 64.1
  [VarDumper][Ldap] relax some locally failing tests
  [Validator] #30192 Added the missing translations for the Tagalog ("tl") locale.
  Make MimeTypeExtensionGuesser case insensitive
  Fix get session when the request stack is empty
  [Routing] fix trailing slash redirection with non-greedy trailing vars
  [FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy
…ly (xabbuh)

This PR was merged into the 4.2 branch.

Discussion
----------

[FrameworkBundle] call method with Translator component only

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31152
| License       | MIT
| Doc PR        |

Commits
-------

f49881d call method with Translator component only
…PHP 7.4 (nicolas-grekas)

This PR was merged into the 4.3-dev branch.

Discussion
----------

[VarDumper] add caster for WeakReference instances of PHP 7.4

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

![image](https://user-images.githubusercontent.com/243674/56214443-2d9d8100-605e-11e9-86bb-157a07b5caa0.png)

Commits
-------

0cdb808 [VarDumper] add caster for WeakReference instances of PHP 7.4
This PR was merged into the 4.2 branch.

Discussion
----------

[Validator] fix LegacyTranslatorProxy

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31161
| License       | MIT
| Doc PR        | -

Commits
-------

b1f3284 [Validator] fix LegacyTranslatorProxy
…s-grekas)

This PR was merged into the 4.2 branch.

Discussion
----------

[Routing] fix matching trailing vars with defaults

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31158
| License       | MIT
| Doc PR        | -

Commits
-------

177dfbc [Routing] fix matching trailing vars with defaults
This PR was merged into the 4.3-dev branch.

Discussion
----------

[Security] Add NativePasswordEncoder

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

This PR adds a new `NativePasswordEncoder` that defaults to the best hashing algo available to `password_hash()`. Best is determined by "us" or "php", the goal being that this will change in the future as new algos are published.

This provides a native encoder that we should recommend using by default.

Commits
-------

28f7961 [Security] Add NativePasswordEncoder
An undefined SYMFONY_DEPRECATION_HELPER environment variable translates
to false, and that was previously interpreted as 0, which means strict
mode.
This restores backwards compatibility with the previous behavior, which
got broken in 1c73f9c .
This PR was merged into the 4.3-dev branch.

Discussion
----------

Treat undefined env var as strict mode

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

An undefined SYMFONY_DEPRECATION_HELPER environment variable translates
to false, and that was previously interpreted as 0, which means strict
mode.
This restores backwards compatibility with the previous behavior, which
got broken in 1c73f9c .

Commits
-------

6c3c199 Treat undefined env var as strict mode
… NativePasswordEncoder (nicolas-grekas)

This PR was merged into the 4.3-dev branch.

Discussion
----------

[Security] deprecate BCryptPasswordEncoder in favor of NativePasswordEncoder

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | yes
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Follow up of #31140

Commits
-------

e197398 [Security] deprecate BCryptPasswordEncoder in favor of NativePasswordEncoder
* 3.4:
  [HttpFoundation] fix tests
  bumped Symfony version to 3.4.27
  updated VERSION for 3.4.26
  updated CHANGELOG for 3.4.26
…trailing vars (nicolas-grekas)

This PR was merged into the 4.2 branch.

Discussion
----------

[Routing] fix trailing slash matching with empty-matching trailing vars

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Reported by @bmack in #31107 (comment)

This highlights a small inconsistency that exists for a long time (checked on 2.7 at least):
`new Route('/en-en/{b}', ['b' => 'bbb'], ['b' => '.*'])` matches `/en-en/`
`new Route('/en-en/{b}', ['b' => 'bbb'], ['b' => '.+'])` doesn't match it
(while both match `/en-en` and `/en-en/foo`)

This PR ensures the former behavior is preserved, while #31167 redirects the latter to `/en-en`.

Commits
-------

d6da21a [Routing] fix trailing slash matching with empty-matching trailing vars
* 4.2:
  [HttpFoundation] fix tests
  [Routing] fix trailing slash matching with empty-matching trailing vars
  [Routing] fix matching trailing vars with defaults
  [Validator] fix LegacyTranslatorProxy
  call method with Translator component only
  bumped Symfony version to 4.2.8
  updated VERSION for 4.2.7
  updated CHANGELOG for 4.2.7
  bumped Symfony version to 3.4.27
  updated VERSION for 3.4.26
  updated CHANGELOG for 3.4.26
…ulnet)

This PR was merged into the 4.2 branch.

Discussion
----------

[FrameworkBundle] fix math depth handler configuration

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | no "fix deprecated"
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #30998
| License       | MIT
| Doc PR        |

fix serializer configuration max_deep_handler

Commits
-------

fb9fc80 fix math depth handler
nicolas-grekas and others added 21 commits May 9, 2019 11:06
…ceruto)

This PR was merged into the 4.2 branch.

Discussion
----------

[Routing] Fixed unexpected 404 NoConfigurationException

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31199
| License       | MIT

This is the patch for 4.2+
We need a different patch for 3.4 that is more complex, I think.

Commits
-------

aa71a42 [Routing] Fixed unexpected 404 NoConfigurationException
* 3.4:
  [DI] Removes number of elements information in debug mode
  Update PR template for 4.3
  [Intl] Add FallbackTrait for data generation
  [Console] Commands with an alias should not be recognized as ambiguous
  clarify the possible class/interface of the cache
* 4.2:
  [Routing] Fixed unexpected 404 NoConfigurationException
  [DI] Removes number of elements information in debug mode
  [Contracts] Simplify implementation declarations
  Update PR template for 4.3
  [Intl] Add FallbackTrait for data generation
  [Console] Commands with an alias should not be recognized as ambiguous
  clarify the possible class/interface of the cache
* 4.3:
  [Routing] Fixed unexpected 404 NoConfigurationException
  [DI] Removes number of elements information in debug mode
  [Contracts] Simplify implementation declarations
  Update PR template for 4.3
  [Intl] Add FallbackTrait for data generation
  [Console] Commands with an alias should not be recognized as ambiguous
  clarify the possible class/interface of the cache
…h handlers transport (weaverryan)

This PR was merged into the 4.3 branch.

Discussion
----------

[Messenger] Simplifying SyncTransport and fixing bug with handlers transport

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | none
| License       | MIT
| Doc PR        | not needed

This is still a WIP, because it's not quite working and tests are a TODO. However, the basic idea is there. This makes SyncTransport less "weird". It acts more like a real transport... except that it "receives" and re-dispatches its message immediately.

The bug I'm trying to fix is related to the transport-based handling config that @sroze introduced. It doesn't currently play nice with the sync transport due to the unnatural way that I made it originally.

Cheers!

Commits
-------

8a49eb8 Simplifying SyncTransport and fixing bug with handlers transport
This PR was merged into the 4.3 branch.

Discussion
----------

[Doctrine\Bridge] fix tests

| Q             | A
| ------------- | ---
| Branch?       | 4.3
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Once merged, one issue will remain, which will be fixed by doctrine/dbal#3543

Commits
-------

10da231 [Doctrine\Bridge] fix tests
This PR was merged into the 4.3 branch.

Discussion
----------

[Intl] Revise timezone name generation

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no     <!-- see https://symfony.com/bc -->
| Deprecations? | no
| Tests pass?   | yes (including intl-data group)
| Fixed tickets | #...   <!-- #-prefixed issue number(s), if any -->
| License       | MIT
| Doc PR        | symfony/symfony-docs#... <!-- required for new features -->

This is the final polishing needed for #31294 :)

I've realized it's much easier to de-duplicate by processing fallback locales separately, and then only keep the diff compared to a specific locale. More or less the same approach `LocaleDataGenerator` already follows. I was trying to be clever and filter based on inheritance in a single process; bad idea.

Includes https://github.com/ro0NL/symfony/commit/31591d0 (ref #31432)

Commits
-------

bfdb4ed [Intl] Revise timezone name generation
This PR was merged into the 4.3 branch.

Discussion
----------

[DomCrawler] fix HTML5 parser integration

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Spotted while reviewing #30892
The current logic is context-dependent: by changing the order of calls, you can get different behaviors.

Commits
-------

ba83bda [DomCrawler] fix HTML5 parser integration
* 4.3:
  [Doctrine\Bridge] fix tests
  [Intl] Revise timezone name generation
  Simplifying SyncTransport and fixing bug with handlers transport
  [DomCrawler] fix HTML5 parser integration
This PR was submitted for the master branch but it was merged into the 4.2 branch instead (closes #31453).

Discussion
----------

Fix typo: depreciation -> deprecation

Commits
-------

11ed098 Fix typo: depreciation -> deprecation
* 3.4:
  [Form] Restore default locale during tests
* 4.2:
  Fix typo: depreciation -> deprecation
  [Form] Restore default locale during tests
* 4.3:
  Fix typo: depreciation -> deprecation
  [Form] Restore default locale during tests
This PR was merged into the 4.2 branch.

Discussion
----------

Remove deprecated usage of some Twig features

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Bug fix?      | yes
| New feature?  | no <!-- please update src/**/CHANGELOG.md files -->
| BC breaks?    | no     <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass?   | yes    <!-- please add some, will be required by reviewers -->
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.

Additionally (see https://symfony.com/roadmap):
 - Bug fixes must be submitted against the lowest maintained branch where they apply
   (lowest branches are regularly merged to upper ones so they get the fixes too).
 - Features and deprecations must be submitted against the master branch.
-->

Commits
-------

74afcd6 removed deprecated usage of some Twig features
* 4.2:
  removed deprecated usage of some Twig features
* 4.3:
  removed deprecated usage of some Twig features
Allow set samesite cookie flag to 'None' value