Update dependency symfony/symfony to v2.8.52 [SECURITY]

[shokohsc]

This PR contains the following updates:

Package	Type	Update	Change
symfony/symfony (source)	require	patch	2.8.8 -> 2.8.52

GitHub Vulnerability Alerts

CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

CVE-2019-10913

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

CVE-2019-18888

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

CVE-2019-10912

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

CVE-2019-10911

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.

CVE-2019-18887

When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

---

Release Notes

symfony/symfony

v2.8.52

Compare Source

Changelog (since symfony/symfony@v2.8.51...v2.8.52)

• security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (@​nicolas-grekas)
• security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (@​stof)

[PR]https://github.com/symfony/symfony/pull/343499
[SECURITY] Security release

v2.8.51

Compare Source

v2.8.50

Compare Source

Changelog (since symfony/symfony@v2.8.49...v2.8.50)

• security #cve-2019-10910 [DI] Check service IDs are valid (@​nicolas-grekas)
• security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (@​stof)
• security #cve-2019-10912 [PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (@​nicolas-grekas)
• security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (@​pborreli)
• security #cve-2019-10913 [HttpFoundation] reject invalid method override (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/311455
[SECURITY] Security release

v2.8.49

Compare Source

Changelog (since symfony/symfony@v2.8.48...v2.8.49)

• security #cve-2018-19790 [Security\Http] detect bad redirect targets using backslashes (@​xabbuh)
• security #cve-2018-19789 [Form] Filter file uploads out of regular form types (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/294877
[SECURITY] Security release

v2.8.48

Compare Source

Changelog (since symfony/symfony@v2.8.47...v2.8.48)

• bug #​28917 [DoctrineBridge] catch errors while converting to db values in data collector (@​alekitto)
• bug #​27314 [DoctrineBridge] fix case sensitivity issue in RememberMe\DoctrineTokenProvider (@​PF4Public)
• bug #​29308 [Translation] Use XLIFF source rather than resname when there's no target (@​thewilkybarkid)
• bug #​26244 [BrowserKit] fixed BC Break for HTTP_HOST header (@​brizzz)
• bug #​28147 [DomCrawler] exclude fields inside "template" tags (@​Gorjunov)
• bug #​29271 [HttpFoundation] Fix trailing space for mime-type with parameters (@​Sascha Dens)
• bug #​29223 [Validator] Added the missing constraints instance checks (@​thomasbisignani)
• bug #​29182 [Form] Fixed empty data for compound date types (@​HeahDude)
• bug #​29185 [Form] Fixed keeping hash of equal \DateTimeInterface on submit (@​HeahDude)
• bug #​28731 [Form] invalidate forms on transformation failures (@​xabbuh)
• bug #​29152 [Config] Unset key during normalization (@​ro0NL)
• bug #​29057 [HttpFoundation] replace any preexisting Content-Type headers (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/293333

v2.8.47

Compare Source

Changelog (since symfony/symfony@v2.8.46...v2.8.47)

• bug #​29020 Fix ini_get() for boolean values (@​deguif)
• bug #​28861 [DependencyInjection] Skip empty proxy code (@​olvlvl)
• bug #​28801 Convert InsufficientAuthenticationException to HttpException with 401 status code (@​vincentchalamon)
• bug #​28840 add missing double-quotes to extra_fields output message (@​danielkay)
• bug #​28712 [Form] reverse transform RFC 3339 formatted dates (@​xabbuh)
• bug #​28813 Fix for race condition in console output stream write (@​rudolfratusinski)
• bug #​27772 [Console] Fixes multiselect choice question defaults in non-interactive mode (@​veewee)
• bug #​28689 [Process] fix locking of pipe files on Windows (@​nicolas-grekas)
• bug #​28704 [Form] fix multi-digit seconds fraction handling (@​xabbuh)
• bug #​28648 [PHPUnitBridge] Fix ClockMock microtime() format (@​acasademont)

[PR]https://github.com/symfony/symfony/pull/290699

v2.8.46

Compare Source

Changelog (since symfony/symfony@v2.8.45...v2.8.46)

• bug #​28376 [TwigBundle] Fixed caching of templates in src/Resources//views on cache warmup (@​yceruto)
• bug #​28565 [HttpFoundation][Security] forward locale and format to subrequests (@​nicolas-grekas)
• bug #​28545 [Console] Send the right exit code to console.terminate listeners (@​mpdude)
• bug #​28466 [Form] fail reverse transforming invalid RFC 3339 dates (@​xabbuh)
• bug #​28540 [Intl] parse numbers terminated with decimal separator (@​xabbuh)
• bug #​28548 [Console] Fixed boxed table style with colspan (@​ro0NL)
• bug #​28433 [HttpFoundation] Allow reuse of Session between requests if ID did not change (@​tgalopin)
• bug #​28508 [Form] forward false label option to nested types (@​xabbuh)
• bug #​28464 [Form] forward the invalid_message option in date types (@​xabbuh)
• bug #​28499 [Ldap] Use shut up operator on connection errors at ldap_start_tls (@​Andras Debreczeni)
• bug #​28372 [Form] Fix DateTimeType html5 input format (@​franzwilding, @​mcfedr)
• bug #​28396 [Intl] Blacklist Eurozone and United Nations in Region Data Generator (@​gregurco)
• bug #​28393 [Console] fixed corrupt error output for unknown multibyte short option (@​downace)
• bug #​28401 [Console] Fix SymfonyQuestionHelper::askQuestion() with choice value as default (@​chalasr)
• bug #​28377 fix fopen flags (@​SpacePossum)
• bug #​27970 [FileValidator] Format file size in validation message according to binaryFormat option (@​jfredon)
• bug #​28029 [TwigBundle] remove cache warmers when Twig cache is disabled (@​xabbuh)
• bug #​28344 [HttpKernel][FrameworkBundle] Fix escaping of serialized payloads passed to test clients (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/286400

v2.8.45

Compare Source

Changelog (since symfony/symfony@v2.8.44...v2.8.45)

• bug #​28278 [HttpFoundation] Fix unprepared BinaryFileResponse sends empty file (@​wackymole)
• bug #​28241 [HttpKernel] fix forwarding trusted headers as server parameters (@​nicolas-grekas)
• bug #​28220 [PropertyAccess] fix type error handling when writing values (@​xabbuh)
• bug #​28100 [Security] Call AccessListener after LogoutListener (@​chalasr)
• bug #​28144 [HttpFoundation] fix false-positive ConflictingHeadersException (@​nicolas-grekas)
• bug #​28055 [PropertyInfo] Allow nested collections (@​jderusse)
• bug #​28083 Remove the Expires header when calling Response::expire() (@​javiereguiluz)

[PR]https://github.com/symfony/symfony/pull/282866

v2.8.44

Compare Source

Changelog (since symfony/symfony@v2.8.43...v2.8.44)

• security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@​nicolas-grekas)
• security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@​nicolas-grekas)
• bug #​28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet (@​netiul)
• bug #​28045 [HttpFoundation] Fix Cookie::isCleared (@​ro0NL)
• bug #​28080 [HttpFoundation] fixed using _method parameter with invalid type (@​Phobetor)

[PR]https://github.com/symfony/symfony/pull/281011
[SECURITY] Security release

v2.8.43

Compare Source

Changelog (since symfony/symfony@v2.8.42...v2.8.43)

• bug #​28005 [HttpKernel] Fixed templateExists on parse error of the template name (@​yceruto)
• bug #​27997 Serbo-Croatian has Serbian plural rule (@​kylekatarnls)
• bug #​27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (@​jmsche)
• bug #​27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (@​rubencm)
• bug #​27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (@​webnet-fr)
• bug #​27904 [Filesystem] fix lock file permissions (@​fritzmg)
• bug #​27758 [WebProfilerBundle] Prevent toolbar links color override by css (@​alcalyn)
• bug #​27831 Check for Hyper terminal on all operating systems. (@​azjezz)
• bug #​27794 Add color support for Hyper terminal . (@​azjezz)
• bug #​27809 [HttpFoundation] Fix tests: new message for status 425 (@​dunglas)
• bug #​27716 [DI] fix dumping deprecated service in yaml (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/280311

v2.8.42

Compare Source

Changelog (since symfony/symfony@v2.8.41...v2.8.42)

• bug #​27669 [Filesystem] fix file lock on SunOS (@​fritzmg)
• bug #​27309 Fix surrogate not using original request (@​Toflar)
• bug #​27630 [Validator][Form] Remove BOM in some xlf files (@​gautierderuette)
• bug #​27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (@​nicolas-grekas)
• bug #​27581 Fix bad method call with guard authentication + session migration (@​weaverryan)
• bug #​27452 Avoid migration on stateless firewalls (@​weaverryan)
• bug #​27514 [Debug] Pass previous exception to FatalErrorException (@​pmontoya)
• bug #​26973 [HttpKernel] Set first trusted proxy as REMOTE_ADDR in InlineFragmentRenderer. (@​kmadejski)
• bug #​27303 [Process] Consider "executable" suffixes first on Windows (@​sanmai)
• bug #​27297 Triggering RememberMe's loginFail() when token cannot be created (@​weaverryan)
• bug #​27366 [DI] never inline lazy services (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/277033

v2.8.41

Compare Source

Changelog (since symfony/symfony@v2.8.40...v2.8.41)

• bug #​27359 [HttpFoundation] Fix perf issue during MimeTypeGuesser intialization (@​nicolas-grekas)
• security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured
• security #cve-2018-11406 clear CSRF tokens when the user is logged out
• security #cve-2018-11385 Adding session authentication strategy to Guard to avoid session fixation
• security #cve-2018-11385 Adding session strategy to ALL listeners to avoid any possible fixation
• security #cve-2018-11386 [HttpFoundation] Break infinite loop in PdoSessionHandler when MySQL is in loose mode

[PR]https://github.com/symfony/symfony/pull/273755
[SECURITY] Security release

v2.8.40

Compare Source

Changelog (since symfony/symfony@v2.8.39...v2.8.40)

• bug #​26781 [Form] Fix precision of MoneyToLocalizedStringTransformer's divisions on transform() (@​syastrebov)
• bug #​27286 [Translation] Add Occitan plural rule (@​kylekatarnls)
• bug #​27246 Disallow invalid characters in session.name (@​ostrolucky)
• bug #​24805 [Security] Fix logout (@​MatTheCat)
• bug #​27141 [Process] Suppress warnings when open_basedir is non-empty (@​cbj4074)
• bug #​27250 [Session] limiting :key for GET_LOCK to 64 chars (@​oleg-andreyev)
• bug #​27237 [Debug] Fix populating error_get_last() for handled silent errors (@​nicolas-grekas)
• bug #​27236 [Filesystem] Fix usages of error_get_last() (@​nicolas-grekas)
• bug #​27152 [HttpFoundation] use brace-style regex delimiters (@​xabbuh)
• feature #​24896 Add CODE_OF_CONDUCT.md (@​egircys)

[PR]https://github.com/symfony/symfony/pull/273288

v2.8.39

Compare Source

Changelog (since symfony/symfony@v2.8.38...v2.8.39)

• bug #​27067 [HttpFoundation] Fix setting session-related ini settings (@​e-moe)
• bug #​27016 [Security][Guard] GuardAuthenticationProvider::authenticate cannot return null (@​biomedia-thomas)
• bug #​26831 [Bridge/Doctrine] count(): Parameter must be an array or an object that implements Countable (@​gpenverne)
• bug #​27044 [Security] Skip user checks if not implementing UserInterface (@​chalasr)
• bug #​26014 [Security] Fixed being logged out on failed attempt in guard (@​iltar)
• bug #​26910 Use new PHP7.2 functions in hasColorSupport (@​johnstevenson)
• bug #​26999 [VarDumper] Fix dumping of SplObjectStorage (@​corphi)
• bug #​25841 [DoctrineBridge] Fix bug when indexBy is meta key in PropertyInfo\DoctrineExtractor (@​insekticid)
• bug #​26886 Don't assume that file binary exists on *nix OS (@​teohhanhui)
• bug #​26643 Fix that ESI/SSI processing can turn a "private" response "public" (@​mpdude)
• bug #​26932 [Form] Fixed trimming choice values (@​HeahDude)
• bug #​26875 [Console] Don't go past exact matches when autocompleting (@​nicolas-grekas)
• bug #​26823 [Validator] Fix LazyLoadingMetadataFactory with PSR6Cache for non classname if tested values isn't existing class (@​Pascal Montoya, @​pmontoya)
• bug #​26834 [Yaml] Throw parse error on unfinished inline map (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/270955

v2.8.38

Compare Source

Changelog (since symfony/symfony@v2.8.37...v2.8.38)

• bug #​26788 [Security] Load the user before pre/post auth checks when needed (@​chalasr)
• bug #​26774 [SecurityBundle] Add missing argument to security.authentication.provider.simple (@​i3or1s, @​chalasr)
• bug #​26763 [Finder] Remove duplicate slashes in filenames (@​helhum)
• bug #​26749 Add PHPDbg support to HTTP components (@​hkdobrev)
• bug #​26609 [Console] Fix check of color support on Windows (@​mlocati)

[PR]https://github.com/symfony/symfony/pull/268411

v2.8.37

Compare Source

Changelog (since symfony/symfony@v2.8.36...v2.8.37)

• bug #​26727 [HttpCache] Unlink tmp file on error (@​Chansig)
• bug #​26675 [HttpKernel] DumpDataCollector: do not flush when a dumper is provided (@​ogizanagi)
• bug #​26663 [TwigBridge] Fix rendering of currency by MoneyType (@​ro0NL)
• bug #​26677 Support phpdbg SAPI in Debug::enable() (@​hkdobrev)
• bug #​26589 [Ldap] cast to string when checking empty passwords (@​ismail1432)
• bug #​26621 [Form] no type errors with invalid submitted data types (@​xabbuh)
• bug #​26337 [Finder] Fixed leading/trailing / in filename (@​lyrixx)
• bug #​26584 [TwigBridge] allow html5 compatible rendering of forms with null names (@​systemist)
• bug #​24401 [Form] Change datetime to datetime-local for HTML5 datetime input (@​pierredup)
• bug #​26370 [Security] added userChecker to SimpleAuthenticationProvider (@​i3or1s)
• bug #​26569 [BrowserKit] Fix cookie path handling when $domain is null (@​dunglas)
• bug #​26598 Fixes #​26563 (open_basedir restriction in effect) (@​temperatur)
• bug #​26568 [Debug] Reset previous exception handler earlier to prevent infinite loop (@​nicolas-grekas)
• bug #​26567 [DoctrineBridge] Don't rely on ClassMetadataInfo->hasField in DoctrineOrmTypeGuesser anymore (@​fancyweb)
• bug #​26356 [FrameworkBundle] HttpCache is not longer abstract (@​lyrixx)
• bug #​26548 [DomCrawler] Change bad wording in ChoiceFormField::untick (@​dunglas)
• bug #​26433 [DomCrawler] extract(): fix a bug when the attribute list is empty (@​dunglas)
• bug #​26452 [Intl] Load locale aliases to support alias fallbacks (@​jakzal)
• bug #​26450 [CssSelector] Fix CSS identifiers parsing - they can start with dash (@​jakubkulhan)

[PR]https://github.com/symfony/symfony/pull/267422

v2.8.36

Compare Source

Changelog (since symfony/symfony@v2.8.35...v2.8.36)

• bug #​26368 [WebProfilerBundle] Fix Debug toolbar breaks app (@​xkobal)

[PR]https://github.com/symfony/symfony/pull/264155

v2.8.35

Compare Source

Changelog (since symfony/symfony@v2.8.34...v2.8.35)

• bug #​26338 [Debug] Keep previous errors of Error instances (@​Philipp91)
• bug #​26312 [Routing] Don't throw 405 when scheme requirement doesn't match (@​nicolas-grekas)
• bug #​26298 Fix ArrayInput::toString() for InputArgument::IS_ARRAY args (@​maximium)
• bug #​26236 [PropertyInfo] ReflectionExtractor: give a chance to other extractors if no properties (@​dunglas)
• bug #​25557 [WebProfilerBundle] add a way to limit ajax request (@​Simperfit)
• bug #​26228 [HttpFoundation] Fix missing "throw" in JsonResponse (@​nicolas-grekas)
• bug #​26211 [Console] Suppress warning from sapi_windows_vt100_support (@​adawolfa)
• bug #​26156 Fixes #​26136: Avoid emitting warning in hasParameterOption() (@​greg-1-anderson)
• bug #​26183 [DI] Add null check for removeChild (@​changmin.keum)
• bug #​26173 [Security] fix accessing request values (@​xabbuh)
• bug #​26159 created validator.tl.xlf for Form/Translations (@​ergiegonzaga)
• bug #​26100 [Routing] Throw 405 instead of 404 when redirect is not possible (@​nicolas-grekas)
• bug #​26040 [Process] Check PHP_BINDIR before $PATH in PhpExecutableFinder (@​nicolas-grekas)
• bug #​26012 Exit as late as possible (@​greg0ire)
• bug #​26111 [Security] fix merge of 2.7 into 2.8 + add test case (@​dmaicher)
• bug #​25893 [Console] Fix hasParameterOption / getParameterOption when used with multiple flags (@​greg-1-anderson)
• bug #​25940 [Form] keep the context when validating forms (@​xabbuh)
• bug #​25373 Use the PCRE_DOLLAR_ENDONLY modifier in route regexes (@​mpdude)
• bug #​26010 [CssSelector] For AND operator, the left operand should have parentheses, not only right operand (@​Arnaud CHASSEUX)
• bug #​25971 [Debug] Fix bad registration of exception handler, leading to mem leak (@​nicolas-grekas)
• bug #​25962 [Routing] Fix trailing slash redirection for non-safe verbs (@​nicolas-grekas)
• bug #​25948 [Form] Fixed empty data on expanded ChoiceType and FileType (@​HeahDude)
• bug #​25972 support sapi_windows_vt100_support for php 7.2+ (@​jhdxr)
• bug #​25744 [TwigBridge] Allow label translation to be safe (@​MatTheCat)

[PR]https://github.com/symfony/symfony/pull/263611

v2.8.34

Compare Source

Changelog (since symfony/symfony@v2.8.33...v2.8.34)

• bug #​25922 [HttpFoundation] Use the correct syntax for session gc based on Pdo driver (@​tanasecosminromeo)
• bug #​25933 Disable CSP header on exception pages only in debug (@​ostrolucky)
• bug #​25926 [Form] Fixed Button::setParent() when already submitted (@​HeahDude)
• bug #​25927 [Form] Fixed submitting disabled buttons (@​HeahDude)
• bug #​25891 [DependencyInjection] allow null values for root nodes in YAML configs (@​xabbuh)
• bug #​25848 [Validator] add missing parent isset and add test (@​Simperfit)
• bug #​25861 do not conflict with egulias/email-validator 2.0+ (@​xabbuh)
• bug #​25851 [Validator] Conflict with egulias/email-validator 2.0 (@​emodric)
• bug #​25837 [SecurityBundle] Don't register in memory users as services (@​chalasr)
• bug #​25835 [HttpKernel] DebugHandlersListener should always replace the existing exception handler (@​nicolas-grekas)
• bug #​25829 [Debug] Always decorate existing exception handlers to deal with fatal errors (@​nicolas-grekas)
• bug #​25824 Fixing a bug where the dump() function depended on bundle ordering (@​weaverryan)
• bug #​25789 Enableable ArrayNodeDefinition is disabled for empty configuration (@​kejwmen)
• bug #​25816 Problem in phar see mergerequest #​25579 (@​betzholz)
• bug #​25781 [Form] Disallow transform dates beyond the year 9999 (@​curry684)
• bug #​25812 Copied NO language files to the new NB locale (@​derrabus)
• bug #​25801 [Router] Skip anonymous classes when loading annotated routes (@​pierredup)
• bug #​25657 [Security] Fix fatal error on non string username (@​chalasr)
• bug #​25799 Fixed Request::__toString ignoring cookies (@​Toflar)
• bug #​25755 [Debug] prevent infinite loop with faulty exception handlers (@​nicolas-grekas)
• bug #​25771 [Validator] 19 digits VISA card numbers are valid (@​xabbuh)
• bug #​25751 [FrameworkBundle] Add the missing enabled session attribute (@​sroze)
• bug #​25750 [HttpKernel] Turn bad hosts into 400 instead of 500 (@​nicolas-grekas)
• bug #​25490 [Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR (@​diversantvlz)
• bug #​25709 Tweaked some styles in the profiler tables (@​javiereguiluz)
• feature #​25669 [Security] Fail gracefully if the security token cannot be unserialized from the session (@​thewilkybarkid)

[PR]https://github.com/symfony/symfony/pull/259544

v2.8.33

Compare Source

Changelog (since symfony/symfony@v2.8.32...v2.8.33)

• bug #​25532 [HttpKernel] Disable CSP header on exception pages (@​ostrolucky)
• bug #​25491 [Routing] Use the default host even if context is empty (@​sroze)
• bug #​25662 Dumper shouldn't use html format for phpdbg / cli-server (@​jhoff)
• bug #​25529 [Validator] Fix access to root object when using composite constraint (@​ostrolucky)
• bug #​25430 Fixes for Oracle in PdoSessionHandler (@​elislenio)
• bug #​25599 Add application/ld+json format associated to json (@​vincentchalamon)
• bug #​25407 [Console] Commands with an alias should not be recognized as ambiguous (@​Simperfit)
• bug #​25521 [Console] fix a bug when you are passing a default value and passing -n would output the index (@​Simperfit)
• bug #​25489 [FrameworkBundle] remove esi/ssi renderers if inactive (@​dmaicher)
• bug #​25427 Preserve percent-encoding in URLs when performing redirects in the UrlMatcher (@​mpdude)
• bug #​25480 [FrameworkBundle] add missing validation options to XSD file (@​xabbuh)
• bug #​25487 [Console] Fix a bug when passing a letter that could be an alias (@​Simperfit)
• bug #​25233 [TwigBridge][Form] Fix hidden currency element with Bootstrap 3 theme (@​julienfalque)
• bug #​25408 [Debug] Fix catching fatal errors in case of nested error handlers (@​nicolas-grekas)
• bug #​25330 [HttpFoundation] Support 0 bit netmask in IPv6 (::/0) (@​stephank)
• bug #​25410 [HttpKernel] Fix logging of post-terminate errors/exceptions (@​nicolas-grekas)
• bug #​25323 [ExpressionLanguage] throw an SyntaxError instead of an undefined index notice (@​Simperfit)

[PR]https://github.com/symfony/symfony/pull/256899

v2.8.32

Compare Source

Changelog (since symfony/symfony@v2.8.31...v2.8.32)

• bug #​25278 Fix for missing whitespace control modifier in form layout (@​kubawerlos)
• bug #​25236 [Form][TwigBridge] Fix collision between view properties and form fields (@​yceruto)
• bug #​25258 [link] Prevent warnings when running link with 2.7 (@​dunglas)
• bug #​24750 [Validator] ExpressionValidator should use OBJECT_TO_STRING (@​Simperfit)
• bug #​25182 [HttpFoundation] AutExpireFlashBag should not clear new flashes (@​Simperfit, @​sroze)
• bug #​25152 [Form] Don't rely on Symfony\Component\HttpFoundation\File\File if http-foundation isn't in FileType (@​issei-m)
• bug #​24987 [Console] Fix global console flag when used in chain (@​Simperfit)
• bug #​25043 [Yaml] added ability for substitute aliases when mapping is on single line (@​Michał Strzelecki, @​xabbuh)
• bug #​25102 [Form] Fixed ContextErrorException in FileType (@​chihiro-adachi)
• bug #​25130 [DI] Fix handling of inlined definitions by ContainerBuilder (@​nicolas-grekas)
• bug #​25072 [Bridge/PhpUnit] Remove trailing "\n" from ClockMock::microtime(false) (@​joky)
• bug #​24956 Fix ambiguous pattern (@​weltling)

[PR]https://github.com/symfony/symfony/pull/253188

v2.8.31

Compare Source

Changelog (since symfony/symfony@v2.8.30...v2.8.31)

• security #​24995 Validate redirect targets using the session cookie domain (@​nicolas-grekas)
• security #​24994 Prevent bundle readers from breaking out of paths (@​xabbuh)
• security #​24993 Ensure that submitted data are uploaded files (@​xabbuh)
• security #​24992 Namespace generated CSRF tokens depending of the current scheme (@​dunglas)

[PR]https://github.com/symfony/symfony/pull/250000
[SECURITY] Security release

v2.8.30

Compare Source

Changelog (since symfony/symfony@v2.8.29...v2.8.30)

• bug #​24952 [HttpFoundation] Fix session-related BC break (@​nicolas-grekas, @​sroze)
• bug #​24929 [Console] Fix traversable autocomplete values (@​ro0NL)

[PR]https://github.com/symfony/symfony/pull/249577

v2.8.29

Compare Source

Changelog (since symfony/symfony@v2.8.28...v2.8.29)

• bug #​24888 [FrameworkBundle] Specifically inject the debug dispatcher in the collector (@​ogizanagi)
• bug #​24909 [Intl] Update ICU data to 60.1 (@​jakzal)
• bug #​24906 [Bridge/ProxyManager] Remove direct reference to value holder property (@​nicolas-grekas)
• bug #​24900 [Validator] Fix Costa Rica IBAN format (@​Bozhidar Hristov)
• bug #​24904 [Validator] Add Belarus IBAN format (@​Bozhidar Hristov)
• bug #​24531 [HttpFoundation] Fix forward-compat of NativeSessionStorage with PHP 7.2 (@​sroze)
• bug #​24665 Fix dump panel hidden when closing a dump (@​julienfalque)
• bug #​24814 [Intl] Make intl-data tests pass and save language aliases again (@​jakzal)
• bug #​24764 [HttpFoundation] add Early Hints to Reponse to fix test (@​Simperfit)
• bug #​24605 [FrameworkBundle] Do not load property_access.xml if the component isn't installed (@​ogizanagi)
• bug #​24606 [HttpFoundation] Fix FileBag issue with associative arrays (@​enumag)
• bug #​24660 Escape trailing \ in QuestionHelper autocompletion (@​kamazee)
• bug #​24644 [Security] Fixed auth provider authenticate() cannot return void (@​glye)
• bug #​24642 [Routing] Fix resource miss (@​dunglas)
• bug #​24608 Adding the Form default theme files to be warmed up in Twig's cache (@​weaverryan)
• bug #​24626 streamed response should return $this (@​DQNEO)
• bug #​24589 Username and password in basic auth are allowed to contain '.' (@​Richard Quadling)
• bug #​24566 Fixed unsetting from loosely equal keys OrderedHashMap (@​maryo)
• bug #​24570 [Debug] Fix same vendor detection in class loader (@​Jean-Beru)
• bug #​24563 [Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed (@​dunglas)
• bug #​24571 [PropertyInfo] Add support for the iterable type (@​dunglas)
• bug #​24579 pdo session fix (@​mxp100)
• bug #​24536 [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails (@​kbond)
• bug #​24519 [Validator] [Twig] added magic method __isset() to File Constraint class (@​loru88)
• bug #​24532 [DI] Fix possible incorrect php-code when dumped strings contains newlines (@​Strate)
• bug #​24502 [HttpFoundation] never match invalid IP addresses (@​xabbuh)
• bug #​24460 [Form] fix parsing invalid floating point numbers (@​xabbuh)
• bug #​24490 [HttpFoundation] Combine Cache-Control headers (@​c960657)
• bug #​23711 Fix support for PHP 7.2 (@​Simperfit, @​nicolas-grekas)
• bug #​24494 [HttpFoundation] Add missing session.lazy_write config option (@​nicolas-grekas)
• bug #​24434 [Form] Use for=ID on radio/checkbox label. (@​Nyholm)
• bug #​24455 [Console] Escape command usage (@​sroze)

[PR]https://github.com/symfony/symfony/pull/249155

v2.8.28

Compare Source

Changelog (since symfony/symfony@v2.8.27...v2.8.28)

• bug #​24448 [Session] fix MongoDb session handler to gc all expired sessions (@​Tobion)
• bug #​24417 [Yaml] parse references on merge keys (@​xabbuh)
• bug #​24421 [Config] Fix dumped files invalidation by OPCache (@​nicolas-grekas)
• bug [#​23980](https://togithub.com/sym

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Renovate Bot.