Merge branch '2.8' into 3.4

* 2.8:
  do not mock the session in token storage tests
  Add Occitan plural rule
  Fix security/* cross-dependencies
  Disallow illegal characters like "." in session.name
  fix rounding from string

Author: fabpot

DependencyInjection/Configuration.php

@@ -461,7 +461,16 @@ private function addSessionSection(ArrayNodeDefinition $rootNode)
                     ->children()
                         ->scalarNode('storage_id')->defaultValue('session.storage.native')->end()
                         ->scalarNode('handler_id')->defaultValue('session.handler.native_file')->end()
-                        ->scalarNode('name')->end()
+                        ->scalarNode('name')
+                            ->validate()
+                                ->ifTrue(function ($v) {
+                                    parse_str($v, $parsed);
+
+                                    return implode('&', array_keys($parsed)) !== (string) $v;
+                                })
+                                ->thenInvalid('Session name %s contains illegal character(s)')
+                            ->end()
+                        ->end()
                         ->scalarNode('cookie_lifetime')->end()
                         ->scalarNode('cookie_path')->end()
                         ->scalarNode('cookie_domain')->end()

Tests/DependencyInjection/ConfigurationTest.php

@@ -79,6 +79,55 @@ public function testTrustedProxiesSetToNonEmptyArrayIsInvalid()
 
     /**
      * @group legacy
+     * @dataProvider getTestValidSessionName
+     */
+    public function testValidSessionName($sessionName)
+    {
+        $processor = new Processor();
+        $config = $processor->processConfiguration(
+            new Configuration(true),
+            array(array('session' => array('name' => $sessionName)))
+        );
+
+        $this->assertEquals($sessionName, $config['session']['name']);
+    }
+
+    public function getTestValidSessionName()
+    {
+        return array(
+            array(null),
+            array('PHPSESSID'),
+            array('a&b'),
+            array(',_-!@#$%^*(){}:<>/?'),
+        );
+    }
+
+    /**
+     * @dataProvider getTestInvalidSessionName
+     * @expectedException \Symfony\Component\Config\Definition\Exception\InvalidConfigurationException
+     */
+    public function testInvalidSessionName($sessionName)
+    {
+        $processor = new Processor();
+        $processor->processConfiguration(
+            new Configuration(true),
+            array(array('session' => array('name' => $sessionName)))
+        );
+    }
+
+    public function getTestInvalidSessionName()
+    {
+        return array(
+            array('a.b'),
+            array('a['),
+            array('a[]'),
+            array('a[b]'),
+            array('a=b'),
+            array('a+b'),
+        );
+    }
+
+    /**
      * @dataProvider getTestValidTrustedProxiesData
      */
     public function testValidTrustedProxies($trustedProxies, $processedProxies)

composer.json

@@ -39,12 +39,11 @@
         "symfony/css-selector": "~2.8|~3.0|~4.0",
         "symfony/dom-crawler": "~2.8|~3.0|~4.0",
         "symfony/polyfill-intl-icu": "~1.0",
-        "symfony/security": "~2.8|~3.0|~4.0",
         "symfony/form": "~3.4|~4.0",
         "symfony/expression-language": "~2.8|~3.0|~4.0",
         "symfony/process": "~2.8|~3.0|~4.0",
         "symfony/security-core": "~3.2|~4.0",
-        "symfony/security-csrf": "~2.8|~3.0|~4.0",
+        "symfony/security-csrf": "^2.8.31|^3.3.13|~4.0",
         "symfony/serializer": "~3.3|~4.0",
         "symfony/stopwatch": "~3.4|~4.0",
         "symfony/translation": "~3.4|~4.0",