base repository: symfony/framework-bundle
base: v6.4.0-BETA2
head repository: symfony/framework-bundle
compare: v6.4.0-BETA3
  • 15 commits
  • 31 files changed
  • 9 contributors

Commits on Oct 29, 2023

  1. e5ef00a

Commits on Oct 30, 2023

  1. 29d3278
  2. [FrameworkBundle] Fix BC break about enable_annotations in validation and serializer configuration

    lyrixx committed Oct 30, 2023
    c90c081

Commits on Oct 31, 2023

  1. [Tests] Streamline

    OskarStark authored and nicolas-grekas committed Oct 31, 2023
    4eeac66
  2. Merge branch '5.4' into 6.3

    * 5.4:
      [Tests] Streamline
      [Validator] updated Romanian translation
    nicolas-grekas committed Oct 31, 2023
    f7042aa
  3. Merge branch '6.3' into 6.4

    * 6.3:
      [Console] Fix horizontal table top border is incorrectly rendered
      [Tests] Streamline
      [Uid] Fix UuidV7 collisions within the same ms
      [Validator] updated Romanian translation
    nicolas-grekas committed Oct 31, 2023
    4942e74
  4. [Tests] Move expectException closer to the place of the expectation to avoid false positives

    OskarStark committed Oct 31, 2023
    fccfb9f

Commits on Nov 1, 2023

  1. 79174a4

Commits on Nov 3, 2023

  1. 4e78c6e
  2. minor #52313 [FrameworkBundle][Scheduler] Add test for autoconfigured schedule (valtzu)
    
    This PR was merged into the 6.4 branch.
    
    Discussion
    ----------
    
    [FrameworkBundle][Scheduler] Add test for autoconfigured schedule
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 6.4
    | Bug fix?      | no
    | New feature?  | no
    | Deprecations? | no
    | License       | MIT
    
    Add functional tests for autoconfigured schedules / tasks, as discussed in symfony/symfony#51525 (comment).
    
    Commits
    -------
    
    ea2a8cd7255 Add test for autoconfigured schedule
    fabpot committed Nov 3, 2023
    f75ebd3

Commits on Nov 6, 2023

  1. [HttpKernel] Add ControllerResolver::allowControllers() to define which callables are legit controllers when the `_check_controller_is_allowed` request attribute is set

    nicolas-grekas committed Nov 6, 2023
    c77e1a4

Commits on Nov 7, 2023

  1. bug #52434 [Console][FrameworkBundle] Fix missing profile option for console commands (keulinho)
    
    This PR was merged into the 6.4 branch.
    
    Discussion
    ----------
    
    [Console][FrameworkBundle] Fix missing `profile` option for console commands
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 6.4
    | Bug fix?      | yes
    | New feature?  | no
    | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
    | Issues        | Fix symfony/symfony#52433
    | License       | MIT
    
    Commits
    -------
    
    0e0848bc27 Fix missing `profile` option for console commands
    chalasr committed Nov 7, 2023
    6d6bd2b
  2. feature #52471 [HttpKernel] Add `ControllerResolver::allowControllers()` to define which callables are legit controllers when the `_check_controller_is_allowed` request attribute is set (nicolas-grekas)
    
    This PR was merged into the 6.4 branch.
    
    Discussion
    ----------
    
    [HttpKernel] Add `ControllerResolver::allowControllers()` to define which callables are legit controllers when the `_check_controller_is_allowed` request attribute is set
    
    | Q             | A
    | ------------- | ---
    | Branch?       | 6.4
    | Bug fix?      | no
    | New feature?  | yes
    | Deprecations? | no
    | Issues        | -
    | License       | MIT
    
    Right now, when one doesn't configure properly their APP_SECRET, this can too easily lead to an RCE.
    
    This PR proposes to harden security by rejecting any not-allowed controllers when the `_check_controller_is_allowed` request attribute is set. We leverage this in FragmentListener to close the RCE gap.
    
    In order to allow a controller, one should call `ControllerResolver::allowControllers()` during instantiation to tell which types or attributes should be accepted. #[AsController] is always allowed, and FrameworkBundle also allows instances of `AbstractController`.
    
    Third-party bundles that provide controllers meant to be used as fragments should ensure their controllers are allowed by adding the method call to the `controller_resolver` service definition.
    
    I propose this as a late 6.4 feature so that we can provide this hardening right away in 7.0. In 6.4, this would be only a deprecation.
    
    Commits
    -------
    
    893aba9032 [HttpKernel] Add `ControllerResolver::allowControllers()` to define which callables are legit controllers when the `_check_controller_is_allowed` request attribute is set
    nicolas-grekas committed Nov 7, 2023
    b69f794

Commits on Nov 9, 2023

  1. e88be13
  2. Merge branch '6.3' into 6.4

    * 6.3:
      [FrameworkBundle] Don't reference SYMFONY_IDE env var in non-debug mode
      wire the secret for Symfony 6.4 compatibility
    nicolas-grekas committed Nov 9, 2023
    d19d1ab