6.1
Commits on Feb 1, 2023
Commits on Jan 30, 2023
-
* 6.0:
  [HttpFoundation] Fix bad return type in IpUtils::checkIp4()
  [DependencyInjection] Fix order of arguments when mixing positional and named ones
  [HttpClient] Fix collecting data non-late for the profiler
  [Security/Http] Fix compat of persistent remember-me with legacy tokens
  Bump Symfony version to 6.0.20
  Update VERSION for 6.0.19
  Update CHANGELOG for 6.0.19
  Bump Symfony version to 5.4.20
  Update VERSION for 5.4.19
  Update CONTRIBUTORS for 5.4.19
  Update CHANGELOG for 5.4.19
  [Security/Http] Remove CSRF tokens from storage on successful login
  [HttpKernel] Remove private headers before storing responses with HttpCache
-
* 5.4:
  [HttpFoundation] Fix bad return type in IpUtils::checkIp4()
  [DependencyInjection] Fix order of arguments when mixing positional and named ones
  [HttpClient] Fix collecting data non-late for the profiler
  [Security/Http] Fix compat of persistent remember-me with legacy tokens
  Bump Symfony version to 5.4.20
  Update VERSION for 5.4.19
  Update CONTRIBUTORS for 5.4.19
  Update CHANGELOG for 5.4.19
  [Security/Http] Remove CSRF tokens from storage on successful login
  [HttpKernel] Remove private headers before storing responses with HttpCache
-
* 4.4:
  [Security/Http] Remove CSRF tokens from storage on successful login
  [HttpKernel] Remove private headers before storing responses with HttpCache
Commits on Jan 29, 2023
-
bug #49141 [HttpFoundation] Fix bad return type in IpUtils::checkIp4() (tristankretzer)

This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[HttpFoundation] Fix bad return type in IpUtils::checkIp4()

| Q             | A         |
| ------------- | --------- |
| Branch?       | 5.4       |
| Bug fix?      | yes       |
| New feature?  | no        |
| Deprecations? | no        |
| Tickets       | see below |
| License       | MIT       |
| Doc PR        | -         |

`filter_var` returns the value if it passes the applied filters. This leads to `IpUtils::checkIp4()` returning the address part of the CIDR notation (instead of `true` which is expected) if it is a valid IPv4 address with subnet mask 0. This change fixes this behaviour.

Commits
-------

f694aa8 [HttpFoundation] Fix bad return type in IpUtils::checkIp4()
Commits on Jan 27, 2023
-
bug #49126 [DependencyInjection] Fix order of arguments when mixing positional and named ones (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion
----------

[DependencyInjection] Fix order of arguments when mixing positional and named ones

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 5.4        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #49118 |
| License       | MIT        |
| Doc PR        | -          |

Commits
-------

45d614d [DependencyInjection] Fix order of arguments when mixing positional and named ones
Commits on Jan 25, 2023
-
bug #49104 [HttpClient] Fix collecting data non-late for the profiler (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion
----------

[HttpClient] Fix collecting data non-late for the profiler

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 5.4        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #49096 |
| License       | MIT        |
| Doc PR        | -          |

`@silverbackdan` `@pforesi` could you please confirm that this fixes both your use cases?

Commits
-------

3cb1d70 [HttpClient] Fix collecting data non-late for the profiler
-
bug #49103 [Security/Http] Fix compat of persistent remember-me with legacy tokens (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion
----------

[Security/Http] Fix compat of persistent remember-me with legacy tokens

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 5.4        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #49100 |
| License       | MIT        |
| Doc PR        | -          |

In #49078, we changed the format of remember-me tokens, effectively invalidating them all. While the invalidation is intentional for signature-based remember-me handlers, persistent remember-me handlers could accept both legacy and updated tokens.

This PR fixes compat with legacy tokens for persistent remember-me handlers.

Commits
-------

538d660 [Security/Http] Fix compat of persistent remember-me with legacy tokens
Commits on Jan 24, 2023
-
* 6.0: [Security/Http] Check tokens before loading users from providers
-
* 5.4: [Security/Http] Check tokens before loading users from providers
-
bug #49078 [Security/Http] Check tokens before loading users from providers (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion
----------

[Security/Http] Check tokens before loading users from providers

| Q             | A   |
| ------------- | --- |
| Branch?       | 5.4 |
| Bug fix?      | yes |
| New feature?  | no  |
| Deprecations? | no  |
| Tickets       | -   |
| License       | MIT |
| Doc PR        | -   |

Remember me cookies and login link handler tokens contain an expiry but we check this expiry only after we've loaded a user from a provider. This can create unneeded load on the provider.

Note that the now legacy security subsystem was free from this issue so this PR is fixing a regression.

For persistent tokens, I've removed any logic to sign them in `PersistentRememberMeHandler` because we never validate the signature, so it's just useless.

Commits
-------

889d739 [Security/Http] Check tokens before loading users from providers
-
security #cve-2022-24895 [Security/Http] Remove CSRF tokens from storage on successful login (nicolas-grekas)

This PR was merged into the 4.4 branch.
-
security #cve-2022-24894 [HttpKernel] Remove private headers before storing responses with HttpCache (nicolas-grekas)

This PR was merged into the 4.4 branch.
Commits on Jan 23, 2023
-
* 6.0: [DependencyInjection] Fix named arguments when using ContainerBuilder before compilation