Package: symfony / 2.8.7+dfsg-1.3+deb9u1

Metadata

Package: symfony
Version: 2.8.7+dfsg-1.3+deb9u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
group online for test failing without network.patch | (download)

src/Symfony/Component/Filesystem/Tests/FilesystemTest.php | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 '@group online' for test failing without network

Add more tests to group tty.patch | (download)

src/Symfony/Component/Process/Tests/ProcessTest.php | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 add more tests to '@group tty'

Not all tests using a tty are in @group tty. This should be reported (and
fixed) upstream but needs further investigation:
 - There might be more tests needing a tty.
 - It could be that some tests in group tty may not need a tty.

Increasing timeout in test AbstractProcessTest testS.patch | (download)

src/Symfony/Component/Process/Tests/ProcessTest.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 increasing timeout in test
 AbstractProcessTest::testStartAfterATimeout()

This hopefully will allow ci.debian.net to run DEP-8 as installed tests
and might prevent FTBFS #775625 from hitting us again.

FrameworkBundle SecurityBundle Don t try to include .patch | (download)

src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php | 10 0 + 10 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AppKernel.php | 10 0 + 10 - 0 !
2 files changed, 20 deletions(-)

 frameworkbundle+securitybundle: don't try to include legacy autoload
 files

The AppKernel.php used for some functional tests still tries to load
./autoload.php(.dist), which is no longer shipped with Symfony in favour
of using vendor/autoload.php.

This is harmless for the normal testsuite, but becomes problematic for the
Debian packaging of Symfony:
In Debian, the autoloading for Symfony currently does not make use of
composer's autoloading mechanism. Instead, a custom autoloading is implemented
that uses phpab to generate autoload.php files for each single component,
bridge and bundle. Since AppKernel.php, which is provided for functional tests
in FrameworkBundle and SecurityBundle, would load those generated autoload.php
files instead of /vendor/autoload.php, the testsuite fails for the Debian
packaging. Additionally, for DEP-8 (as-installed) tests, not including
vendor/autoload.php means that instead of installed classes, classes from
the source code are loaded, which is wrong.

Example for tests in the Symfony SecurityBundle:
Instead of loading [SYMFONY]/vendor/autoload.php, the file
[SYMFONY]/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AppKernel.php
would load [SYMFONY]/src/Symfony/Bundle/SecurityBundle/autoload.php without
this patch, making the tests fail.

HttpFoundation Fix incompatibility with php memcache.patch | (download)

src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MemcacheSessionHandler.php | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 httpfoundation fix incompatibility with php-memcache from debian

The version of php-memcache (3.0.9~20151130.fdbd46b-1) in Debian makes
the test MemcacheSessionHandlerTest::testReadSession fail, complaining
about missing arguments. This commit solves this issue.

fix php 7.1 related failures | (download)

.travis.yml | 10 5 + 5 - 0 !
src/Symfony/Bridge/ProxyManager/Tests/LazyProxy/Fixtures/php/lazy_service_structure.txt | 4 2 + 2 - 0 !
src/Symfony/Component/Console/Helper/Table.php | 2 1 + 1 - 0 !
src/Symfony/Component/DependencyInjection/Tests/CrossCheckTest.php | 2 1 + 1 - 0 !
src/Symfony/Component/Form/Util/OrderedHashMap.php | 2 1 + 1 - 0 !
src/Symfony/Component/HttpKernel/CacheWarmer/CacheWarmer.php | 2 1 + 1 - 0 !
src/Symfony/Component/Validator/Constraints/File.php | 12 7 + 5 - 0 !
7 files changed, 18 insertions(+), 16 deletions(-)

 fix php 7.1 related failures

do not depend on a fixed date in layout | (download)

src/Symfony/Component/Form/Tests/AbstractBootstrap3LayoutTest.php | 16 8 + 8 - 0 !
src/Symfony/Component/Form/Tests/AbstractLayoutTest.php | 16 8 + 8 - 0 !
2 files changed, 16 insertions(+), 16 deletions(-)

 do not depend on a fixed date in layout tests

By default, the `DateType` as well as the `DateTimeType` set the choices
being available for the year to a range starting five years in the past.
After some time, this will make tests fail when the year of the fixed
date being used as the initial data is before the first year being part
of the choices.

update ipvalidatortest data set with a v | (download)

src/Symfony/Component/Validator/Tests/Constraints/IpValidatorTest.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 update ipvalidatortest data set with a valid reserved ip

The validator uses PHP filter which was recently fixed (see https://bugs.php.net/bug.php?id=72972).

relax 1 test failing with latest php ver | (download)

src/Symfony/Component/VarDumper/Tests/Caster/SplCasterTest.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 relax 1 test failing with latest php versions

Related to php bug #52646 which is fixed in 5.6.25RC1, 7.0.10RC1, 7.1.0beta2

vardumper relax tests to adapt for php 7 | (download)

src/Symfony/Component/VarDumper/Tests/CliDumperTest.php | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 [vardumper] relax tests to adapt for php 7.1rc4

vardumper relax line number for clidumpe | (download)

src/Symfony/Component/VarDumper/Tests/CliDumperTest.php | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [vardumper] relax line number for clidumpertest

Security Validate redirect targets using the session cook.patch | (download)

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php | 40 40 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/SecurityBundle.php | 3 3 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php | 131 131 + 0 - 0 !
src/Symfony/Component/Security/Http/HttpUtils.php | 9 8 + 1 - 0 !
src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php | 32 32 + 0 - 0 !
5 files changed, 214 insertions(+), 1 deletion(-)

 [security] validate redirect targets using the session cookie domain

[CVE-2017-16652] https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers

Security Namespace generated CSRF tokens depending of the.patch | (download)

src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.xml | 1 1 + 0 - 0 !
src/Symfony/Component/Security/Csrf/CsrfTokenManager.php | 58 45 + 13 - 0 !
src/Symfony/Component/Security/Csrf/Tests/CsrfTokenManagerTest.php | 193 126 + 67 - 0 !
3 files changed, 172 insertions(+), 80 deletions(-)

 [security] namespace generated csrf tokens depending of the current
 scheme

prevent bundle readers from breaking out of paths.patch | (download)

src/Symfony/Component/Intl/Data/Bundle/Reader/JsonBundleReader.php | 5 5 + 0 - 0 !
src/Symfony/Component/Intl/Data/Bundle/Reader/PhpBundleReader.php | 5 5 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/Fixtures/invalid_directory/en.json | 1 1 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/Fixtures/invalid_directory/en.php | 14 14 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/JsonBundleReaderTest.php | 8 8 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/PhpBundleReaderTest.php | 8 8 + 0 - 0 !
6 files changed, 41 insertions(+)

 prevent bundle readers from breaking out of paths

[CVE-2017-16654] https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths

Form DX FileType multiple fixes.patch | (download)

src/Symfony/Component/Form/Extension/Core/Type/FileType.php | 41 36 + 5 - 0 !
src/Symfony/Component/Form/Tests/Extension/Core/Type/FileTypeTest.php | 27 27 + 0 - 0 !
2 files changed, 63 insertions(+), 5 deletions(-)

 [form][dx] filetype "multiple" fixes

ensure that submitted data are uploaded files.patch | (download)

UPGRADE-2.7.md | 2 2 + 0 - 0 !
src/Symfony/Component/Form/CHANGELOG.md | 5 5 + 0 - 0 !
src/Symfony/Component/Form/Extension/Core/Type/FileType.php | 31 23 + 8 - 0 !
src/Symfony/Component/Form/Extension/HttpFoundation/HttpFoundationRequestHandler.php | 9 6 + 3 - 0 !
src/Symfony/Component/Form/NativeRequestHandler.php | 21 13 + 8 - 0 !
src/Symfony/Component/Form/RequestHandlerInterface.php | 7 7 + 0 - 0 !
src/Symfony/Component/Form/Tests/AbstractRequestHandlerTest.php | 12 12 + 0 - 0 !
src/Symfony/Component/Form/Tests/Extension/Core/Type/FileTypeTest.php | 132 91 + 41 - 0 !
src/Symfony/Component/Form/Tests/Extension/HttpFoundation/HttpFoundationRequestHandlerTest.php | 5 5 + 0 - 0 !
src/Symfony/Component/Form/Tests/NativeRequestHandlerTest.php | 11 11 + 0 - 0 !
10 files changed, 175 insertions(+), 60 deletions(-)

 ensure that submitted data are uploaded files

[CVE-2017-16790] https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files

Adding session strategy to ALL listeners to avoid any pos.patch | (download)

src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php | 15 15 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php | 16 16 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php | 14 14 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php | 16 16 + 0 - 0 !
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php | 7 5 + 2 - 0 !
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategyInterface.php | 7 2 + 5 - 0 !
6 files changed, 68 insertions(+), 7 deletions(-)

 adding session strategy to all listeners to avoid *any* possible
 fixation

[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

Adding session authentication strategy to Guard to avoid .patch | (download)

src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 adding session authentication strategy to guard to avoid session
 fixation

[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

HttpFoundation Break infinite loop in PdoSessionHandler w.patch | (download)

src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [httpfoundation] break infinite loop in pdosessionhandler when mysql
 is in loose mode

[CVE-2018-11386] https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler

Security Fix logout.patch | (download)

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php | 25 13 + 12 - 0 !
src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml | 1 1 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Security/FirewallContext.php | 7 5 + 2 - 0 !
src/Symfony/Bundle/SecurityBundle/Security/FirewallMap.php | 2 1 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php | 1 0 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php | 34 34 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeLogout/bundles.php | 18 18 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeLogout/config.yml | 25 25 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeLogout/routing.yml | 5 5 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall.php | 13 11 + 2 - 0 !
src/Symfony/Component/Security/Http/FirewallMap.php | 14 5 + 9 - 0 !
11 files changed, 118 insertions(+), 27 deletions(-)

 [security] fix logout

do not mock the session in token storage tests.patch | (download)

src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php | 177 25 + 152 - 0 !
1 file changed, 25 insertions(+), 152 deletions(-)

 do not mock the session in token storage tests

clear CSRF tokens when the user is logged out.patch | (download)

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterCsrfTokenClearingLogoutHandlerPass.php | 42 42 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/SecurityBundle.php | 2 2 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php | 18 18 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LogoutWithoutSessionInvalidation/bundles.php | 18 18 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LogoutWithoutSessionInvalidation/config.yml | 26 26 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LogoutWithoutSessionInvalidation/routing.yml | 5 5 + 0 - 0 !
src/Symfony/Component/Security/Csrf/Tests/TokenStorage/NativeSessionTokenStorageTest.php | 28 28 + 0 - 0 !
src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php | 27 27 + 0 - 0 !
src/Symfony/Component/Security/Csrf/TokenStorage/ClearableTokenStorageInterface.php | 23 23 + 0 - 0 !
src/Symfony/Component/Security/Csrf/TokenStorage/NativeSessionTokenStorage.php | 10 9 + 1 - 0 !
src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php | 14 13 + 1 - 0 !
src/Symfony/Component/Security/Http/Logout/CsrfTokenClearingLogoutHandler.php | 35 35 + 0 - 0 !
src/Symfony/Component/Security/Http/Tests/Logout/CsrfTokenClearingLogoutHandlerTest.php | 76 76 + 0 - 0 !
13 files changed, 322 insertions(+), 2 deletions(-)

 clear csrf tokens when the user is logged out

[CVE-2018-11406] https://symfony.com/blog/cve-2018-11406-csrf-token-fixation

Ldap cast to string when checking empty passwords.patch | (download)

src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php | 2 1 + 1 - 0 !
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php | 17 17 + 0 - 0 !
2 files changed, 18 insertions(+), 1 deletion(-)

 [ldap] cast to string when checking empty passwords

[CVE-2016-2403] https://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password

SecurityBundle Fail if security.http_utils cannot be conf.patch | (download)

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php | 3 2 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/SecurityBundle.php | 2 1 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php | 13 13 + 0 - 0 !
3 files changed, 16 insertions(+), 2 deletions(-)

 [securitybundle] fail if security.http_utils cannot be configured

[CVE-2018-11408] https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers