Package: symfony / 2.8.7+dfsg-1.3+deb9u2

Metadata

Package:        symfony
Version:        2.8.7+dfsg-1.3+deb9u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
group online for test failing without network.patch

src/Symfony/Component/Filesystem/Tests/FilesystemTest.php | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 '@group online' for test failing without network

Add more tests to group tty.patch

src/Symfony/Component/Process/Tests/ProcessTest.php | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 add more tests to '@group tty'

Not all tests using a tty are in @group tty. This should be reported (and
fixed) upstream but needs further investigation:
 - There might be more tests needing a tty.
 - It could be that some tests in group tty may not need a tty.

Increasing timeout in test AbstractProcessTest testS.patch

src/Symfony/Component/Process/Tests/ProcessTest.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 increasing timeout in test
 AbstractProcessTest::testStartAfterATimeout()

This hopefully will allow ci.debian.net to run DEP-8 as installed tests
and might prevent FTBFS #775625 from hitting us again.

FrameworkBundle SecurityBundle Don t try to include .patch

src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php | 10 0 + 10 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AppKernel.php | 10 0 + 10 - 0 !
2 files changed, 20 deletions(-)

 frameworkbundle+securitybundle: don't try to include legacy autoload
 files

The AppKernel.php used for some functional tests still tries to load
./autoload.php(.dist), which is no longer shipped with Symfony in favour
of using vendor/autoload.php.

This is harmless for the normal testsuite, but becomes problematic for the
Debian packaging of Symfony:
In Debian the autoloading for Symfony currently does not make use of
composer's autoloading mechanism. Instead an own autoloading is implemented,
that uses phpab to generate autoload.php files for each single component,
bridge and bundle. Since AppKernel.php, which is provided for functional tests
in FrameworkBundle and SecurityBundle would load those generated autoload.php
files instead of /vendor/autoload.php, the testsuite fails for the Debian
packaging. Additionally for DEP-8 (as-installed) tests not including
vendor/autoload.php means, that instead of installed classes, classes from
the source code are loaded, which is wrong.

Example for tests in the Symfony SecurityBundle:
Instead of loading [SYMFONY]/vendor/autoload.php, the file
[SYMFONY]/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AppKernel.php
would load [SYMFONY]/src/Symfony/Bundle/SecurityBundle/autoload.php without
this patch, making the tests fail.

HttpFoundation Fix incompatibility with php memcache.patch

src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MemcacheSessionHandler.php | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 httpfoundation fix incompatibility with php-memcache from debian

The version of php-memcache (3.0.9~20151130.fdbd46b-1) in Debian makes
the test MemcacheSessionHandlerTest::testReadSession fail, complaining
about missing arguments. This commit solves this issue.

fix php 7.1 related failures

.travis.yml | 10 5 + 5 - 0 !
src/Symfony/Bridge/ProxyManager/Tests/LazyProxy/Fixtures/php/lazy_service_structure.txt | 4 2 + 2 - 0 !
src/Symfony/Component/Console/Helper/Table.php | 2 1 + 1 - 0 !
src/Symfony/Component/DependencyInjection/Tests/CrossCheckTest.php | 2 1 + 1 - 0 !
src/Symfony/Component/Form/Util/OrderedHashMap.php | 2 1 + 1 - 0 !
src/Symfony/Component/HttpKernel/CacheWarmer/CacheWarmer.php | 2 1 + 1 - 0 !
src/Symfony/Component/Validator/Constraints/File.php | 12 7 + 5 - 0 !
7 files changed, 18 insertions(+), 16 deletions(-)

 fix php 7.1 related failures

do not depend on a fixed date in layout

src/Symfony/Component/Form/Tests/AbstractBootstrap3LayoutTest.php | 16 8 + 8 - 0 !
src/Symfony/Component/Form/Tests/AbstractLayoutTest.php | 16 8 + 8 - 0 !
2 files changed, 16 insertions(+), 16 deletions(-)

 do not depend on a fixed date in layout tests

By default, the `DateType` as well as the `DateTimeType` set the choices
being available for the year to a range starting five years in the past.
After some time, this will make tests fail when the year of the fixed
date being used as the initial data is before the first year being part
of the choices.

update ipvalidatortest data set with a v

src/Symfony/Component/Validator/Tests/Constraints/IpValidatorTest.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 update ipvalidatortest data set with a valid reserved ip

The validator uses PHP filter which was recently fixed (see https://bugs.php.net/bug.php?id=72972).

relax 1 test failing with latest php ver

src/Symfony/Component/VarDumper/Tests/Caster/SplCasterTest.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 relax 1 test failing with latest php versions

Related to php bug #52646 which is fixed in 5.6.25RC1, 7.0.10RC1, 7.1.0beta2

vardumper relax tests to adapt for php 7

src/Symfony/Component/VarDumper/Tests/CliDumperTest.php | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 [vardumper] relax tests to adapt for php 7.1rc4

vardumper relax line number for clidumpe

src/Symfony/Component/VarDumper/Tests/CliDumperTest.php | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [vardumper] relax line number for clidumpertest

Security Validate redirect targets using the session cook.patch

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php | 40 40 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/SecurityBundle.php | 3 3 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php | 131 131 + 0 - 0 !
src/Symfony/Component/Security/Http/HttpUtils.php | 9 8 + 1 - 0 !
src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php | 32 32 + 0 - 0 !
5 files changed, 214 insertions(+), 1 deletion(-)

 [security] validate redirect targets using the session cookie domain

[CVE-2017-16652] https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers

Security Namespace generated CSRF tokens depending of the.patch

src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.xml | 1 1 + 0 - 0 !
src/Symfony/Component/Security/Csrf/CsrfTokenManager.php | 58 45 + 13 - 0 !
src/Symfony/Component/Security/Csrf/Tests/CsrfTokenManagerTest.php | 193 126 + 67 - 0 !
3 files changed, 172 insertions(+), 80 deletions(-)

 [security] namespace generated csrf tokens depending of the current
 scheme
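
The patch subject above describes the fix only as namespacing tokens by scheme. The following is an added example, not Symfony's CsrfTokenManager, that shows the idea in working code: the same token id maps to two independent stored values depending on whether the request was served over HTTPS, so a token obtained on the plain-HTTP side does not validate on the HTTPS side. The in-memory storage array, the `https-` prefix and the token format are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's CsrfTokenManager. Tokens issued during an
// HTTPS request are stored under a different key than tokens issued during
// a plain-HTTP request, so a value an on-path attacker obtains by forcing a
// page onto HTTP does not validate against the HTTPS form.
// Assumption: the private $storage array stands in for the session.

final class SchemeNamespacedCsrfTokenManager
{
    /** @var array<string, string> */
    private array $storage = [];

    private function storageKey(string $tokenId, bool $isSecure): string
    {
        // Same token id, two independent namespaces.
        return ($isSecure ? 'https-' : '').$tokenId;
    }

    public function getToken(string $tokenId, bool $isSecure): string
    {
        $key = $this->storageKey($tokenId, $isSecure);
        if (!isset($this->storage[$key])) {
            // 256 bits of CSPRNG output, URL-safe base64 without padding.
            $this->storage[$key] = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
        }

        return $this->storage[$key];
    }

    public function isTokenValid(string $tokenId, string $value, bool $isSecure): bool
    {
        $key = $this->storageKey($tokenId, $isSecure);
        if (!isset($this->storage[$key])) {
            return false;
        }
        // Constant-time comparison: no timing side channel on the stored value.
        return hash_equals($this->storage[$key], $value);
    }
}

// Constructed walk-through: a token handed out on an HTTP page is presented
// first to the HTTP side, then to the HTTPS side of the same application.
$manager = new SchemeNamespacedCsrfTokenManager();
$httpToken = $manager->getToken('authenticate', false);
var_dump($manager->isTokenValid('authenticate', $httpToken, false));
var_dump($manager->isTokenValid('authenticate', $httpToken, true));
// The HTTPS namespace gets its own, unrelated value.
var_dump($manager->getToken('authenticate', true) === $httpToken);
```

The first check succeeds and the other two fail: the HTTPS form never issued that value, so even a perfect copy of the HTTP token is useless against it. A real token manager also needs to clear both namespaces on logout.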

prevent bundle readers from breaking out of paths.patch

src/Symfony/Component/Intl/Data/Bundle/Reader/JsonBundleReader.php | 5 5 + 0 - 0 !
src/Symfony/Component/Intl/Data/Bundle/Reader/PhpBundleReader.php | 5 5 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/Fixtures/invalid_directory/en.json | 1 1 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/Fixtures/invalid_directory/en.php | 14 14 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/JsonBundleReaderTest.php | 8 8 + 0 - 0 !
src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/PhpBundleReaderTest.php | 8 8 + 0 - 0 !
6 files changed, 41 insertions(+)

 prevent bundle readers from breaking out of paths

[CVE-2017-16654] https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
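
The description above says only that readers must not break out of their paths. As an added example (not the Intl component's JsonBundleReader) the reader below applies the two checks a practitioner would want: a syntactic allow-list on the locale string and, after resolving symlinks, a confirmation that the file really sits inside the bundle directory. The temporary directory, the `<locale>.json` layout and the exception types are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's JsonBundleReader. The locale string comes
// from the caller and is turned into a file name, so "../../etc/passwd"
// or an absolute path must never escape the bundle directory.
// Assumption: bundle files live directly under $bundleDir as <locale>.json.

final class ConfinedJsonBundleReader
{
    private string $bundleDir;

    public function __construct(string $bundleDir)
    {
        $real = realpath($bundleDir);
        if (false === $real || !is_dir($real)) {
            throw new InvalidArgumentException(sprintf('Bundle directory "%s" does not exist.', $bundleDir));
        }
        $this->bundleDir = $real;
    }

    public function read(string $locale): array
    {
        // 1. Syntactic check: letters, digits, "_" and "-" only. The /D flag
        //    stops "$" from matching before a trailing newline.
        if (!preg_match('/^[A-Za-z0-9_-]+$/D', $locale)) {
            throw new InvalidArgumentException(sprintf('Invalid locale "%s".', $locale));
        }

        $fileName = $this->bundleDir.DIRECTORY_SEPARATOR.$locale.'.json';

        // 2. Semantic check: after symlink resolution the file must still be
        //    a regular file whose parent is exactly the bundle directory.
        $real = realpath($fileName);
        if (false === $real || !is_file($real) || dirname($real) !== $this->bundleDir) {
            throw new RuntimeException(sprintf('No resource bundle for locale "%s" in "%s".', $locale, $this->bundleDir));
        }

        $data = json_decode((string) file_get_contents($real), true);
        if (null === $data && JSON_ERROR_NONE !== json_last_error()) {
            throw new RuntimeException(sprintf('Invalid JSON in "%s": %s', $real, json_last_error_msg()));
        }

        return (array) $data;
    }
}

// Constructed fixture: one bundle file in a fresh temporary directory.
$dir = sys_get_temp_dir().'/bundle_'.bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir.'/en.json', json_encode(['Names' => ['en' => 'English']]));

$reader = new ConfinedJsonBundleReader($dir);
print_r($reader->read('en'));

foreach (['../en', 'en/../../etc/passwd', '/etc/passwd', "en\n"] as $bad) {
    try {
        $reader->read($bad);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The allow-list alone would already reject every sample above; the `realpath()`/`dirname()` check is the defence that still holds if the allow-list is later relaxed or a symlink is dropped into the bundle directory.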

Form DX FileType multiple fixes.patch

src/Symfony/Component/Form/Extension/Core/Type/FileType.php | 41 36 + 5 - 0 !
src/Symfony/Component/Form/Tests/Extension/Core/Type/FileTypeTest.php | 27 27 + 0 - 0 !
2 files changed, 63 insertions(+), 5 deletions(-)

 [form][dx] filetype "multiple" fixes

ensure that submitted data are uploaded files.patch

UPGRADE-2.7.md | 2 2 + 0 - 0 !
src/Symfony/Component/Form/CHANGELOG.md | 5 5 + 0 - 0 !
src/Symfony/Component/Form/Extension/Core/Type/FileType.php | 31 23 + 8 - 0 !
src/Symfony/Component/Form/Extension/HttpFoundation/HttpFoundationRequestHandler.php | 9 6 + 3 - 0 !
src/Symfony/Component/Form/NativeRequestHandler.php | 21 13 + 8 - 0 !
src/Symfony/Component/Form/RequestHandlerInterface.php | 7 7 + 0 - 0 !
src/Symfony/Component/Form/Tests/AbstractRequestHandlerTest.php | 12 12 + 0 - 0 !
src/Symfony/Component/Form/Tests/Extension/Core/Type/FileTypeTest.php | 132 91 + 41 - 0 !
src/Symfony/Component/Form/Tests/Extension/HttpFoundation/HttpFoundationRequestHandlerTest.php | 5 5 + 0 - 0 !
src/Symfony/Component/Form/Tests/NativeRequestHandlerTest.php | 11 11 + 0 - 0 !
10 files changed, 175 insertions(+), 60 deletions(-)

 ensure that submitted data are uploaded files

[CVE-2017-16790] https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files

Adding session strategy to ALL listeners to avoid any pos.patch

src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php | 15 15 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php | 16 16 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php | 14 14 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php | 16 16 + 0 - 0 !
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php | 7 5 + 2 - 0 !
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategyInterface.php | 7 2 + 5 - 0 !
6 files changed, 68 insertions(+), 7 deletions(-)

 adding session strategy to all listeners to avoid *any* possible
 fixation

[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

Adding session authentication strategy to Guard to avoid .patch

src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 adding session authentication strategy to guard to avoid session
 fixation

[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

HttpFoundation Break infinite loop in PdoSessionHandler w.patch

src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [httpfoundation] break infinite loop in pdosessionhandler when mysql
 is in loose mode

[CVE-2018-11386] https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler

Security Fix logout.patch

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php | 25 13 + 12 - 0 !
src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml | 1 1 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Security/FirewallContext.php | 7 5 + 2 - 0 !
src/Symfony/Bundle/SecurityBundle/Security/FirewallMap.php | 2 1 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php | 1 0 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php | 34 34 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeLogout/bundles.php | 18 18 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeLogout/config.yml | 25 25 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeLogout/routing.yml | 5 5 + 0 - 0 !
src/Symfony/Component/Security/Http/Firewall.php | 13 11 + 2 - 0 !
src/Symfony/Component/Security/Http/FirewallMap.php | 14 5 + 9 - 0 !
11 files changed, 118 insertions(+), 27 deletions(-)

 [security] fix logout

do not mock the session in token storage tests.patch

src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php | 177 25 + 152 - 0 !
1 file changed, 25 insertions(+), 152 deletions(-)

 do not mock the session in token storage tests

clear CSRF tokens when the user is logged out.patch

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterCsrfTokenClearingLogoutHandlerPass.php | 42 42 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/SecurityBundle.php | 2 2 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php | 18 18 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LogoutWithoutSessionInvalidation/bundles.php | 18 18 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LogoutWithoutSessionInvalidation/config.yml | 26 26 + 0 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LogoutWithoutSessionInvalidation/routing.yml | 5 5 + 0 - 0 !
src/Symfony/Component/Security/Csrf/Tests/TokenStorage/NativeSessionTokenStorageTest.php | 28 28 + 0 - 0 !
src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php | 27 27 + 0 - 0 !
src/Symfony/Component/Security/Csrf/TokenStorage/ClearableTokenStorageInterface.php | 23 23 + 0 - 0 !
src/Symfony/Component/Security/Csrf/TokenStorage/NativeSessionTokenStorage.php | 10 9 + 1 - 0 !
src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php | 14 13 + 1 - 0 !
src/Symfony/Component/Security/Http/Logout/CsrfTokenClearingLogoutHandler.php | 35 35 + 0 - 0 !
src/Symfony/Component/Security/Http/Tests/Logout/CsrfTokenClearingLogoutHandlerTest.php | 76 76 + 0 - 0 !
13 files changed, 322 insertions(+), 2 deletions(-)

 clear csrf tokens when the user is logged out

[CVE-2018-11406] https://symfony.com/blog/cve-2018-11406-csrf-token-fixation
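
The two CVE-2018-11385 patches (session strategy on every listener and on Guard) and the CVE-2018-11406 patch (clear CSRF tokens on logout) are two halves of one session lifecycle. The following added example, which is not Symfony's SessionAuthenticationStrategy or CsrfTokenClearingLogoutHandler, shows both halves against a constructed in-memory session object: migrate the id after any successful login, and purge the CSRF namespace on logout even when the session itself is kept. The `FakeSession` class, the `_csrf/` key prefix and the strategy names are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's SessionAuthenticationStrategy or
// CsrfTokenClearingLogoutHandler. FakeSession stands in for the real
// session: an id plus an attribute bag.

final class FakeSession
{
    public string $id;
    /** @var array<string, mixed> */
    public array $attributes = [];

    public function __construct()
    {
        $this->id = bin2hex(random_bytes(16));
    }

    public function migrate(): void
    {
        // Fresh id, same data: an id an attacker planted in the victim's
        // browser before login no longer names the authenticated session.
        $this->id = bin2hex(random_bytes(16));
    }

    public function invalidate(): void
    {
        $this->attributes = [];
        $this->migrate();
    }
}

// Must run after *every* successful authentication, whatever the entry
// point (form login, HTTP Basic/Digest, pre-authenticated headers, Guard).
// Any listener that skips it leaves one fixation path open.
function onSuccessfulLogin(FakeSession $session, string $strategy = 'migrate'): void
{
    switch ($strategy) {
        case 'migrate':
            $session->migrate();
            break;
        case 'invalidate':
            $session->invalidate();
            break;
        case 'none':
            break;
        default:
            throw new InvalidArgumentException('Unknown session strategy: '.$strategy);
    }
}

// Runs on logout. Even when the session is deliberately kept alive
// (logout without session invalidation), every stored CSRF token goes,
// so a token issued to the previous user is worthless to the next one.
function onLogout(FakeSession $session, string $csrfNamespace = '_csrf/'): void
{
    foreach (array_keys($session->attributes) as $key) {
        if (str_starts_with((string) $key, $csrfNamespace)) {
            unset($session->attributes[$key]);
        }
    }
}

// Constructed walk-through.
$session = new FakeSession();
$session->id = 'id-planted-by-attacker';
$session->attributes['_csrf/authenticate'] = 'token-issued-before-login';
$session->attributes['cart'] = ['sku-1'];

onSuccessfulLogin($session);
echo 'session id after login: ', $session->id, PHP_EOL;

onLogout($session);
echo 'attributes kept after logout: ', implode(',', array_keys($session->attributes)), PHP_EOL;
```

After login the printed id is a fresh random value, so whatever cookie the attacker planted no longer refers to an authenticated session; after logout only `cart` survives, because the CSRF entry was removed regardless of whether the session was invalidated. Requires PHP 8 for `str_starts_with()`.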

Ldap cast to string when checking empty passwords.patch

src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php | 2 1 + 1 - 0 !
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php | 17 17 + 0 - 0 !
2 files changed, 18 insertions(+), 1 deletion(-)

 [ldap] cast to string when checking empty passwords

[CVE-2016-2403] https://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
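
The subject line says the fix is a string cast; the following added example (not Symfony's LdapBindAuthenticationProvider) shows why that matters in PHP. Credentials pulled from a token may be `null` or `false` rather than `""`, a strict `'' === $password` comparison lets those through, and an LDAP server that treats an empty-password bind as an anonymous bind then reports success. The sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's LdapBindAuthenticationProvider. The guard
// must refuse before bind() is ever called; the two variants below differ
// only in whether the credential is cast to string first.

function rejectsEmptyPasswordStrict($password): bool
{
    return '' === $password;          // only the empty string itself is caught
}

function rejectsEmptyPasswordCast($password): bool
{
    // null and false both cast to "", so they are rejected as well.
    // Non-scalar credentials (arrays) need a separate type check before this.
    return !is_scalar($password) || '' === (string) $password;
}

// Constructed credential values as they may come out of a token.
$samples = [
    'empty'  => '',
    'null'   => null,
    'false'  => false,
    'zero'   => '0',      // a real, non-empty password
    'secret' => 's3cret',
];

foreach ($samples as $label => $password) {
    printf("%-7s strict=%s  cast=%s\n", $label,
        rejectsEmptyPasswordStrict($password) ? 'reject' : 'bind  ',
        rejectsEmptyPasswordCast($password) ? 'reject' : 'bind  ');
}
```

The `null` and `false` rows are the ones that differ: the strict variant would forward them to the directory as an empty bind, the cast variant stops them. Note that `'0'` is correctly treated as a password by both, since `(string) '0'` is not the empty string.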

SecurityBundle Fail if security.http_utils cannot be conf.patch

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php | 3 2 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/SecurityBundle.php | 2 1 + 1 - 0 !
src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php | 13 13 + 0 - 0 !
3 files changed, 16 insertions(+), 2 deletions(-)

 [securitybundle] fail if security.http_utils cannot be configured

[CVE-2018-11408] https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers

HttpFoundation Remove support for legacy and risky HTTP h.patch

src/Symfony/Component/HttpFoundation/CHANGELOG.md | 6 6 + 0 - 0 !
src/Symfony/Component/HttpFoundation/Request.php | 13 1 + 12 - 0 !
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php | 44 0 + 44 - 0 !
3 files changed, 7 insertions(+), 56 deletions(-)

 [httpfoundation] remove support for legacy and risky http headers

[CVE-2018-14773] https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
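
The patch subject only names the headers as legacy and risky. The following added example (not Symfony's Request::prepareRequestUri()) shows the hardened resolution: the request URI is derived solely from server variables the web server sets, and the client-supplied `X-Original-URL` / `X-Rewrite-URL` headers (honoured by some IIS rewrite modules) are ignored, because otherwise a client could have the front server apply its access rules to one path while the application routes and logs another. The `$server` array is a constructed stand-in for `$_SERVER`.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's Request::prepareRequestUri(). Only
// REQUEST_URI (or the CGI-style ORIG_PATH_INFO fallback) is consulted;
// HTTP_X_ORIGINAL_URL and HTTP_X_REWRITE_URL are client-controlled and
// deliberately never read. Assumes PHP 8 for str_starts_with().

function requestUriFrom(array $server): string
{
    if (isset($server['REQUEST_URI']) && is_string($server['REQUEST_URI'])) {
        $uri = $server['REQUEST_URI'];
        // Some servers put an absolute URI here; keep only path and query.
        if (str_starts_with($uri, 'http://') || str_starts_with($uri, 'https://')) {
            $parts = parse_url($uri);
            $uri = ($parts['path'] ?? '/').(isset($parts['query']) ? '?'.$parts['query'] : '');
        }

        return $uri;
    }

    // IIS 5.x / CGI fallback.
    if (isset($server['ORIG_PATH_INFO']) && is_string($server['ORIG_PATH_INFO'])) {
        $query = isset($server['QUERY_STRING']) && '' !== $server['QUERY_STRING'] ? '?'.$server['QUERY_STRING'] : '';

        return $server['ORIG_PATH_INFO'].$query;
    }

    return '/';
}

// Constructed request: the browser asks for /admin through the override
// headers while the front server saw and authorised /public.
$server = [
    'REQUEST_METHOD'      => 'GET',
    'REQUEST_URI'         => '/public?x=1',
    'HTTP_X_ORIGINAL_URL' => '/admin',
    'HTTP_X_REWRITE_URL'  => '/admin',
];
echo requestUriFrom($server), PHP_EOL;

// Absolute-form request target, as some servers pass it through.
echo requestUriFrom(['REQUEST_URI' => 'https://www.example.com/public?x=1']), PHP_EOL;
```

Both calls yield `/public?x=1`. If a deployment genuinely needs rewrite-header support, that translation belongs in the front server's configuration, where the header can be set from a trusted source and stripped from client requests, not in application code that trusts whatever arrives.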

Form Filter file uploads out of regular form types.patch

src/Symfony/Component/Form/Extension/Core/Type/FileType.php | 1 1 + 0 - 0 !
src/Symfony/Component/Form/Extension/Core/Type/FormType.php | 1 1 + 0 - 0 !
src/Symfony/Component/Form/Form.php | 9 9 + 0 - 0 !
src/Symfony/Component/Form/Tests/CompoundFormTest.php | 17 16 + 1 - 0 !
4 files changed, 27 insertions(+), 1 deletion(-)

 [form] filter file uploads out of regular form types

[CVE-2018-19789] https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path
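
The CVE-2017-16790 patch (ensure that submitted data are uploaded files) and the CVE-2018-19789 patch above are two rules on the same boundary, and the following added example (not Symfony's NativeRequestHandler or FileType) shows both in one place: a file field accepts only data shaped like a PHP upload entry, and a non-file field never accepts such data, so an upload submitted under a text field's name cannot have its `tmp_name` (a server path) surface in a validation message. `$post` and `$files` are constructed stand-ins for `$_POST` and `$_FILES`; the field-type names and the merge step are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's NativeRequestHandler or FileType.

const UPLOAD_KEYS = ['name', 'type', 'tmp_name', 'error', 'size'];

function isUploadEntry($data): bool
{
    // PHP 8.1 adds "full_path"; require the classic keys, allow extras.
    return is_array($data)
        && [] === array_diff(UPLOAD_KEYS, array_keys($data))
        && is_int($data['error']);
}

/**
 * Returns the value the field will receive, or null when the submitted
 * data is not acceptable for that kind of field.
 */
function bindField(string $fieldType, $submitted)
{
    if ('file' === $fieldType) {
        if (!isUploadEntry($submitted) || UPLOAD_ERR_NO_FILE === $submitted['error']) {
            return null;   // strings, nested arrays, "no file": nothing to bind
        }
        // A real handler would wrap this in an UploadedFile and, on move,
        // rely on is_uploaded_file() to prove that PHP created tmp_name.
        return $submitted;
    }

    // Regular fields: drop upload entries before any validation runs, so
    // tmp_name never reaches a validator or an error message.
    return isUploadEntry($submitted) ? null : $submitted;
}

function bindForm(array $fieldTypes, array $post, array $files): array
{
    // Request handlers merge uploads into the submitted data; the filtering
    // in bindField() is what keeps an upload out of a field that did not ask for one.
    $data = array_replace_recursive($post, $files);
    $bound = [];
    foreach ($fieldTypes as $name => $type) {
        $bound[$name] = bindField($type, $data[$name] ?? null);
    }

    return $bound;
}

// Constructed submission: a legitimate avatar upload, a normal text field,
// and a file deliberately uploaded under the name of the "bio" text field.
$fieldTypes = ['avatar' => 'file', 'title' => 'text', 'bio' => 'textarea'];
$post  = ['title' => 'hello'];
$files = [
    'avatar' => ['name' => 'me.png', 'type' => 'image/png', 'tmp_name' => '/tmp/phpAbC123', 'error' => UPLOAD_ERR_OK, 'size' => 1024],
    'bio'    => ['name' => 'x.txt',  'type' => 'text/plain', 'tmp_name' => '/tmp/phpXyZ789', 'error' => UPLOAD_ERR_OK, 'size' => 1],
];

var_export(bindForm($fieldTypes, $post, $files));
echo PHP_EOL;
```

In the output `avatar` keeps its upload entry, `title` keeps its string, and `bio` is `NULL`: the crafted upload was discarded before any validator could complain about it and quote `/tmp/phpXyZ789` back to the client.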

Security Http detect bad redirect targets using backslash.patch

src/Symfony/Component/Security/Http/HttpUtils.php | 2 1 + 1 - 0 !
src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php | 18 16 + 2 - 0 !
2 files changed, 17 insertions(+), 3 deletions(-)

 [security\http] detect bad redirect targets using backslashes

[CVE-2018-19790] https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http
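
The CVE-2017-16652 patch earlier in this series (validate redirect targets using the session cookie domain) and the CVE-2018-19790 patch above address the same check: where a post-login or post-logout redirect may go. The following added example, which is not Symfony's HttpUtils, shows one way to implement it: backslashes are normalised to slashes first, because browsers treat `\` like `/` in the scheme and authority part while `parse_url()` would report `/\evil.example` as a harmless path; then any target that carries a host is compared against the current host and the configured session cookie domain. Everything else falls back to `/`. The host names, the cookie domain and the PHP 8 string helpers are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's HttpUtils. Decides whether a login/logout
// redirect target may be followed or must fall back to "/".
// Assumptions: PHP 8 (str_starts_with/str_ends_with); $cookieDomain is the
// configured session cookie domain (e.g. ".example.com"), "" meaning
// "current host only".

function normalizeRedirectTarget(string $target): string
{
    // Browsers treat "\" like "/" in the scheme/authority part, so
    // "/\evil.example" and "https:\\evil.example" are cross-host URLs even
    // though parse_url() would see a harmless path. Normalise first.
    return str_replace('\\', '/', trim($target));
}

function isAllowedHost(string $host, string $currentHost, string $cookieDomain): bool
{
    $host = strtolower($host);
    if ($host === strtolower($currentHost)) {
        return true;
    }
    if ('' === $cookieDomain) {
        return false;
    }
    // ".example.com" covers example.com and every subdomain of it.
    $domain = strtolower(ltrim($cookieDomain, '.'));

    return $host === $domain || str_ends_with($host, '.'.$domain);
}

function safeRedirectTarget(string $target, string $currentHost, string $cookieDomain): string
{
    $target = normalizeRedirectTarget($target);
    if ('' === $target) {
        return '/';
    }
    // Absolute path on the current host. "//host/..." is not a path but a
    // scheme-relative URL, so it falls through to the host check below.
    if ('/' === $target[0] && !str_starts_with($target, '//')) {
        return $target;
    }

    $parts = parse_url($target);
    if (false === $parts || !isset($parts['host'])) {
        return '/';   // unparseable, relative, or host-less such as "javascript:..."
    }
    $scheme = strtolower($parts['scheme'] ?? 'http');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '/';
    }

    return isAllowedHost($parts['host'], $currentHost, $cookieDomain) ? $target : '/';
}

// Constructed targets, checked for a request on www.example.com with
// session cookie domain ".example.com".
foreach ([
    '/account',
    'https://www.example.com/account',
    'https://app.example.com/account',
    'https://evil.example/phish',
    '//evil.example/phish',
    '/\\evil.example/phish',
    'https:\\\\evil.example/phish',
    'https://www.example.com@evil.example/',
    'javascript:alert(1)',
] as $target) {
    printf("%-40s -> %s\n", $target, safeRedirectTarget($target, 'www.example.com', '.example.com'));
}
```

The first three targets are returned unchanged; every other one collapses to `/`. The example accepts only absolute paths and `http(s)` URLs; a framework that also allows route names as targets has to resolve those before running this check, not after.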

security cve 2019 10909 FrameworkBundle Form Fix XSS issu.patch

src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php | 2 1 + 1 - 0 !
src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php | 2 1 + 1 - 0 !
src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php | 4 2 + 2 - 0 !
3 files changed, 4 insertions(+), 4 deletions(-)

 security #cve-2019-10909 [frameworkbundle][form] fix xss issues in
 the form theme of the PHP templating engine (stof)

This PR was merged into the 2.8 branch.

Discussion

security cve 2019 10910 DI Check service IDs are valid ni.patch

src/Symfony/Bridge/ProxyManager/LazyProxy/PhpDumper/ProxyDumper.php | 8 5 + 3 - 0 !
src/Symfony/Component/DependencyInjection/ContainerBuilder.php | 8 8 + 0 - 0 !
src/Symfony/Component/DependencyInjection/Dumper/PhpDumper.php | 27 17 + 10 - 0 !
src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php | 32 32 + 0 - 0 !
4 files changed, 62 insertions(+), 13 deletions(-)

 security #cve-2019-10910 [di] check service ids are valid
 (nicolas-grekas)

This PR was merged into the 2.8 branch.

Discussion

security cve 2019 10911 Security Add a separator in the r.patch

src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 security #cve-2019-10911 [security] add a separator in the remember
 me cookie hash (pborreli)

This PR was merged into the 2.8 branch.

Discussion
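
The one-line change above adds a delimiter between the fields that go into the remember-me hash. The following added example (not Symfony's TokenBasedRememberMeServices) shows the problem the delimiter solves: without it, two different (username, expiry) pairs can concatenate to the same byte string and therefore share an HMAC. The secret, class name, usernames and password hashes are constructed for the example, and the collision requires both accounts to have the same password hash, which is the precondition the example sets up deliberately.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's TokenBasedRememberMeServices. The cookie
// carries class, username, expiry and an HMAC over those fields plus the
// stored password hash; only the HMAC construction is shown.

const SECRET = 'constructed-app-secret';

function hashWithoutSeparator(string $class, string $username, string $expires, string $password): string
{
    // Fields are simply concatenated: field boundaries are lost.
    return hash_hmac('sha256', $class.$username.$expires.$password, SECRET);
}

function hashWithSeparator(string $class, string $username, string $expires, string $password): string
{
    // A delimiter that cannot appear in the username/expiry keeps the
    // boundaries, so shifting characters between fields changes the input.
    return hash_hmac('sha256', $class.':'.$username.':'.$expires.':'.$password, SECRET);
}

// Two different (username, expires) pairs whose plain concatenation is identical:
//   "alice1" . "2000000000"  ===  "alice" . "12000000000"
$a = ['App\\Entity\\User', 'alice1', '2000000000',  'same-password-hash'];
$b = ['App\\Entity\\User', 'alice',  '12000000000', 'same-password-hash'];

$collide  = hashWithoutSeparator(...$a) === hashWithoutSeparator(...$b);
$distinct = hashWithSeparator(...$a) !== hashWithSeparator(...$b);

echo 'without separator, both cookies carry the same hash: ', var_export($collide, true), PHP_EOL;
echo 'with separator, the hashes differ:                   ', var_export($distinct, true), PHP_EOL;
```

Both lines print `true`. Without the delimiter, a remember-me cookie issued to `alice1` with expiry `2000000000` carries a hash that also verifies for `alice` with expiry `12000000000` (as long as the password hashes match); with the delimiter, each field is pinned in place and the cookie only verifies for the user it was issued to. The same "never concatenate variable-length fields into a MAC without framing" rule applies to any signed token format.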

security cve 2019 10912 PHPUnit Bridge Prevent destructor.patch

src/Symfony/Bridge/PhpUnit/SymfonyTestsListener.php | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 security #cve-2019-10912 [phpunit bridge] prevent destructors with
 side-effects from being unserialized (nicolas-grekas)

This PR was merged into the 2.8 branch.

Discussion

HttpFoundation fixed using _method parameter with invalid.patch

src/Symfony/Component/HttpFoundation/Request.php | 5 4 + 1 - 0 !
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php | 5 5 + 0 - 0 !
2 files changed, 9 insertions(+), 1 deletion(-)

 [httpfoundation] fixed using _method parameter with invalid type

security cve 2019 10913 HttpFoundation reject invalid met.patch

src/Symfony/Component/HttpFoundation/Request.php | 43 29 + 14 - 0 !
1 file changed, 29 insertions(+), 14 deletions(-)

 security #cve-2019-10913 [httpfoundation] reject invalid method
 override (nicolas-grekas)

This PR was merged into the 2.8 branch.

Discussion
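
The "_method parameter with invalid type" patch and the CVE-2019-10913 patch above both tighten how an HTTP method override is accepted. The following added example (not Symfony's Request::getMethod()) shows the combined rules: only a POST can be overridden, the override must be a string (an array from `_method[]=` is ignored), it is upper-cased, and anything that is not a known verb must at least be a pure letter token so that no control characters can be smuggled into routing, logging or a response. The verb list, the opt-in flag for the form field and the sample requests are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's Request::getMethod(). $server and $post are
// stand-ins for $_SERVER and $_POST.

const KNOWN_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'];

function resolveMethod(array $server, array $post, bool $overrideEnabled): string
{
    $method = strtoupper((string) ($server['REQUEST_METHOD'] ?? 'GET'));
    if ('POST' !== $method) {
        return $method;                       // only POST can be overridden
    }

    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? null;
    if (null === $override && $overrideEnabled) {
        $override = $post['_method'] ?? null; // form-field fallback, opt-in only
    }
    if (!is_string($override)) {
        return $method;                       // missing, or an array: ignore
    }

    $override = strtoupper($override);
    if (in_array($override, KNOWN_METHODS, true)) {
        return $override;
    }
    // Unknown verb: accept only an all-letter token. The /D flag keeps "$"
    // from matching before a trailing newline, so "PUT\n" is rejected too.
    return preg_match('/^[A-Z]++$/D', $override) ? $override : $method;
}

// Constructed requests: [server vars, post vars, form-field override enabled?]
$cases = [
    [['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'delete'], [], false],
    [['REQUEST_METHOD' => 'POST'], ['_method' => 'PATCH'], true],
    [['REQUEST_METHOD' => 'POST'], ['_method' => 'PATCH'], false],
    [['REQUEST_METHOD' => 'POST'], ['_method' => ['PATCH']], true],
    [['REQUEST_METHOD' => 'GET',  'HTTP_X_HTTP_METHOD_OVERRIDE' => 'DELETE'], [], true],
    [['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => "PUT\r\nX-Injected: 1"], [], false],
    [['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => "put\n"], [], false],
];
foreach ($cases as [$server, $post, $enabled]) {
    echo resolveMethod($server, $post, $enabled), PHP_EOL;
}
```

The output is `DELETE`, `PATCH`, `POST`, `POST`, `GET`, `POST`, `POST`: the header override and the enabled form field are honoured, while the disabled form field, the array value, the non-POST request and the two values containing line breaks all leave the real method in force.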