23 Apr 2019

Symfony Blog

New in Symfony 4.3: URL Helper

Contributed by Valentin Udaltsov in #30862.

Generating absolute (and relative) URLs for a given path is a common need in lots of applications. In Twig templates this is trivial thanks to the absolute_url() and relative_path() functions (don't mistake them for the path() and url() functions that generate URLs using route names).

In Symfony 4.3 we've extracted the internal logic used by the Twig functions into a new class called Symfony\Component\HttpFoundation\UrlHelper that you can inject as a service anywhere in your application. This class provides two public methods called getAbsoluteUrl() and getRelativePath().

use Symfony\Component\HttpFoundation\UrlHelper;

class UserApiNormalizer
{
    private $urlHelper;

    public function __construct(UrlHelper $urlHelper)
    {
        $this->urlHelper = $urlHelper;
    }

    public function normalize($user, $format = null, array $context = [])
    {
        return [
            'avatar' => $this->urlHelper->getAbsoluteUrl($user->avatar()->path()),
            // ...
        ];
    }

    // ...
}


23 Apr 2019 10:38am GMT

21 Apr 2019

Symfony Blog

A Week of Symfony #642 (15-21 April 2019)

This week, Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7 versions were released to address some security issues. Meanwhile, the upcoming Symfony 4.3 version added a native password hasher which chooses the best hashing algorithm automatically.

Symfony development highlights

This week, 44 pull requests were merged (33 in code and 11 in docs) and 52 issues were closed (40 in code and 12 in docs). Excluding merges, 24 authors made 6,899 additions and 1,910 deletions. See details for code and docs.

3.4 changelog:

4.2 changelog:

Master changelog:

Newest issues and pull requests

They talked about us

Upcoming Symfony Events

Call to Action



21 Apr 2019 9:07am GMT

17 Apr 2019

Symfony Blog

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

Affected versions

Symfony 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Cache component are affected by this security issue.

The issue has been fixed in Symfony 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore and that 2.7 is unaffected.

Description

When unserialize() is called with content coming from user input, malicious payloads could be used to trigger file deletions or raw output being echoed.

Resolution

We now prevent some classes from being serialized or unserialized.

The patch for this issue is available here for branch 3.4.
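
The kind of guard the resolution describes, shown as an added illustration that is not the Symfony patch or code from the original post. TempFile is a hypothetical class whose destructor deletes a file, and the serialized input is constructed for the demo.

```php
<?php
// Added illustration; TempFile is a hypothetical class, not Symfony code.
final class TempFile
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Guard: refuse to be serialized, so instances never end up in stored data.
    public function __sleep()
    {
        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
    }

    // Guard: refuse to be rebuilt from serialized data. PHP does not run the
    // destructor of an object whose __wakeup() threw during unserialize().
    public function __wakeup()
    {
        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
    }

    // Side effect that must only run for objects created by our own code.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Constructed sample input: a file we own and a serialized TempFile naming it.
$file = tempnam(sys_get_temp_dir(), 'demo');
$input = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($file), $file);

try {
    unserialize($input);
} catch (\BadMethodCallException $e) {
    echo $e->getMessage(), "\n";
}
var_dump(is_file($file)); // did the destructor's side effect run?

// Caller-side defence: never instantiate classes from untrusted input.
$value = unserialize($input, ['allowed_classes' => false]);
var_dump($value instanceof \__PHP_Incomplete_Class);
unlink($file); // clean up the demo file ourselves
```

The class-level guard protects code paths you do not control; the `allowed_classes` option is the one to use wherever your own code calls unserialize() on data it did not produce.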

Credits

I would like to thank Mindaugas Vedegys for reporting the issue and Nicolas Grekas for fixing the issue.



17 Apr 2019 4:22pm GMT