fidzu : symfony

Contributed by
Valentin Udaltsov
in #30862.

Generating absolute (and relative) URLs for a given path is a common need in lots of applications. In Twig templates this is trivial thanks to the absolute_url() and relative_path() functions (don't mistake them for the path() and url() functions that generate URLs using route names).

In Symfony 4.3 we've extracted the internal logic used by the Twig functions into a new class called Symfony\Component\HttpFoundation\UrlHelper that you can inject as a service anywhere in your application. This class provides two public methods called getAbsoluteUrl() and getRelativePath().

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

use Symfony\Component\HttpFoundation\UrlHelper;

class UserApiNormalizer
{
    private $urlHelper;

    public function __construct(UrlHelper $urlHelper)
    {
        $this->urlHelper = $urlHelper;
    }

    public function normalize($user, $format = null, array $context = [])
    {
        return [
            'avatar' => $this->urlHelper->getAbsoluteUrl($user->avatar()->path()),
            // ...
        ];
    }

    // ...
}

23 Apr 2019 10:38am GMT

This week, Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7 versions were released to address some security issues. Meanwhile, the upcoming Symfony 4.3 version added a native password hasher which chooses the best hashing algorithm automatically.

Symfony development highlights

This week, 44 pull requests were merged (33 in code and 11 in docs) and 52 issues were closed (40 in code and 12 in docs). Excluding merges, 24 authors made 6,899 additions and 1,910 deletions. See details for code and docs.

3.4 changelog:

• 81d11c3: [Form] workaround for \DateInterval::createFromDateString
• 84ee311: [HttpFoundation] reject invalid method override
• 0a4ed67: [Security] added a separator in the remember me cookie hash
• d77e445: [Cache, PHPUnit Bridge] prevent destructors with side-effects from being unserialized
• 4585a41: [FrameworkBundle, Form] fixed XSS issues in the form theme of the PHP templating engine
• 47cd029: [DependencyInjection] check service IDs are valid
• 1311324: [HttpFoundation] made MimeTypeExtensionGuesser case insensitive
• f458e5b: [Validator] updated the Tagalog translation

4.2 changelog:

• c009e60: [HttpKernel] fixed get session when the request stack is empty
• 74a18bc: [FrameworkBundle] decorated the ValidatorBuilder's translator with LegacyTranslatorProxy
• 2d2ff38: [Routing] fixed trailing slash redirection with non-greedy trailing vars
• cc497a5: [FrameworkBundle] called method with Translator component only
• 243b257: [Routing] fixed matching trailing vars with defaults

Master changelog:

• 238f844: [Serializer] use name converter when normalizing constraint violation list
• e683dfa: [Messenger] removed base64_encode & used addslashes
• 7cf96a4: [Form] show all option normalizers on debug:form command
• a59fe66: [VarDumper] added caster for WeakReference instances of PHP 7.4
• 89ec311: [Security] added NativePasswordEncoder
• d9bcfc3: [PhpUnit Bridge] treat undefined env var as strict mode
• 823d375: [Security] deprecated BCryptPasswordEncoder in favor of NativePasswordEncoder

Newest issues and pull requests

• Built-in password hash migrations
• Split the logic of Response::isNotModified()
• Use ReflectionReference in VarCloner to prepare for PHP 7.4
• [DI] Give services defined by hands higher priority than wildcard defined ones
• [Messenger] Remove StackInterface

They talked about us

• Introducing the league/flysystem-bundle
• Continuously Build, Test, and Deploy with Symfony on Google Cloud
• EU Fossa-2 Hackathons - Co-creating the Future of Open Source
• Symfony 4 upload images using EasyAdmin
• Symfony4 Kubernetes Local Development Environment #3 Ksync
• Why many people are going to migrate from Magento 1 to Sylius?
• Fixtures, the right gestures
• How I integrated myFMApiLibrary for PHP with Symfony 3.4
• Implement a 'Read in your language' link with Symfony
• Symfony 4.2 is used Twice More than Symfony 3.4
• How to start build reusable Symfony Bundle
• Cómo filtrar por un campo en una aplicación Symfony dependiendo del usuario conectado
• Nuevo en Symfony 4.3: Mejoras en los formularios
• Se publican las actualizaciones de seguridad 2.7.51, 2.8.50, 3.4.26, 4.1.12 y 4.2.7
• Nuevo en Symfony 4.3: Declaradas obsoletas las clases Role y SwitchUserRole
• Nouveau bundle LexikCronFileGeneratorBundle
• Implémenter un lien 'Lire dans votre langue' avec Symfony
• Acesso mais Simples aos Dados do Componente Intl no Symfony 4.3

Upcoming Symfony Events

• Monolith turned API Gateway and Static Code Analysis: Berlin, Germany (April 24)
• Symfony User Group Osnabrück: Osnabrück, Germany (May 9)
• 8. PHP Symfony User Group Basel: Basel, Switzerland (May 16)
• Symfony Meetup III / 2019: Frankfurt, Germany (May 28)
• Etwas mit FormTypes, AWS und der Unsplash-API: Hamburg, Germany (June 4)

Call to Action

• Give Symfony a star on GitHub
• Follow Symfony on Twitter and retweet this article.
• Follow Symfony on Medium and clap for this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

21 Apr 2019 9:07am GMT

Affected versions

Symfony 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Cache component are affected by this security issue.

The issue has been fixed in Symfony 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore and that 2.7 is unaffected.

Description

When unserialize() is called with content coming from user input, malicious payloads could be used to trigger file deletions or raw output being echoed.

Resolution

We now prevent some classes from being serialized or unserialized.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Mindaugas Vedegys for reporting the issue and Nicolas Grekas for fixing the issue.

17 Apr 2019 4:22pm GMT