From 3a0bd9d59ea52af4091def50caa5781740b6d120 Mon Sep 17 00:00:00 2001 From: Mohammed Rhamnia Date: Mon, 17 Aug 2015 19:03:42 +0100 Subject: [PATCH 01/16] Add a caution about logout when using http-basic authenticated firewall --- book/security.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/book/security.rst b/book/security.rst index 1d1259d5e90..c177f540cde 100644 --- a/book/security.rst +++ b/book/security.rst @@ -1133,6 +1133,13 @@ is defined by the ``target`` parameter above (e.g. the ``homepage``). :class:`Symfony\\Component\\Security\\Http\\Logout\\LogoutSuccessHandlerInterface`. See :doc:`Security Configuration Reference `. +.. caution:: + + Notice that when using http-basic authenticated firewall there is no real + way to log out : the only way to 'logout' is to have the browser stop sending your name and password + on every request. Clearing your browser cache, restarting your browser usually helps, and some web developer + tools might be helpful here. + .. _`security-encoding-password`: Dynamically Encoding a Password From dc62504946c8239975491d8c2b2a2d196129febf Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Mon, 1 Feb 2016 17:44:34 +0100 Subject: [PATCH 02/16] Added a caution about failing cache warmers --- reference/dic_tags.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/reference/dic_tags.rst b/reference/dic_tags.rst index 62c674ba719..854758178c6 100644 --- a/reference/dic_tags.rst +++ b/reference/dic_tags.rst @@ -456,6 +456,13 @@ tag: The ``priority`` value is optional and defaults to 0. The higher the priority, the sooner it gets executed. +.. caution:: + + If your cache warmer fails its execution because of any exception, Symfony + won't try to execute it again for the next requests. Therefore, your + application and/or bundles should be prepared for when the contents + generated by the cache warmer are not available. + Core Cache Warmers ~~~~~~~~~~~~~~~~~~ 
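Review bot: the caution in the ``book/security.rst`` hunk should state the actual limitation rather than "there is no real way to log out": with an HTTP Basic firewall the credentials are cached by the browser and resent on every request, so nothing the server does on a ``logout`` path can clear them; only the browser can stop sending them. Also remove the space before the colon in "log out :" and add the article in "when using http-basic authenticated firewall" (for example "when using an HTTP Basic authenticated firewall, there is no real way to log out: the only way ...").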
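Review bot: the ``reference/dic_tags.rst`` caution tells readers that a warmer that throws is not retried on later requests but not how they would notice, so the reader has no check to perform; one sentence pointing to where the exception surfaces (the log in the environment the warmup ran in) would make the advice actionable. "fails its execution because of any exception" can be shortened to "throws an exception", and "and/or" to "or".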
From 51659f17b9b06d80ca7f44655438d6cdd986068b Mon Sep 17 00:00:00 2001 From: Mohammed Rhamnia Date: Mon, 10 Aug 2015 12:27:13 +0100 Subject: [PATCH 03/16] internal web server ran with dev environment by default --- book/page_creation.rst | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/book/page_creation.rst b/book/page_creation.rst index 4a762d61478..0a9fdc0c1a8 100644 --- a/book/page_creation.rst +++ b/book/page_creation.rst @@ -59,7 +59,7 @@ a method inside of it that will be executed when someone goes to ``/lucky/number Before diving into this, test it out! - http://localhost:8000/app_dev.php/lucky/number + http://localhost:8000/lucky/number .. tip:: @@ -86,9 +86,15 @@ return a Symfony :ref:`Response ` object Symfony through a file - ``web/app_dev.php`` - that boots it in the ``dev`` environment. This enables great debugging tools and rebuilds cached files automatically. For production, you'll use clean URLs - like - ``http://localhost:8000/lucky/number`` - that execute a different file - - ``app.php`` - that's optimized for speed. To learn more about this and - environments, see :ref:`book-page-creation-prod-cache-clear`. + ``http://symfony.dev/lucky/number`` - that execute a different file - + ``app.php`` - that's optimized for speed. + + When you visit the ``http://localhost:8000`` URL in your browser, you're + executing your Symfony application in the ``dev`` environment. To visit + your application in the ``prod`` environment, visit the ``http://localhost:8000/app.php`` + URL instead. + + To learn more about this and environments, see :ref:`book-page-creation-prod-cache-clear`. Creating a JSON Response ~~~~~~~~~~~~~~~~~~~~~~~~ From 6dfeb9a81223d5425fcabd8ec7c073dee8b78430 Mon Sep 17 00:00:00 2001 
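Review bot: in the ``book/page_creation.rst`` sidebar hunk the title "What's the ``app_dev.php`` in the URL?" no longer matches the test URL above it, which this same patch changes to ``http://localhost:8000/lucky/number`` without ``app_dev.php``. The new paragraph also mixes two hostnames for the production example (``http://symfony.dev/lucky/number`` and ``http://localhost:8000/app.php``); pick one so the dev/prod contrast is clear, or drop the sidebar and explain the front controllers where ``app_dev.php`` is actually shown.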
From: WouterJ Date: Sat, 6 Feb 2016 23:29:30 +0100 Subject: [PATCH 04/16] Remove app_dev.php as buildin server is used --- book/configuration.rst | 14 ++++++++++---- book/page_creation.rst | 25 +++++-------------------- 2 files changed, 15 insertions(+), 24 deletions(-) diff --git a/book/configuration.rst b/book/configuration.rst index 2574096f4d6..6562832ef09 100644 --- a/book/configuration.rst +++ b/book/configuration.rst @@ -87,8 +87,8 @@ format you prefer: .. note:: - You'll learn exactly how to load each file/format in the next section - `Environments`_. + You'll learn exactly how to load each file/format in the next section + `Environments`_. Each top-level entry like ``framework`` or ``twig`` defines the configuration for a particular bundle. For example, the ``framework`` key defines the configuration @@ -122,13 +122,13 @@ FrameworkBundle configuration: .. code-block:: bash - $ app/console config:dump-reference FrameworkBundle + $ php app/console config:dump-reference FrameworkBundle The extension alias (configuration key) can also be used: .. code-block:: bash - $ app/console config:dump-reference framework + $ php app/console config:dump-reference framework .. note:: @@ -195,6 +195,12 @@ cached files and allow them to rebuild: be accessed directly through the browser. See the :doc:`testing chapter ` for more details. +.. tip:: + + When using the ``server:run`` command to start a server, + ``http://localhost:8000/`` will use the dev front controller of your + application. + .. index:: single: Environments; Configuration diff --git a/book/page_creation.rst b/book/page_creation.rst index 0a9fdc0c1a8..903d1c1fad5 100644 --- a/book/page_creation.rst +++ b/book/page_creation.rst 
@@ -63,7 +63,8 @@ Before diving into this, test it out! .. tip:: - If you setup a proper virtual host in :doc:`Apache or Nginx `, + If you setup a proper virtual host in + :doc:`Apache or Nginx `, replace ``http://localhost:8000`` with your host name - like ``http://symfony.dev/app_dev.php/lucky/number``. @@ -80,22 +81,6 @@ and is where you build the page. The only rule is that a controller *must* return a Symfony :ref:`Response ` object (and you'll even learn to bend this rule eventually). -.. sidebar:: What's the ``app_dev.php`` in the URL? - - Great question! By including ``app_dev.php`` in the URL, you're executing - Symfony through a file - ``web/app_dev.php`` - that boots it in the ``dev`` - environment. This enables great debugging tools and rebuilds cached - files automatically. For production, you'll use clean URLs - like - ``http://symfony.dev/lucky/number`` - that execute a different file - - ``app.php`` - that's optimized for speed. - - When you visit the ``http://localhost:8000`` URL in your browser, you're - executing your Symfony application in the ``dev`` environment. To visit - your application in the ``prod`` environment, visit the ``http://localhost:8000/app.php`` - URL instead. - - To learn more about this and environments, see :ref:`book-page-creation-prod-cache-clear`. - Creating a JSON Response ~~~~~~~~~~~~~~~~~~~~~~~~ @@ -132,7 +117,7 @@ Just add a second method to ``LuckyController``:: Try this out in your browser: - http://localhost:8000/app_dev.php/api/lucky/number + http://localhost:8000/api/lucky/number You can even shorten this with the handy :class:`Symfony\\Component\\HttpFoundation\\JsonResponse`:: 
@@ -253,7 +238,7 @@ The best part is that you can access this value and use it in your controller:: Try it by going to ``/lucky/number/XX`` - replacing XX with *any* number: - http://localhost:8000/app_dev.php/lucky/number/7 + http://localhost:8000/lucky/number/7 You should see *7* lucky numbers printed out! You can get the value of any ``{placeholder}`` in your route by adding a ``$placeholder`` argument to @@ -410,7 +395,7 @@ to put the content into the middle of the ``base.html.twig`` layout. Refresh to see your template in action! - http://localhost:8000/app_dev.php/lucky/number/9 + http://localhost:8000/lucky/number/9 If you view the source code, you now have a basic HTML structure thanks to ``base.html.twig``. From 75142a50689312cba5e70fc0ea2e8a937c4d214d Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Sun, 7 Feb 2016 10:42:32 +0100 Subject: [PATCH 05/16] [#6224] some tweaks --- cookbook/controller/error_pages.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cookbook/controller/error_pages.rst b/cookbook/controller/error_pages.rst index fed6f2970c3..eeb20da4afe 100644 --- a/cookbook/controller/error_pages.rst +++ b/cookbook/controller/error_pages.rst @@ -233,7 +233,7 @@ In that case, you might want to override one or both of the ``showAction()`` and # app/config/services.yml services: app.exception_controller: - class: AppBundle\CustomExceptionController + class: AppBundle\Controller\CustomExceptionController arguments: ['@twig', '%kernel.debug%'] .. code-block:: xml @@ -264,6 +264,7 @@ In that case, you might want to override one or both of the ``showAction()`` and new Reference('twig'), '%kernel.debug%' )); + $container->setDefinition('app.exception_controller', $definition); And then configure ``twig.exception_controller`` using the controller as services syntax (e.g. ``app.exception_controller:showAction``). From 07f8e406bca7ed2358ecfa193db21ec7fb40c021 Mon Sep 17 00:00:00 2001 
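Review bot: the ``book/configuration.rst`` tip added at line 198 says ``http://localhost:8000/`` uses the dev front controller but not what that implies; the sidebar this same patch deletes from ``book/page_creation.rst`` carried that information (debugging tools enabled, cache rebuilt automatically, ``/app.php`` for the ``prod`` environment). Move at least the "dev enables debug tools, use ``/app.php`` for prod" sentence into the tip so it is not lost from the docs entirely.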
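Review bot: in the ``book/page_creation.rst`` tip hunk at line 63, the example ``http://symfony.dev/app_dev.php/lucky/number`` still contains ``app_dev.php`` although every other URL in this patch drops it and the sidebar explaining it is removed; either change it to ``http://symfony.dev/lucky/number`` or keep one sentence saying what ``app_dev.php`` is. "If you setup" should read "If you set up".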
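Review bot: the PHP hunk in ``cookbook/controller/error_pages.rst`` built ``$definition`` but never registered it, so the added ``$container->setDefinition('app.exception_controller', $definition);`` is the right fix and the example was previously non-functional. The class fix ``AppBundle\Controller\CustomExceptionController`` in the YAML block should be cross-checked against the XML block of the same configuration-block, which is not shown in this diff.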
From: Michael Lee Date: Wed, 29 Jul 2015 16:51:34 +0800 Subject: [PATCH 06/16] [components][expression_language] Add doc for backslashes Additional backslashes are required to escape a backslash(``\``) in a string or regex because a string will be stripped by the lexer. This should be documented here, otherwise, user may feel confused about the unexpected behavior. | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | ~2.4 | Fixed tickets | n/a --- components/expression_language/syntax.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/components/expression_language/syntax.rst b/components/expression_language/syntax.rst index ba153905aa6..ef870ec07f0 100644 --- a/components/expression_language/syntax.rst +++ b/components/expression_language/syntax.rst @@ -181,6 +181,28 @@ Comparison Operators You must use parenthesis because the unary operator ``not`` has precedence over the binary operator ``matches``. + A backslash(``\``) must be escaped by 4 backslashes(``\\\\``) in a string and + 8 backslashes(``\\\\\\\\``) in a regex:: + + $language->evaluate('"\\\\"'); + // returns \ + + $language->evaluate('"a\\\\b" matches "/^a\\\\\\\\b$/"'); + // returns true + + Control characters must be defined as the escaped form of their escape sequences. + Otherwise, they will be replaced by spaces and ignored:: + + $language->evaluate('"a\nb"'); + // returns a b + + $language->evaluate('"a\\nb"'); + // returns a\nb + + This is because the backslashes in a string will be stripped by the + ``stripcslashes()`` function and the stripped slashes in a regex will be + stripped again by the regex engine. + Examples:: $ret1 = $language->evaluate( From 31d74e5d2577436e27f765bafb594678bb1348d0 Mon Sep 17 00:00:00 2001 
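Review bot: the backslash counts in the ``components/expression_language/syntax.rst`` hunk ("4 backslashes in a string and 8 in a regex") are only correct for the PHP single-quoted source shown in the examples, where ``'"\\\\"'`` is already ``"\\"`` by the time it reaches the lexer; state that the count is "as written in PHP single-quoted source", because an expression loaded from a config file or a double-quoted PHP string needs a different number. The closing sentence explaining the two stripping steps (``stripcslashes()`` and then the regex engine) is the useful part and should stay next to the examples.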
From: WouterJ Date: Sun, 7 Feb 2016 11:17:12 +0100 Subject: [PATCH 07/16] Add a caution about backslash escaping --- components/expression_language/syntax.rst | 34 ++++++++--------------- 1 file changed, 12 insertions(+), 22 deletions(-) diff --git a/components/expression_language/syntax.rst b/components/expression_language/syntax.rst index ef870ec07f0..c3140ace7a2 100644 --- a/components/expression_language/syntax.rst +++ b/components/expression_language/syntax.rst @@ -20,6 +20,18 @@ The component supports: * **booleans** - ``true`` and ``false`` * **null** - ``null`` +.. caution:: + + A backslash (``\``) must be escaped by 4 backslashes (``\\\\``) in a string + and 8 backslashes (``\\\\\\\\``) in a regex:: + + echo $language->evaluate('"\\\\"'); // prints \ + $language->evaluate('"a\\\\b" matches "/^a\\\\\\\\b$/"'); // returns true + + Control characters (e.g. ``\n``) in expressions are replaced with + whitespace. To avoid this, escape the sequence with a single backslash + (e.g. ``\\n``). + .. _component-expression-objects: Working with Objects @@ -181,28 +193,6 @@ Comparison Operators You must use parenthesis because the unary operator ``not`` has precedence over the binary operator ``matches``. - A backslash(``\``) must be escaped by 4 backslashes(``\\\\``) in a string and - 8 backslashes(``\\\\\\\\``) in a regex:: - - $language->evaluate('"\\\\"'); - // returns \ - - $language->evaluate('"a\\\\b" matches "/^a\\\\\\\\b$/"'); - // returns true - - Control characters must be defined as the escaped form of their escape sequences. - Otherwise, they will be replaced by spaces and ignored:: - - $language->evaluate('"a\nb"'); - // returns a b - - $language->evaluate('"a\\nb"'); - // returns a\nb - - This is because the backslashes in a string will be stripped by the - ``stripcslashes()`` function and the stripped slashes in a regex will be - stripped again by the regex engine. - Examples:: $ret1 = $language->evaluate( 
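Review bot: the new caution misstates the control-character behaviour. The text it replaces showed ``$language->evaluate('"a\\nb"')`` returning the literal characters ``a\nb``, not a newline, so "To avoid this, escape the sequence with a single backslash" reads as if ``\\n`` yields a newline; say that the escaped form keeps the backslash and the letter literally. The move also dropped the one-sentence explanation (backslashes are stripped by ``stripcslashes()`` and again by the regex engine) that lets a reader predict the required count; keep it in the caution.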
From 794c1ee35158d62778bc6745c6b162ca7005478d Mon Sep 17 00:00:00 2001 From: Henry Snoek Date: Wed, 13 Jan 2016 20:41:50 +0100 Subject: [PATCH 08/16] use same route for login_path and check_path --- best_practices/security.rst | 4 +- cookbook/security/csrf_in_login_form.rst | 4 +- cookbook/security/form_login.rst | 4 +- cookbook/security/form_login_setup.rst | 73 ++++++++---------------- cookbook/security/remember_me.rst | 4 +- reference/configuration/security.rst | 8 +-- 6 files changed, 37 insertions(+), 60 deletions(-) diff --git a/best_practices/security.rst b/best_practices/security.rst index ff7e747ae0d..1a40fdfc260 100644 --- a/best_practices/security.rst +++ b/best_practices/security.rst @@ -57,8 +57,8 @@ which uses a login form to load users from the database: pattern: ^/ anonymous: true form_login: - check_path: security_login_check - login_path: security_login_form + check_path: login + login_path: login logout: path: security_logout diff --git a/cookbook/security/csrf_in_login_form.rst b/cookbook/security/csrf_in_login_form.rst index f98cc160fa9..3af0643f7fe 100644 --- a/cookbook/security/csrf_in_login_form.rst +++ b/cookbook/security/csrf_in_login_form.rst @@ -92,7 +92,7 @@ using the login form: {# src/AppBundle/Resources/views/Security/login.html.twig #} {# ... #} -
+ {# ... the login fields #} - + {{ error.message }} {% endif %} - + @@ -253,7 +253,7 @@ redirect to the URL defined by some ``account`` route, use the following:
getMessage() ?>
- + diff --git a/cookbook/security/form_login_setup.rst b/cookbook/security/form_login_setup.rst index 829ee018cef..4b2e896fcdf 100644 --- a/cookbook/security/form_login_setup.rst +++ b/cookbook/security/form_login_setup.rst @@ -26,8 +26,8 @@ First, enable form login under your firewall: main: anonymous: ~ form_login: - login_path: /login - check_path: /login_check + login_path: login + check_path: login .. code-block:: xml @@ -42,7 +42,7 @@ First, enable form login under your firewall: - + @@ -55,8 +55,8 @@ First, enable form login under your firewall: 'main' => array( 'anonymous' => null, 'form_login' => array( - 'login_path' => '/login', - 'check_path' => '/login_check', + 'login_path' => 'login', + 'check_path' => 'login', ), ), ), @@ -82,8 +82,8 @@ bundle:: { } -Next, create two routes: one for each of the paths you configured earlier -under your ``form_login`` configuration (``/login`` and ``/login_check``): +Next, create a route for the path you configured earlier +under your ``form_login`` configuration (``/login``): .. configuration-block:: @@ -98,34 +98,20 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``): class SecurityController extends Controller { /** - * @Route("/login", name="login_route") + * @Route("/login", name="login") */ public function loginAction(Request $request) { } - - /** - * @Route("/login_check", name="login_check") - */ - public function loginCheckAction() - { - // this controller will not be executed, - // as the route is handled by the Security system - } } .. code-block:: yaml # app/config/routing.yml - login_route: + login: path: /login defaults: { _controller: AppBundle:Security:login } - login_check: - path: /login_check - # no controller is bound to this route - # as it's handled by the Security system - .. code-block:: xml 
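Review bot: with ``login_path`` and ``check_path`` both set to the ``login`` route in ``cookbook/security/form_login_setup.rst``, ``loginAction`` is only reached for the GET that renders the form; the POST to the same URL is intercepted by the firewall before any controller runs. The removed ``loginCheckAction`` comment was the only place that said so, so add that sentence to ``loginAction``. The prose "for the path you configured earlier under your ``form_login`` configuration (``/login``)" is also now inconsistent with the YAML/PHP hunks, which set route names (``login``) rather than paths.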
@@ -135,13 +121,9 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``): xsi:schemaLocation="http://symfony.com/schema/routing http://symfony.com/schema/routing/routing-1.0.xsd"> - + AppBundle:Security:login - - - .. code-block:: php @@ -151,14 +133,10 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``): use Symfony\Component\Routing\Route; $collection = new RouteCollection(); - $collection->add('login_route', new Route('/login', array( + $collection->add('login', new Route('/login', array( '_controller' => 'AppBundle:Security:login', ))); - $collection->add('login_check', new Route('/login_check')); - // no controller is bound to this route - // as it's handled by the Security system - return $collection; Great! Next, add the logic to ``loginAction`` that will display the login @@ -220,7 +198,7 @@ Finally, create the template:
{{ error.messageKey|trans(error.messageData, 'security') }}
{% endif %} - + @@ -243,7 +221,7 @@ Finally, create the template:
getMessage() ?>
- + @@ -269,7 +247,7 @@ Finally, create the template: The form can look like anything, but has a few requirements: -* The form must POST to ``/login_check``, since that's what you configured +* The form must POST to ``/login``, since that's what you configured under the ``form_login`` key in ``security.yml``. * The username must have the name ``_username`` and the password must have @@ -297,7 +275,7 @@ To review the whole process: user to the login form (``/login``); #. The ``/login`` page renders login form via the route and controller created in this example; -#. The user submits the login form to ``/login_check``; +#. The user submits the login form to ``/login``; #. The security system intercepts the request, checks the user's submitted credentials, authenticates the user if they are correct, and sends the user back to the login form if they are not. @@ -324,12 +302,11 @@ When setting up your login form, watch out for a few common pitfalls. 1. Create the Correct Routes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -First, be sure that you've defined the ``/login`` and ``/login_check`` -routes correctly and that they correspond to the ``login_path`` and -``check_path`` config values. A misconfiguration here can mean that you're -redirected to a 404 page instead of the login page, or that submitting -the login form does nothing (you just see the login form over and over -again). +First, be sure that you've defined the ``/login`` route correctly and that +it corresponds to the ``login_path`` and``check_path`` config values. +A misconfiguration here can mean that you're redirected to a 404 page instead +of the login page, or that submitting the login form does nothing (you just see +the login form over and over again). 2. Be Sure the Login Page Isn't Secure (Redirect Loop!) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
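Review bot: missing space in the rewritten pitfall text: "the ``login_path`` and``check_path`` config values" should be "the ``login_path`` and ``check_path`` config values". The sentence could also keep the old failure description for the shared-route case: a wrong ``check_path`` still makes the form submission do nothing, which is the symptom readers will actually see.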
@@ -472,14 +449,14 @@ for the login page: ), ), -3. Be Sure /login_check Is Behind a Firewall -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +3. Be Sure check_path Is Behind a Firewall +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Next, make sure that your ``check_path`` URL (e.g. ``/login_check``) is behind +Next, make sure that your ``check_path`` URL (e.g. ``/login``) is behind the firewall you're using for your form login (in this example, the single -firewall matches *all* URLs, including ``/login_check``). If ``/login_check`` +firewall matches *all* URLs, including ``/login``). If ``/login`` doesn't match any firewall, you'll receive a ``Unable to find the controller -for path "/login_check"`` exception. +for path "/login"`` exception. 4. Multiple Firewalls Don't Share the Same Security Context ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/cookbook/security/remember_me.rst b/cookbook/security/remember_me.rst index 4340bf235f3..586aab92410 100644 --- a/cookbook/security/remember_me.rst +++ b/cookbook/security/remember_me.rst @@ -152,7 +152,7 @@ this:
{{ error.message }}
{% endif %} - + @@ -172,7 +172,7 @@ this:
getMessage() ?>
- + diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index 13be9393268..65f7d5599dd 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -129,10 +129,10 @@ Each part will be explained in the next section. provider: some_key_from_above form_login: # submit the login form here - check_path: /login_check + check_path: login # the user is redirected here when they need to log in - login_path: /login + login_path: login # if true, forward the user to the login form instead of redirecting use_forward: false @@ -252,7 +252,7 @@ The Login Form and Process login_path .......... -**type**: ``string`` **default**: ``/login`` +**type**: ``string`` **default**: ``login`` This is the route or path that the user will be redirected to (unless ``use_forward`` is set to ``true``) when they try to access a protected resource but isn't @@ -265,7 +265,7 @@ you may create a redirect loop. For details, see check_path .......... -**type**: ``string`` **default**: ``/login_check`` +**type**: ``string`` **default**: ``login`` This is the route or path that your login form must submit to. The firewall will intercept any requests (``POST`` requests only, by default) to this From d46b458df6721418e48187070ef5e20892061740 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Sun, 7 Feb 2016 11:18:12 +0100 Subject: [PATCH 09/16] [#6143] some tweaks --- cookbook/security/form_login_setup.rst | 8 ++++---- reference/configuration/security.rst | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cookbook/security/form_login_setup.rst b/cookbook/security/form_login_setup.rst index 4b2e896fcdf..ee1ebf37478 100644 --- a/cookbook/security/form_login_setup.rst +++ b/cookbook/security/form_login_setup.rst @@ -42,7 +42,7 @@ First, enable form login under your firewall: - + 
@@ -82,8 +82,8 @@ bundle:: { } -Next, create a route for the path you configured earlier -under your ``form_login`` configuration (``/login``): +Next, configure the route that you earlier used under your ``form_login`` +configuration (``login``): .. configuration-block:: @@ -247,7 +247,7 @@ Finally, create the template: The form can look like anything, but has a few requirements: -* The form must POST to ``/login``, since that's what you configured +* The form must POST to the ``login`` route, since that's what you configured under the ``form_login`` key in ``security.yml``. * The username must have the name ``_username`` and the password must have diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index 65f7d5599dd..13be9393268 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -129,10 +129,10 @@ Each part will be explained in the next section. provider: some_key_from_above form_login: # submit the login form here - check_path: login + check_path: /login_check # the user is redirected here when they need to log in - login_path: login + login_path: /login # if true, forward the user to the login form instead of redirecting use_forward: false @@ -252,7 +252,7 @@ The Login Form and Process login_path .......... -**type**: ``string`` **default**: ``login`` +**type**: ``string`` **default**: ``/login`` This is the route or path that the user will be redirected to (unless ``use_forward`` is set to ``true``) when they try to access a protected resource but isn't @@ -265,7 +265,7 @@ you may create a redirect loop. For details, see check_path .......... -**type**: ``string`` **default**: ``login`` +**type**: ``string`` **default**: ``/login_check`` This is the route or path that your login form must submit to. The firewall will intercept any requests (``POST`` requests only, by default) to this From 882f66ff35d8231ac056fc22edff96fe53bf06f0 Mon Sep 17 00:00:00 2001 
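Review bot: restoring ``/login`` and ``/login_check`` as the documented defaults in ``reference/configuration/security.rst`` is correct; the previous patch changed the stated **default** of ``login_path``/``check_path`` to ``login``, which is a claim about the component's behaviour, not a documentation style choice, and should not change unless the code's defaults did. The example block at line 129 can still show a route name, but the comment there should say that a route name or a path is accepted, which the ``login_path`` description already states.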
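Review bot: in the "3. Be Sure check_path Is Behind a Firewall" hunk, "you'll receive a ``Unable to find the controller for path "/login"`` exception" should read "an ``Unable ...`` exception". Since this example now uses one route for both paths, it is worth adding that the exception appears when the firewall pattern does not cover the login URL at all, which is the only way the shared ``/login`` can miss the firewall.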
From: Christian Flothmann Date: Sun, 7 Feb 2016 11:45:10 +0100 Subject: [PATCH 10/16] [#6239] fix typo --- book/page_creation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/page_creation.rst b/book/page_creation.rst index 903d1c1fad5..ce3be3ce65b 100644 --- a/book/page_creation.rst +++ b/book/page_creation.rst @@ -63,7 +63,7 @@ Before diving into this, test it out! .. tip:: - If you setup a proper virtual host in + If you set up a proper virtual host in :doc:`Apache or Nginx `, replace ``http://localhost:8000`` with your host name - like ``http://symfony.dev/app_dev.php/lucky/number``. From 9f7f1dd91b4dc47df143e6aa0f2532361d51c15f Mon Sep 17 00:00:00 2001 From: WouterJ Date: Sat, 6 Feb 2016 12:02:19 +0100 Subject: [PATCH 11/16] Use hash_equals instead of StringUtils::equals --- components/security/secure_tools.rst | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/components/security/secure_tools.rst b/components/security/secure_tools.rst index 338a18a449b..a7060c26597 100644 --- a/components/security/secure_tools.rst +++ b/components/security/secure_tools.rst @@ -5,6 +5,12 @@ The Symfony Security component comes with a collection of nice utilities related to security. These utilities are used by Symfony, but you should also use them if you want to solve the problem they address. +.. note:: + + The functions described in this article were introduced in PHP 5.6 or 7. + For older PHP versions, a polyfill is provided by the + `Symfony Polyfill Component`_. + Comparing Strings ~~~~~~~~~~~~~~~~~ 
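Review bot: the ``components/security/secure_tools.rst`` note "introduced in PHP 5.6 or 7" is too vague for a security reference; ``hash_equals()`` was added in PHP 5.6 and ``random_bytes()``/``random_int()`` in PHP 7.0, and the polyfills are separate packages (``symfony/polyfill-php56`` and ``symfony/polyfill-php70``). State the version per function so a reader on 5.6 knows which polyfill they need.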
@@ -12,14 +18,12 @@ The time it takes to compare two strings depends on their differences. This can be used by an attacker when the two strings represent a password for instance; it is known as a `Timing attack`_. -Internally, when comparing two passwords, Symfony uses a constant-time -algorithm; you can use the same strategy in your own code thanks to the -:class:`Symfony\\Component\\Security\\Core\\Util\\StringUtils` class:: - - use Symfony\Component\Security\Core\Util\StringUtils; +When comparing two passwords, you should use the :phpfunction:`hash_equals` +function:: - // is some known string (e.g. password) equal to some user input? - $bool = StringUtils::equals($knownString, $userInput); + if (hash_equals($knownString, $userInput)) { + // ... + } Generating a Secure Random String ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -49,12 +53,5 @@ use the :phpfunction:`random_int` function:: $random = random_int(1, 10); -.. note:: - - PHP 7 and up provide the ``random_bytes()`` and ``random_int()`` functions - natively, for older versions of PHP a polyfill is provided by the - `Symfony Polyfill Component`_ and the `paragonie/random_compat package`_. - .. _`Timing attack`: https://en.wikipedia.org/wiki/Timing_attack .. _`Symfony Polyfill Component`: https://github.com/symfony/polyfill -.. _`paragonie/random_compat package`: https://github.com/paragonie/random_compat From 0ae9f60c2bbf312c7c49bfd9c0d42070e5613e35 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Sun, 7 Feb 2016 12:20:12 +0100 Subject: [PATCH 12/16] [#5630] some tweaks --- book/security.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/book/security.rst b/book/security.rst index e91dc9974d5..acc2f90ad75 100644 --- a/book/security.rst +++ b/book/security.rst 
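Review bot: the ``hash_equals`` hunk drops the "is some known string (e.g. password) equal to some user input?" comment, which was the only statement of argument order, and order matters: the known string goes first and the user-supplied value second, as the PHP manual requires for the timing guarantee. Keep the comment, and add that both arguments must be strings, because ``hash_equals()`` emits a warning and returns ``false`` for a non-string ``$userInput`` (for example an array from a request parameter); a ``is_string($userInput) &&`` guard before the call covers that.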
@@ -1137,10 +1137,11 @@ is defined by the ``target`` parameter above (e.g. the ``homepage``). .. caution:: - Notice that when using http-basic authenticated firewall there is no real - way to log out : the only way to 'logout' is to have the browser stop sending your name and password - on every request. Clearing your browser cache, restarting your browser usually helps, and some web developer - tools might be helpful here. + Notice that when using http-basic authenticated firewalls, there is no + real way to log out : the only way to *log out* is to have the browser + stop sending your name and password on every request. Clearing your + browser cache or restarting your browser usually helps. Some web developer + tools might be helpful here too. .. _`security-encoding-password`: From fc6b0a6ac3ec8aef605c054ade6675f0b736ab4b Mon Sep 17 00:00:00 2001 From: Gonzalo Vilaseca Date: Thu, 10 Dec 2015 10:55:43 +0000 Subject: [PATCH 13/16] Update dev_environment.rst As per the config docs: delivery_whitelist: Used in combination with delivery_address. If set, emails matching any of these patterns will be delivered like normal, as well as being sent to delivery_address. --- cookbook/email/dev_environment.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbook/email/dev_environment.rst b/cookbook/email/dev_environment.rst index c9eb21433dc..c93553102e0 100644 --- a/cookbook/email/dev_environment.rst +++ b/cookbook/email/dev_environment.rst 
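Review bot: the reworded caution still has a space before the colon ("no real way to log out : the only way"); write "no real way to log out: the only way". The emphasised "*log out*" adds nothing over the plain phrase and can be dropped.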
@@ -187,8 +187,8 @@ by adding the ``delivery_whitelist`` option: )); In the above example all email messages will be redirected to ``dev@example.com``, -except messages sent to the ``admin@mydomain.com`` address or to any email -address belonging to the domain ``specialdomain.com``, which will be delivered as normal. +and messages sent to the ``admin@mydomain.com`` address or to any email +address belonging to the domain ``specialdomain.com`` will be delivered as normal. Viewing from the Web Debug Toolbar ---------------------------------- From 20ad31d501d879ceed5b77ce7c0771f5219863b0 Mon Sep 17 00:00:00 2001 From: WouterJ Date: Sun, 7 Feb 2016 12:45:30 +0100 Subject: [PATCH 14/16] [#5995] Update comments in the code --- cookbook/email/dev_environment.rst | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/cookbook/email/dev_environment.rst b/cookbook/email/dev_environment.rst index c93553102e0..c8bfc8b3e55 100644 --- a/cookbook/email/dev_environment.rst +++ b/cookbook/email/dev_environment.rst @@ -141,12 +141,9 @@ by adding the ``delivery_whitelist`` option: swiftmailer: delivery_address: dev@example.com delivery_whitelist: - # all email addresses matching this regex will *not* be - # redirected to dev@example.com + # all email addresses matching these regexes will be delivered + # like normal, as well as being sent to dev@example.com - '/@specialdomain\.com$/' - - # all emails sent to admin@mydomain.com won't - # be redirected to dev@example.com too - '/^admin@mydomain\.com$/' .. code-block:: xml @@ -162,10 +159,9 @@ by adding the ``delivery_whitelist`` option: http://symfony.com/schema/dic/swiftmailer http://symfony.com/schema/dic/swiftmailer/swiftmailer-1.0.xsd"> - + /@specialdomain\.com$/ - - /^admin@mydomain\.com$/ 
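Review bot: the new sentence in ``cookbook/email/dev_environment.rst`` still reads as if whitelisted recipients bypass ``dev@example.com``, but per the ``delivery_whitelist`` description quoted in the commit message those messages are delivered normally *in addition to* being sent to ``delivery_address``; "will be delivered as normal" should be "will also be delivered as normal" so the behaviour is unambiguous.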
@@ -176,19 +172,16 @@ by adding the ``delivery_whitelist`` option: $container->loadFromExtension('swiftmailer', array( 'delivery_address' => "dev@example.com", 'delivery_whitelist' => array( - // all email addresses matching this regex will *not* be - // redirected to dev@example.com + // all email addresses matching these regexes will be delivered + // like normal, as well as being sent to dev@example.com '/@specialdomain\.com$/', - - // all emails sent to admin@mydomain.com won't be - // redirected to dev@example.com too '/^admin@mydomain\.com$/', ), )); -In the above example all email messages will be redirected to ``dev@example.com``, -and messages sent to the ``admin@mydomain.com`` address or to any email -address belonging to the domain ``specialdomain.com`` will be delivered as normal. +In the above example all email messages will be redirected to ``dev@example.com`` +and messages sent to the ``admin@mydomain.com`` address or to any email address +belonging to the domain ``specialdomain.com`` will also be delivered as normal. Viewing from the Web Debug Toolbar ---------------------------------- From 2ab746eea0854941243ec0b59a458e71c0a8277e Mon Sep 17 00:00:00 2001 From: WouterJ Date: Sun, 7 Feb 2016 13:49:54 +0100 Subject: [PATCH 15/16] Added December changelog --- changelog.rst | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/changelog.rst b/changelog.rst index a05c9f49dcd..b2154485489 100644 --- a/changelog.rst +++ b/changelog.rst 
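Review bot: the updated comments and closing sentence now describe ``delivery_whitelist`` correctly ("delivered like normal, as well as being sent to dev@example.com"), but none of the three configuration blocks says that the option only has an effect when ``delivery_address`` is set, which the commit message of the preceding patch quotes from the config reference; one sentence before the configuration-block would prevent readers from expecting the whitelist to do anything on its own.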
@@ -13,6 +13,71 @@ documentation. Do you also want to participate in the Symfony Documentation? Take a look at the ":doc:`/contributing/documentation/overview`" article. +December, 2015 +-------------- + +New Documentation +~~~~~~~~~~~~~~~~~ + +* `#5811 `_ Conversion from mysql to PDO (iqbalmalik89) +* `#5962 `_ Simplify code example in "Adding custom extensions" section (snoek09) +* `#6022 `_ clarify custom route loader documentation (dbu) +* `#5994 `_ Updated the release process for Symfony 3.x and future releases (javiereguiluz) + +Fixed Documentation +~~~~~~~~~~~~~~~~~~~ + +* `#6063 `_ minor #5829 Fix broken composer command (JHGitty) +* `#5904 `_ Update php_soap_extension.rst (xDaizu) +* `#5819 `_ Remove AppBundle (roukmoute) + +Minor Documentation Changes +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* `#6043 `_ Mention commiting only bower.json (krike, WouterJ) +* `#5848 `_ Added hints to spool config section (martinczerwi) +* `#6042 `_ some tweaks to unit testing form types (xabbuh) +* `#6059 `_ Add best practice about the Form type namespace (WouterJ) +* `#6068 `_ Remove references to API tagging (dunglas) +* `#6088 `_ Update validation.rst (syedi) +* `#6085 `_ Update validation.rst (syedi) +* `#6094 `_ [Form] Added a missing php opening tag (dev-symfony-void) +* `#5840 `_ [Contributing] [Standards] Add note about `trigger_error()` and deprecation messages (phansys) +* `#6050 `_ Lots of minor fixes & applying best practices to form cookbook doc (ThomasLandauer, WouterJ) +* `#5570 `_ Quick review of 'create framework' tutorial (WouterJ) +* `#5445 `_ Reworded the explanation about the kernel.event_listener tag (javiereguiluz) +* `#6054 `_ Remove 2.8 branch from patch documentation (Triiistan) +* `#6057 `_ Fix PHP code for registering service (WouterJ) +* `#6063 `_ minor #5829 Fix broken composer command (JHGitty) +* `#6041 `_ Fixed misspelling of human in glossary.rst YAML (Wasserschlange) +* `#6049 `_ Finish #5798 Add app_ prefix to form type names (OskarStark, WouterJ) 
+* `#5829 `_ use composer command instead of editing json file (OskarStark) +* `#6046 `_ Update framework.rst (typo in sesssion) (patrick-mota) +* `#5890 `_ Updated article for modern Symfony practices and the use of bcrypt (javiereguiluz) +* `#6015 `_ [Assetic] complete XML configuration examples (xabbuh) +* `#5963 `_ Add note about 'phar extension' dependency (snoek09) +* `#6006 `_ [Book] use AppBundle examples and follow best practices (xabbuh) +* `#6016 `_ Corrected the line references for the basic controller example (theTeddyBear) +* `#5446 `_ [Contributing] [Standards] Added note about phpdoc_separation (phansys) +* `#5820 `_ Fixed an issue with command option shortcuts (javiereguiluz) +* `#6033 `_ Fix Typo (Shine-neko) +* `#6011 `_ Fixed formatting issues (javiereguiluz) +* `#6012 `_ Use HTTPS for downloading the Symfony Installer (javiereguiluz) +* `#6009 `_ Fix missing constant usage for generating urls (Tobion) +* `#5965 `_ Removing php opening tags (Deamon) +* `#6003 `_ #5999 fix files names (vincentaubert) +* `#5996 `_ Clarify example for SUBMIT form event (bkosborne) +* `#6000 `_ Update registration_form.rst (afurculita) +* `#5989 `_ Fix words according context (richardpq) +* `#5992 `_ More use single quotes for YAML strings (snoek09) +* `#5959 `_ Fix #5912 Ambiguity on Access Decision Manager's Strategy (Pierre Maraitre) +* `#5955 `_ use single quotes for YAML strings (snoek09) +* `#5979 `_ [Book] Do not extend the base controller before introducing it (ogizanagi) +* `#5970 `_ Remove isSubmitted call (DanielSiepmann) +* `#5972 `_ Add isSubmitted call (DanielSiepmann) +* `#5961 `_ update from_flat_php_to_symfony2.rst (thao-witkam) + + November, 2015 -------------- From a5055a577be394bfa59c6980e472f2da49cd83c3 Mon Sep 17 00:00:00 2001 From: WouterJ Date: Sun, 7 Feb 2016 13:50:10 +0100 Subject: [PATCH 16/16] Added December changelog --- changelog.rst | 8 ++++++++ 1 file changed, 8 insertions(+) 
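Review bot: The December 2015 block added to changelog.rst lists the same PR twice: "#6063 minor #5829 Fix broken composer command (JHGitty)" appears under "Fixed Documentation" and again under "Minor Documentation Changes"; keep it in one section only. In the same hunk the "#5840 ... Add note about `trigger_error()` and deprecation messages" entry uses single backticks, which reStructuredText renders as interpreted text rather than as a literal; use double backticks (``trigger_error()``) as the rest of the documentation does.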
diff --git a/changelog.rst b/changelog.rst index a81f358ebb4..2ca8d4f1f8d 100644 --- a/changelog.rst +++ b/changelog.rst @@ -19,6 +19,8 @@ December, 2015 New Documentation ~~~~~~~~~~~~~~~~~ +* `#5906 `_ Added documentation for choice_translation_domain option (peterrehm) +* `#6017 `_ Documented the Symfony Console Styles (javiereguiluz) * `#5811 `_ Conversion from mysql to PDO (iqbalmalik89) * `#5962 `_ Simplify code example in "Adding custom extensions" section (snoek09) * `#6022 `_ clarify custom route loader documentation (dbu) @@ -30,6 +32,7 @@ Fixed Documentation * `#6063 `_ minor #5829 Fix broken composer command (JHGitty) * `#5904 `_ Update php_soap_extension.rst (xDaizu) * `#5819 `_ Remove AppBundle (roukmoute) +* `#6001 `_ Fix class name (BlueM) Minor Documentation Changes ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -48,11 +51,13 @@ Minor Documentation Changes * `#5445 `_ Reworded the explanation about the kernel.event_listener tag (javiereguiluz) * `#6054 `_ Remove 2.8 branch from patch documentation (Triiistan) * `#6057 `_ Fix PHP code for registering service (WouterJ) +* `#6067 `_ improve phrasing (greg0ire) * `#6063 `_ minor #5829 Fix broken composer command (JHGitty) * `#6041 `_ Fixed misspelling of human in glossary.rst YAML (Wasserschlange) * `#6049 `_ Finish #5798 Add app_ prefix to form type names (OskarStark, WouterJ) * `#5829 `_ use composer command instead of editing json file (OskarStark) * `#6046 `_ Update framework.rst (typo in sesssion) (patrick-mota) +* `#5662 `_ Fixed wrong version of symfony with composer install (Nek-) * `#5890 `_ Updated article for modern Symfony practices and the use of bcrypt (javiereguiluz) * `#6015 `_ [Assetic] complete XML configuration examples (xabbuh) * `#5963 `_ Add note about 'phar extension' dependency (snoek09) 
@@ -70,6 +75,9 @@ Minor Documentation Changes * `#6000 `_ Update registration_form.rst (afurculita) * `#5989 `_ Fix words according context (richardpq) * `#5992 `_ More use single quotes for YAML strings (snoek09) +* `#5957 `_ mark deep option as deprecated (snoek09) +* `#5943 `_ Add tip for when returning `null` from `createToken()` (jeroenseegers) +* `#5956 `_ Update security.rst (mpaquet) * `#5959 `_ Fix #5912 Ambiguity on Access Decision Manager's Strategy (Pierre Maraitre) * `#5955 `_ use single quotes for YAML strings (snoek09) * `#5979 `_ [Book] Do not extend the base controller before introducing it (ogizanagi)
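Review bot: The new "#5943 Add tip for when returning `null` from `createToken()` (jeroenseegers)" entry uses single backticks around ``null`` and ``createToken()``; in reStructuredText that is interpreted text, not a literal, so switch to double backticks to match the other entries. The context lines of this hunk also still show "#6063 minor #5829 Fix broken composer command (JHGitty)" in "Minor Documentation Changes" while the earlier hunk keeps it under "Fixed Documentation"; since this commit touches the same list, drop one of the two occurrences here.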