CVE Search

ID | Description | Severity
CVE-2024-21510 | Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF. | medium
CVE-2023-44388 | Discourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. It is possible to temporarily work around this problem by reducing the `client_max_body_size` nginx directive. `client_max_body_size` will limit the size of uploads that can be uploaded directly to the server. | high
CVE-2023-39481 | Softing Secure Integration Server Interpretation Conflict Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the web server. The issue results from an inconsistency in URI parsing between NGINX and application code. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20551. | medium
CVE-2024-1521 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is only exploitable on web servers running NGINX. It is not exploitable on web servers running Apache HTTP Server. | medium
CVE-2023-47106 | Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | medium
CVE-2024-3149 | A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature, intended for users with manager or admin roles, processes uploaded links through an internal Collector API using a headless browser. An attacker can exploit this by hosting a malicious website and using it to perform actions such as internal port scanning, accessing internal web applications not exposed externally, and interacting with the Collector API. This interaction can lead to unauthorized actions such as arbitrary file deletion and limited Local File Inclusion (LFI), including accessing NGINX access logs which may contain sensitive information. | high
CVE-2019-9945 | SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user credentials. If customers have not followed SoftNAS deployment best practices and expose SoftNAS StorageCenter ports directly to the internet, this vulnerability allows an attacker to gain access to the Webadmin interface to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and the data. | critical
CVE-2021-3882 | LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server *and* the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the 'Header always edit' configuration command in the mod_headers module. For Nginx, please refer to the 'proxy_cookie_flags' configuration command. | medium
CVE-2024-26615 | In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: - run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL> - continuously dump SMC-D connections in parallel: watch -n 1 'smcss -D' BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x66/0x150 ? exc_page_fault+0x69/0x140 ? asm_exc_page_fault+0x26/0x30 ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] ? __kmalloc_node_track_caller+0x35d/0x430 ? __alloc_skb+0x77/0x170 smc_diag_dump_proto+0xd0/0xf0 [smc_diag] smc_diag_dump+0x26/0x60 [smc_diag] netlink_dump+0x19f/0x320 __netlink_dump_start+0x1dc/0x300 smc_diag_handler_dump+0x6a/0x80 [smc_diag] ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag] sock_diag_rcv_msg+0x121/0x140 ? __pfx_sock_diag_rcv_msg+0x10/0x10 netlink_rcv_skb+0x5a/0x110 sock_diag_rcv+0x28/0x40 netlink_unicast+0x22a/0x330 netlink_sendmsg+0x1f8/0x420 __sock_sendmsg+0xb0/0xc0 ____sys_sendmsg+0x24e/0x300 ? copy_msghdr_from_user+0x62/0x80 ___sys_sendmsg+0x7c/0xd0 ? __do_fault+0x34/0x160 ? do_read_fault+0x5f/0x100 ? do_fault+0xb0/0x110 ? __handle_mm_fault+0x2b0/0x6c0 __sys_sendmsg+0x4d/0x80 do_syscall_64+0x69/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76 It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump. | medium
CVE-2010-4180 | OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. | high
CVE-2023-20088 | A vulnerability in the nginx configurations that are provided as part of the VPN-less reverse proxy for Cisco Finesse could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition for new and existing users who are connected through a load balancer. This vulnerability is due to improper IP address filtering by the reverse proxy. An attacker could exploit this vulnerability by sending a series of unauthenticated requests to the reverse proxy. A successful exploit could allow the attacker to cause all current traffic and subsequent requests to the reverse proxy through a load balancer to be dropped, resulting in a DoS condition. | high
CVE-2024-45614 | Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions. | medium
CVE-2022-23470 | Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability. | high
CVE-2024-24827 | Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to site as various site settings like `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` will determine the amount of resources used when creating an upload. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` as smaller uploads require less resources to process. Alternatively, `client_max_body_size` can be reduced in Nginx to prevent large uploads from reaching the server. | medium
CVE-2023-29004 | hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. Successful exploitation of this vulnerability could allow an attacker with user level privileges to obtain the content of arbitrary files on the file server within the scope of what the server process has access to. The root-cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal, but still allows to read files from absolute locations passed via the config_file_name parameter. | medium
CVE-2022-29169 | BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using a specific RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup()). This function handles input by regexing and attackers can abuse that by providing some ReDoS payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable Nginx forwarding the requests to the handler according to the directions in the GitHub Security Advisory. | high
CVE-2024-28101 | The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the `limits.http_max_request_bytes` configuration option after the entirety of the compressed payload is decompressed. If affected versions of the Router receive highly compressed payloads, this could result in significant memory consumption while the compressed payload is expanded. Router version 1.40.2 has a fix for the vulnerability. Those who are unable to upgrade may be able to implement mitigations at proxies or load balancers positioned in front of their Router fleet (e.g. Nginx, HAProxy, or cloud-native WAF services) by creating limits on HTTP body upload size. | high
CVE-2021-21396 | wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02. | medium
CVE-2021-43840 | message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which use a proxy, the impact varies. For example, if a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled. | medium
CVE-2024-43804 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. An OS Command Injection vulnerability allows any authenticated user on the application to execute arbitrary code on the web application server via port scanning functionality. User-supplied input is used without validation when constructing and executing an OS command. User supplied JSON POST data is parsed and if "id" JSON key does not exist, JSON value supplied via "ip" JSON key is assigned to the "ip" variable. Later on, "ip" variable which can be controlled by the attacker is used when constructing the cmd and cmd1 strings without any extra validation. Then, server_mod.subprocess_execute function is called on both cmd1 and cmd2. When the definition of the server_mod.subprocess_execute() function is analyzed, it can be seen that subprocess.Popen() is called on the input parameter with shell=True which results in OS Command Injection. This issue has not yet been patched. Users are advised to contact the Roxy-WI to coordinate a fix. | high
CVE-2021-29509 | Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma. | high
CVE-2022-48751 | In the Linux kernel, the following vulnerability has been resolved: net/smc: Transitional solution for clcsock race issue We encountered a crash in smc_setsockopt() and it is caused by accessing smc->clcsock after clcsock was released. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Call Trace: <TASK> __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e </TASK> This patch tries to fix it by holding clcsock_release_lock and checking whether clcsock has already been released before access. In case that a crash of the same reason happens in smc_getsockopt() or smc_switch_to_fallback(), this patch also checks smc->clcsock in them too. And the caller of smc_switch_to_fallback() will identify whether fallback succeeds according to the return value. | medium
CVE-2022-31081 | HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rejected. | medium
CVE-2019-11043 | In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. | critical
CVE-2009-3555 | The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue. | critical
CVE-2021-3618 | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. | high
CVE-2019-9516 | Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. | medium
CVE-2019-9511 | Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | high
CVE-2019-9513 | Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. | high
CVE-2023-24814 | TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation. | medium
CVE-2023-34450 | CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. An internal modification made in versions 0.34.28 and 0.37.1 to the way struct `PeerState` is serialized to JSON introduced a deadlock when new function MarshallJSON is called. This function can be called from two places. The first is via logs, setting the `consensus` logging module to "debug" level (should not happen in production), and setting the log output format to JSON. The second is via RPC `dump_consensus_state`. Case 1, which should not be hit in production, will eventually hit the deadlock in most goroutines, effectively halting the node. In case 2, only the data structures related to the first peer will be deadlocked, together with the thread(s) dealing with the RPC request(s). This means that only one of the channels of communication to the node's peers will be blocked. Eventually the peer will time out and be excluded from the list (typically after 2 minutes). The goroutines involved in the deadlock will not be garbage collected, but they will not interfere with the system after the peer is excluded. The theoretical worst case for case 2 is a network with only two validator nodes. In this case, each of the nodes only has one `PeerState` struct. If `dump_consensus_state` is called in either node (or both), the chain will halt until the peer connections time out, after which the nodes will reconnect (with different `PeerState` structs) and the chain will progress again. Then, the same process can be repeated. As the number of nodes in a network increases, and thus the number of peer structs each node maintains, the possibility of reproducing the perturbation visible with two nodes decreases. Only the first `PeerState` struct will deadlock, and not the others (RPC `dump_consensus_state` accesses them in a for loop, so the deadlock at the first iteration causes the rest of the iterations of that "for" loop to never be reached). This regression was fixed in versions 0.34.29 and 0.37.2. Some workarounds are available. For case 1 (hitting the deadlock via logs), either don't set the log output to "json", leave at "plain", or don't set the consensus logging module to "debug", leave it at "info" or higher. For case 2 (hitting the deadlock via RPC `dump_consensus_state`), do not expose `dump_consensus_state` RPC endpoint to the public internet (e.g., via rules in one's nginx setup). | medium
CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | critical
CVE-2014-4931
[TwigBundle] do not pass a template reference to twig (Tobion) * bug #12196 [TwigBundle] show correct fallback exception template in debug mode (Tobion) * bug #12187 [CssSelector] don't raise warnings when exception is thrown (xabbuh) * bug #11998 [Intl] Integrated ICU data into Intl component #2 (webmozart) * bug #11920 [Intl] Integrated ICU data into Intl component #1 (webmozart) ## 2.3.20 (2014-09-28) * bug #9453 [Form][DateTime] Propagate invalid_message & invalid_message_parameters to date & time (egeloen) * bug #11058 [Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider (glutamatt) * bug #12004 [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required (webmozart) * bug #11904 Make twig ExceptionController conformed with ExceptionListener (megazoll) * bug #11924 [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler (rpg600, webmozart) * bug #11079 Response::isNotModified returns true when If-Modified-Since is later than Last-Modified (skolodyazhnyy) * bug #11989 [Finder][Urgent] Remove asterisk and question mark from folder name in test to prevent windows file system issues. (Adam) * bug #11908 [Translation] [Config] Clear libxml errors after parsing xliff file (pulzarraider) * bug #11937 [HttpKernel] Make sure HttpCache is a trusted proxy (thewilkybarkid) * bug #11970 [Finder] Escape location for regex searches (ymc-dabe) * bug #11837 Use getPathname() instead of string casting to get BinaryFileReponse file path (nervo) * bug #11513 [Translation] made XliffFileDumper support CDATA sections. 
(hhamon) * bug #11907 [Intl] Improved bundle reader implementations (webmozart) * bug #11874 [Console] guarded against non-traversable aliases (thierrymarianne) * bug #11799 [YAML] fix handling of empty sequence items (xabbuh) * bug #11906 [Intl] Fixed a few bugs in TextBundleWriter (webmozart) * bug #11459 [Form][Validator] All index items after children are to be considered grand-children when resolving ViolationPath (Andrew Moore) * bug #11715 [Form] FormBuilder::getIterator() now deals with resolved children (issei-m) * bug #11892 [SwiftmailerBridge] Bump allowed versions of swiftmailer (ymc-dabe) * bug #11918 [DependencyInjection] remove `service` parameter type from XSD (xabbuh) * bug #11905 [Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle (webmozart) * bug #11497 Use separated function to resolve command and related arguments (JJK801) * bug #11374 [DI] Added safeguards against invalid config in the YamlFileLoader (stof) * bug #11897 [FrameworkBundle] Remove invalid markup (flack) * bug #11860 [Security] Fix usage of unexistent method in DoctrineAclCache. 
(mauchede) * bug #11850 [YAML] properly mask escape sequences in quoted strings (xabbuh) * bug #11856 [FrameworkBundle] backport more error information from 2.6 to 2.3 (xabbuh) * bug #11843 [Yaml] improve error message when detecting unquoted asterisks (xabbuh) ## 2.3.19 (2014-09-03) * security #11832 CVE-2014-6072 (fabpot) * security #11831 CVE-2014-5245 (stof) * security #11830 CVE-2014-4931 (aitboudad, Jérémy Derussé) * security #11829 CVE-2014-6061 (damz, fabpot) * security #11828 CVE-2014-5244 (nicolas-grekas, larowlan) * bug #10197 [FrameworkBundle] PhpExtractor bugfix and improvements (mtibben) * bug #11772 [Filesystem] Add FTP stream wrapper context option to enable overwrite (Damian Sromek) * bug #11788 [Yaml] fixed mapping keys containing a quoted # (hvt, fabpot) * bug #11160 [DoctrineBridge] Abstract Doctrine Subscribers with tags (merk) * bug #11768 [ClassLoader] Add a __call() method to XcacheClassLoader (tstoeckler) * bug #11726 [Filesystem Component] mkdir race condition fix #11626 (kcassam) * bug #11677 [YAML] resolve variables in inlined YAML (xabbuh) * bug #11639 [DependencyInjection] Fixed factory service not within the ServiceReferenceGraph. 
(boekkooi) * bug #11778 [Validator] Fixed wrong translations for Collection constraints (samicemalone) * bug #11756 [DependencyInjection] fix @return anno created by PhpDumper (jakubkulhan) * bug #11711 [DoctrineBridge] Fix empty parameter logging in the dbal logger (jakzal) * bug #11692 [DomCrawler] check for the correct field type (xabbuh) * bug #11672 [Routing] fix handling of nullable XML attributes (xabbuh) * bug #11624 [DomCrawler] fix the axes handling in a bc way (xabbuh) * bug #11676 [Form] Fixed #11675 ValueToDuplicatesTransformer accept "0" value (Nek-) * bug #11695 [Validators] Fixed failing tests requiring ICU 52.1 which are skipped otherwise (webmozart) * bug #11529 [WebProfilerBundle] Fixed double height of canvas (hason) * bug #11641 [WebProfilerBundle ] Fix toolbar vertical alignment (blaugueux) * bug #11559 [Validator] Convert objects to string in comparison validators (webmozart) * feature #11510 [HttpFoundation] MongoDbSessionHandler supports auto expiry via configurable expiry_field (catchamonkey) * bug #11408 [HttpFoundation] Update QUERY_STRING when overrideGlobals (yguedidi) * bug #11633 [FrameworkBundle] add missing attribute to XSD (xabbuh) * bug #11601 [Validator] Allow basic auth in url when using UrlValidator. 
(blaugueux) * bug #11609 [Console] fixed style creation when providing an unknown tag option (fabpot) * bug #10914 [HttpKernel] added an analyze of environment parameters for built-in server (mauchede) * bug #11598 [Finder] Shell escape and windows support (Gordon Franke, gimler) * bug #11499 [BrowserKit] Fixed relative redirects for ambiguous paths (pkruithof) * bug #11516 [BrowserKit] Fix browser kit redirect with ports (dakota) * bug #11545 [Bundle][FrameworkBundle] built-in server: exit when docroot does not exist (xabbuh) * bug #11560 Plural fix (1emming) * bug #11558 [DependencyInjection] Fixed missing 'factory-class' attribute in XmlDumper output (kerdany) * bug #11548 [Component][DomCrawler] fix axes handling in Crawler::filterXPath() (xabbuh) * bug #11422 [DependencyInjection] Self-referenced 'service_container' service breaks garbage collection (sun) * bug #11428 [Serializer] properly handle null data when denormalizing (xabbuh) * bug #10687 [Validator] Fixed string conversion in constraint violations (eagleoneraptor, webmozart) * bug #11475 [EventDispatcher] don't count empty listeners (xabbuh) * bug #11436 fix signal handling in wait() on calls to stop() (xabbuh, romainneutron) * bug #11469 [BrowserKit] Fixed server HTTP_HOST port uri conversion (bcremer, fabpot) * bug #11425 Fix issue described in #11421 (Ben, ben-rosio) * bug #11423 Pass a Scope instance instead of a scope name when cloning a container in the GrahpvizDumper (jakzal) * bug #11120 [Process] Reduce I/O load on Windows platform (romainneutron) * bug #11342 [Form] Check if IntlDateFormatter constructor returned a valid object before using it (romainneutron) * bug #11411 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object (webmozart) * bug #11403 [Translator][FrameworkBundle] Added @ to the list of allowed chars in Translator (takeit) * bug #11381 [Process] Use correct test for empty string in UnixPipes (whs, romainneutron) ## 2.3.18 (2014-07-15) * 
[Security] Forced validate of locales passed to the translator * feature #11367 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) (Andrew Moore) * bug #11386 Remove Spaceless Blocks from Twig Form Templates (chrisguitarguy) * bug #9719 [TwigBundle] fix configuration tree for paths (mdavis1982, cordoval) * bug #11244 [HttpFoundation] Remove body-related headers when sending the response, if body is empty (SimonSimCity) ## 2.3.17 (2014-07-07) * bug #11238 [Translation] Added unescaping of ids in PoFileLoader (JustBlackBird) * bug #11194 [DomCrawler] Remove the query string and the anchor of the uri of a link (benja-M-1) * bug #11272 [Console] Make sure formatter is the same. (akimsko) * bug #11259 [Config] Fixed failed config schema loads due to libxml_disable_entity_loader usage (ccorliss) * bug #11234 [ClassLoader] fixed PHP warning on PHP 5.3 (fabpot) * bug #11179 [Process] Fix ExecutableFinder with open basedir (cs278) * bug #11242 [CssSelector] Refactored the CssSelector to remove the circular object graph (stof) * bug #11219 [DomCrawler] properly handle buttons with single and double quotes insid... (xabbuh) * bug #11220 [Components][Serializer] optional constructor arguments can be omitted during the denormalization process (xabbuh) * bug #11186 Added missing `break` statement (apfelbox) * bug #11169 [Console] Fixed notice in DialogHelper (florianv) * bug #11144 [HttpFoundation] Fixed Request::getPort returns incorrect value under IPv6 (kicken) * bug #10966 PHP Fatal error when getContainer method of ContainerAwareCommand has be... 
(kevinvergauwen) * bug #10981 [HttpFoundation] Fixed isSecure() check to be compliant with the docs (Jannik Zschiesche) * bug #11092 [HttpFoundation] Fix basic authentication in url with PHP-FPM (Kdecherf) * bug #10808 [DomCrawler] Empty select with attribute name="foo[]" bug fix (darles) * bug #11063 [HttpFoundation] fix switch statement (Tobion) * bug #11009 [HttpFoundation] smaller fixes for PdoSessionHandler (Tobion) * bug #11041 Remove undefined variable $e (skydiablo) ## 2.3.16 (2014-05-31) * bug #11014 [Validator] Remove property and method targets from the optional and required constraints (jakzal) * bug #10983 [DomCrawler] Fixed charset detection in html5 meta charset tag (77web) * bug #10979 Make rootPath part of regex greedy (artursvonda) * bug #10995 [TwigBridge][Trans]set %count% only on transChoice from the current context. (aitboudad) * bug #10987 [DomCrawler] Fixed a forgotten case of complex XPath queries (stof) ## 2.3.15 (2014-05-22) * reverted #10908 ## 2.3.14 (2014-05-22) * bug #10849 [WIP][Finder] Fix wrong implementation on sortable callback comparator (ProPheT777) * bug #10929 [Process] Add validation on Process input (romainneutron) * bug #10958 [DomCrawler] Fixed filterXPath() chaining loosing the parent DOM nodes (stof, robbertkl) * bug #10953 [HttpKernel] fixed file uploads in functional tests without file selected (realmfoo) * bug #10937 [HttpKernel] Fix "absolute path" when we look to the cache directory (BenoitLeveque) * bug #10908 [HttpFoundation] implement session locking for PDO (Tobion) * bug #10894 [HttpKernel] removed absolute paths from the generated container (fabpot) * bug #10926 [DomCrawler] Fixed the initial state for options without value attribute (stof) * bug #10925 [DomCrawler] Fixed the handling of boolean attributes in ChoiceFormField (stof) * bug #10777 [Form] Automatically add step attribute to HTML5 time widgets to display seconds if needed (tucksaun) * bug #10909 [PropertyAccess] Fixed plurals for -ves words 
(csarrazi) * bug #10899 Explicitly define the encoding. (jakzal) * bug #10897 [Console] Fix a console test (jakzal) * bug #10896 [HttpKernel] Fixed cache behavior when TTL has expired and a default "global" TTL is defined (alquerci, fabpot) * bug #10841 [DomCrawler] Fixed image input case sensitive (geoffrey-brier) * bug #10714 [Console]Improve formatter for double-width character (denkiryokuhatsuden) * bug #10872 [Form] Fixed TrimListenerTest as of PHP 5.5 (webmozart) * bug #10762 [BrowserKit] Allow URLs that don't contain a path when creating a cookie from a string (thewilkybarkid) * bug #10863 [Security] Add check for supported attributes in AclVoter (artursvonda) * bug #10833 [TwigBridge][Transchoice] set %count% from the current context. (aitboudad) * bug #10820 [WebProfilerBundle] Fixed profiler seach/homepage with empty token (tucksaun) * bug #10815 Fixed issue #5427 (umpirsky) * bug #10817 [Debug] fix #10313: FlattenException not found (nicolas-grekas) * bug #10803 [Debug] fix ErrorHandlerTest when context is not an array (nicolas-grekas) * bug #10801 [Debug] ErrorHandler: remove $GLOBALS from context in PHP5.3 fix #10292 (nicolas-grekas) * bug #10797 [HttpFoundation] Allow File instance to be passed to BinaryFileResponse (anlutro) * bug #10643 [TwigBridge] Removed strict check when found variables inside a translation (goetas) ## 2.3.13 (2014-04-27) * bug #10789 [Console] Fixed the rendering of exceptions on HHVM with a terminal width (stof) * bug #10773 [WebProfilerBundle ] Fixed an edge case on WDT loading (tucksaun) * bug #10763 [Process] Disable TTY mode on Windows platform (romainneutron) * bug #10772 [Finder] Fix ignoring of unreadable dirs in the RecursiveDirectoryIterator (jakzal) * bug #10757 [Process] Setting STDIN while running should not be possible (romainneutron) * bug #10749 Fixed incompatibility of x509 auth with nginx (alcaeus) * bug #10735 [Translation] [PluralizationRules] Little correction for case 'ar' (klyk50) * bug #10720 
[HttpFoundation] Fix DbalSessionHandler (Tobion) * bug #10721 [HttpFoundation] status 201 is allowed to have a body (Tobion) * bug #10728 [Process] Fix #10681, process are failing on Windows Server 2003 (romainneutron) * bug #10733 [DomCrawler] Textarea value should default to empty string instead of null. (Berdir) * bug #10723 [Security] fix DBAL connection typehint (Tobion) * bug #10700 Fixes various inconsistencies in the code (fabpot) * bug #10697 [Translation] Make IcuDatFileLoader/IcuResFileLoader::load invalid resource compatible with HHVM. (idn2104) * bug #10652 [HttpFoundation] fix PDO session handler under high concurrency (Tobion) * bug #10669 [Profiler] Prevent throwing fatal errors when searching timestamps or invalid dates (stloyd) * bug #10670 [Templating] PhpEngine should propagate charset to its helpers (stloyd) * bug #10665 [DependencyInjection] Fix ticket #10663 - Added setCharset method call to PHP templating engine (koku) * bug #10654 Changed the typehint of the EsiFragmentRenderer to the interface (stof) * bug #10649 [BrowserKit] Fix #10641 : BrowserKit is broken when using ip as host (romainneutron) ## 2.3.12 (2014-04-03) * bug #10586 Fixes URL validator to accept single part urls (merk) * bug #10591 [Form] Buttons are now disabled if their containing form is disabled (webmozart) * bug #10579 HHVM fixes (fabpot) * bug #10564 fixed the profiler when an uncalled listener throws an exception when instantiated (fabpot) * bug #10568 [Form] Fixed hashing of choice lists containing non-UTF-8 characters (webmozart) * bug #10536 Avoid levenshtein comparison when using ContainerBuilder. 
(catch56) * bug #10549 Fixed server values in BrowserKit (fabpot) * bug #10540 [HttpKernel] made parsing controllers more robust (fabpot) * bug #10545 [DependencyInjection] Fixed YamlFileLoader imports path (jrnickell) * bug #10523 [Debug] Check headers sent before sending PHP response (GromNaN) * bug #10275 [Validator] Fixed ACE domain checks on UrlValidator (#10031) (aeoris) * bug #10123 handle array root element (greg0ire) * bug #10532 Fixed regression when using Symfony on filesystems without chmod support (fabpot) * bug #10502 [HttpKernel] Fix #10437: Catch exceptions when reloading a no-cache request (romainneutron) * bug #10493 Fix libxml_use_internal_errors and libxml_disable_entity_loader usage (romainneutron) * bug #9784 [HttpFoundation] Removed ini check to make Uploadedfile work on Google App Engine (micheleorselli) * bug #10416 [Form] Allow options to be grouped by objects (felds) * bug #10410 [Form] Fix "Array was modified outside object" in ResizeFormListener. (Chekote) * bug #10494 [Validator] Minor fix in IBAN validator (sprain) * bug #10491 Fixed bug that incorrectly causes the "required" attribute to be omitted from select even though it contains the "multiple" attribute (fabpot) * bug #10479 [Process] Fix escaping on Windows (romainneutron) * bug #10480 [Process] Fixed fatal errors in getOutput and getErrorOutput when process was not started (romainneutron) * bug #10420 [Process] Make Process::start non-blocking on Windows platform (romainneutron) * bug #10455 [Process] Fix random failures in test suite on TravisCI (romainneutron) * bug #10448 [Process] Fix quoted arguments escaping (romainneutron) * bug #10444 [DomCrawler] Fixed incorrect value name conversion in getPhpValues() and getPhpFiles() (romainneutron) * bug #10423 [Config] XmlUtils::convertDomElementToArray does not handle '0' (bendavies) * bug #10153 [Process] Fixed data in pipe being truncated if not read before process termination (astephens25) * bug #10429 [Process] Fix #9160 : 
escaping an argument with a trailing backslash on windows fails (romainneutron) * bug #10412 [Process] Fix process status in TTY mode (romainneutron) * bug #10382 10158 get vary multiple (bbinkovitz) * bug #10251 [Form] Fixes empty file-inputs getting treated as extra field. (jenkoian) * bug #10351 [HttpKernel] fix stripComments() normalizing new-lines (sstok) * bug #10348 Update FileLoader to fix issue #10339 (msumme) ## 2.3.11 (2014-02-27) * bug #10146 [WebProfilerBundle] fixed parsing Mongo DSN and added Test for it (malarzm) * bug #10299 [Finder] () is also a valid delimiter (WouterJ) * bug #10255 [FrameworkBundle] Fixed wrong redirect url if path contains some query parameters (pulzarraider) * bug #10285 Bypass sigchild detection if phpinfo is not available (Seldaek) * bug #10269 [Form] Revert "Fix "Array was modified outside object" in ResizeFormListener." (norzechowicz) ## 2.3.10 (2014-02-12) * bug #10231 [Console] removed problematic regex (fabpot) * bug #10245 [DomCrawler] Added support for <area> tags to be treated as links (shamess) * bug #10232 [Form] Fix "Array was modified outside object" in ResizeFormListener. (Chekote) * bug #10215 [Routing] reduced recursion in dumper (arnaud-lb) * bug #10207 [DomCrawler] Fixed filterXPath() chaining (robbertkl) * bug #10205 [DomCrawler] Fixed incorrect handling of image inputs (robbertkl) * bug #10191 [HttpKernel] fixed wrong reference in TraceableEventDispatcher (fabpot) * bug #10195 [Debug] Fixed recursion level incrementing in FlattenException::flattenArgs(). 
(sun) * bug #10151 [Form] Update DateTime objects only if the actual value has changed (peterrehm) * bug #10140 allow the TextAreaFormField to be used with valid/invalid HTML (dawehner) * bug #10131 added lines to exceptions for the trans and transchoice tags (fabpot) * bug #10119 [Validator] Minor fix in XmlFileLoader (florianv) * bug #10078 [BrowserKit] add non-standard port to HTTP_HOST server param (kbond) * bug #10091 [Translation] Update PluralizationRules.php (guilhermeblanco) * bug #10053 [Form] fixed allow render 0 numeric input value (dczech) * bug #10033 [HttpKernel] Bugfix - Logger Deprecation Notice (Rican7) * bug #10023 [FrameworkBundle] Thrown an HttpException instead returning a Response in RedirectController::redirectAction() (jakzal) * bug #9985 Prevent WDT from creating a session (mvrhov) * bug #10000 [Console] Fixed the compatibility with HHVM (stof) * bug #9979 [Doctrine Bridge][Validator] Fix for null values in assosiated properties when using UniqueEntityValidator (vpetrovych) * bug #9983 [TwigBridge] Update min. version of Twig (stloyd) * bug #9970 [CssSelector] fixed numeric attribute issue (jfsimon) * bug #9747 [DoctrineBridge] Fix: Add type detection. Needed by pdo_dblib (iamluc) * bug #9962 [Process] Fix #9861 : Revert TTY mode (romainneutron) * bug #9960 [Form] Update minimal requirement in composer.json (stloyd) * bug #9952 [Translator] Fix Empty translations with Qt files (vlefort) * bug #9948 [WebProfilerBundle] Fixed profiler toolbar icons for XHTML. (rafalwrzeszcz) * bug #9933 Propel1 exception message (jaugustin) * bug #9949 [BrowserKit] Throw exception on invalid cookie expiration timestamp (anlutro)
high
CVE-2014-5245## 2.3.30 (2015-05-30) * bug #14262 [REVERTED] [TwigBundle] Refresh twig paths when resources change. (aitboudad) ## 2.3.29 (2015-05-26) * security #14759 CVE-2015-4050 [HttpKernel] Do not call the FragmentListener if _controller is already defined (jakzal) * bug #14715 [Form] Check instance of FormBuilderInterface instead of FormBuilder (dosten) * bug #14678 [Security] AbstractRememberMeServices::encodeCookie() validates cookie parts (MacDada) * bug #14635 [HttpKernel] Handle an array vary header in the http cache store (jakzal) * bug #14513 [console][formater] allow format toString object. (aitboudad) * bug #14335 [HttpFoundation] Fix baseUrl when script filename is contained in pathInfo (danez) * bug #14593 [Security][Firewall] Avoid redirection to XHR URIs (asiragusa) * bug #14618 [DomCrawler] Throw an exception if a form field path is incomplete (jakzal) * bug #14698 Fix HTML escaping of to-source links (nicolas-grekas) * bug #14690 [HttpFoundation] IpUtils::checkIp4() should allow `/0` networks (zerkms) * bug #14262 [TwigBundle] Refresh twig paths when resources change. (aitboudad) * bug #13633 [ServerBag] Handled bearer authorization header in REDIRECT_ form (Lance0312) * bug #13637 [CSS] WebProfiler break words (nicovak) * bug #14633 [EventDispatcher] make listeners removable from an executed listener (xabbuh) ## 2.3.28 (2015-05-10) * bug #14266 [HttpKernel] Check if "symfony/proxy-manager-bridge" package is installed (hason) * bug #14501 [ProxyBridge] Fix proxy classnames generation (xphere) * bug #14498 [FrameworkBundle] Added missing log in server:run command (lyrixx) * bug #14484 [SecurityBundle][WebProfiler] check authenticated user by tokenClass instead of username. 
(aitboudad) * bug #14497 [HttpFoundation] Allow curly braces in trusted host patterns (sgrodzicki) * bug #14436 Show a better error when the port is in use (dosten) * bug #14463 [Validator] Fixed Choice when an empty array is used in the "choices" option (webmozart) * bug #14402 [FrameworkBundle][Translation] Check for 'xlf' instead of 'xliff' (xelaris) * bug #14272 [FrameworkBundle] Workaround php -S ignoring auto_prepend_file (nicolas-grekas) * bug #14345 [FrameworkBundle] Fix Routing\DelegatingLoader resiliency to fatal errors (nicolas-grekas) * bug #14325 [Routing][DependencyInjection] Support .yaml extension in YAML loaders (thunderer) * bug #14344 [Translation][fixed test] refresh cache when resources are no longer fresh. (aitboudad) * bug #14268 [Translator] Cache does not take fallback locales into consideration (sf2.3) (mpdude) * bug #14192 [HttpKernel] Embed the original exception as previous to bounced exceptions (nicolas-grekas) * bug #14102 [Enhancement] netbeans - force interactive shell when limited detection (cordoval) * bug #14191 [StringUtil] Fixed singularification of 'movies' (GerbenWijnja) ## 2.3.27 (2015-04-01) * security #14167 CVE-2015-2308 (nicolas-grekas) * security #14166 CVE-2015-2309 (neclimdul) * bug #14010 Replace GET parameters when changed in form (WouterJ) * bug #13991 [Dependency Injection] Improve PhpDumper Performance for huge Containers (BattleRattle) * bug #13997 [2.3+][Form][DoctrineBridge] Improved loading of entities and documents (guilhermeblanco) * bug #13953 [Translation][MoFileLoader] fixed load empty translation. 
(aitboudad) * bug #13912 [DependencyInjection] Highest precedence for user parameters (lyrixx) ## 2.3.26 (2015-03-17) * bug #13927 Fixing wrong variable name from #13519 (weaverryan) * bug #13519 [DependencyInjection] fixed service resolution for factories (fabpot) * bug #13901 [Bundle] Fix charset config (nicolas-grekas, bamarni) * bug #13911 [HttpFoundation] MongoDbSessionHandler::read() now checks for valid session age (bzikarsky) * bug #13890 Fix XSS in Debug exception handler (fabpot) * bug #13744 minor #13377 [Console] Change greater by greater or equal for isFresh in FileResource (bijibox) * bug #13708 [HttpFoundation] fixed param order for Nginx's x-accel-mapping (phansys) * bug #13767 [HttpKernel] Throw double-bounce exceptions (nicolas-grekas) * bug #13769 [Form] NativeRequestHandler file handling fix (mpajunen) * bug #13779 [FrameworkBundle] silence E_USER_DEPRECATED in insulated clients (nicolas-grekas) * bug #13715 Enforce UTF-8 charset for core controllers (WouterJ) * bug #13683 [PROCESS] make sure /dev/tty is readable (staabm) * bug #13733 [Process] Fixed PhpProcess::getCommandLine() result (francisbesset) * bug #13618 [PropertyAccess] Fixed invalid feedback -> foodback singularization (WouterJ) * bug #13630 [Console] fixed ArrayInput, if array contains 0 key. (arima-ryunosuke) * bug #13647 [FrameworkBundle] Fix title and placeholder rendering in php form templates (jakzal) * bug #13607 [Console] Fixed output bug, if escaped string in a formatted string. 
(tronsha) * bug #13466 [Security] Remove ContextListener's onKernelResponse listener as it is used (davedevelopment) * bug #12864 [Console][Table] Fix cell padding with multi-byte (ttsuruoka) * bug #13375 [YAML] Fix one-liners to work with multiple new lines (Alex Pott) * bug #13545 fixxed order of usage (OskarStark) * bug #13567 [Routing] make host matching case-insensitive (Tobion) ## 2.3.25 (2015-01-30) * bug #13528 [Validator] reject ill-formed strings (nicolas-grekas) * bug #13525 [Validator] UniqueEntityValidator - invalidValue fixed. (Dawid Sajdak) * bug #13527 [Validator] drop grapheme_strlen in LengthValidator (nicolas-grekas) * bug #13376 [FrameworkBundle][config] allow multiple fallback locales. (aitboudad) * bug #12972 Make the container considered non-fresh if the environment parameters are changed (thewilkybarkid) * bug #13309 [Console] fixed 10531 (nacmartin) * bug #13352 [Yaml] fixed parse shortcut Key after unindented collection. (aitboudad) * bug #13039 [HttpFoundation] [Request] fix baseUrl parsing to fix wrong path_info (rk3rn3r) * bug #13250 [Twig][Bridge][TranslationDefaultDomain] add support of named arguments. (aitboudad) * bug #13332 [Console] ArgvInput and empty tokens (Taluu) * bug #13293 [EventDispatcher] Add missing checks to RegisterListenersPass (znerol) * bug #13262 [Yaml] Improve YAML boolean escaping (petert82, larowlan) * bug #13420 [Debug] fix loading order for legacy classes (nicolas-grekas) * bug #13371 fix missing comma in YamlDumper (garak) * bug #13365 [HttpFoundation] Make use of isEmpty() method (xelaris) * bug #13347 [Console] Helper\TableHelper->addRow optimization (boekkooi) * bug #13346 [PropertyAccessor] Allow null value for a array (2.3) (boekkooi) * bug #13170 [Form] Set a child type to text if added to the form without a type. (jakzal) * bug #13334 [Yaml] Fixed #10597: Improved Yaml directive parsing (VictoriaQ) ## 2.3.24 (2015-01-07) * bug #13286 [Security] Don't destroy the session on buggy php releases. 
(derrabus) * bug #12417 [HttpFoundation] Fix an issue caused by php's Bug #66606. (wusuopu) * bug #13200 Don't add Accept-Range header on unsafe HTTP requests (jaytaph) * bug #12491 [Security] Don't send remember cookie for sub request (blanchonvincent) * bug #12574 [HttpKernel] Fix UriSigner::check when _hash is not at the end of the uri (nyroDev) * bug #13185 Fixes Issue #13184 - incremental output getters now return empty strings (Bailey Parker) * bug #13145 [DomCrawler] Fix behaviour with <base> tag (dkop, WouterJ) * bug #13141 [TwigBundle] Moved the setting of the default escaping strategy from the Twig engine to the Twig environment (fabpot) * bug #13114 [HttpFoundation] fixed error when an IP in the X-Forwarded-For HTTP head... (fabpot) * bug #12572 [HttpFoundation] fix checkip6 (Neime) * bug #13075 [Config] fix error handler restoration in test (nicolas-grekas) * bug #13081 [FrameworkBundle] forward error reporting level to insulated Client (nicolas-grekas) * bug #13053 [FrameworkBundle] Fixed Translation loader and update translation command. (saro0h) * bug #13048 [Security] Delete old session on auth strategy migrate (xelaris) * bug #12999 [FrameworkBundle] fix cache:clear command (nicolas-grekas) * bug #13004 add a limit and a test to FlattenExceptionTest. (Daniel Wehner) * bug #12961 fix session restart on PHP 5.3 (Tobion) * bug #12761 [Filesystem] symlink use RealPath instead LinkTarget (aitboudad) * bug #12855 [DependencyInjection] Perf php dumper (nicolas-grekas) * bug #12894 [FrameworkBundle][Template name] avoid error message for the shortcut n... 
(aitboudad) * bug #12858 [ClassLoader] Fix undefined index in ClassCollectionLoader (szicsu) ## 2.3.23 (2014-12-03) * bug #12811 Configure firewall's kernel exception listener with configured entry point or a default entry point (rjkip) * bug #12784 [DependencyInjection] make paths relative to __DIR__ in the generated container (nicolas-grekas) * bug #12716 [ClassLoader] define constant only if it wasn't defined before (xabbuh) * bug #12553 [Debug] fix error message on double exception (nicolas-grekas) * bug #12550 [FrameworkBundle] backport #12489 (xabbuh) * bug #12570 Fix initialized() with aliased services (Daniel Wehner) * bug #12137 [FrameworkBundle] cache:clear command fills *.php.meta files with wrong data (Strate) ## 2.3.22 (2014-11-20) * bug #12525 [Bundle][FrameworkBundle] be smarter when guessing the document root (xabbuh) * bug #12296 [SecurityBundle] Authentication entry point is only registered with firewall exception listener, not with authentication listeners (rjkip) * bug #12393 [DependencyInjection] inlined factory not referenced (boekkooi) * bug #12436 [Filesystem] Fixed case for empty folder (yosmanyga) * bug #12370 [Yaml] improve error message for multiple documents (xabbuh) * bug #12170 [Form] fix form handling with OPTIONS request method (Tobion) * bug #12235 [Validator] Fixed Regex::getHtmlPattern() to work with complex and negated patterns (webmozart) * bug #12326 [Session] remove invalid hack in session regenerate (Tobion) * bug #12341 [Kernel] ensure session is saved before sending response (Tobion) * bug #12329 [Routing] serialize the compiled route to speed things up (Tobion) * bug #12316 Break infinite loop while resolving aliases (chx) * bug #12313 [Security][listener] change priority of switchuser (aitboudad) ## 2.3.21 (2014-10-24) * bug #11696 [Form] Fix #11694 - Enforce options value type check in some form types (kix) * bug #12209 [FrameworkBundle] Fixed ide links (hason) * bug #12208 Add missing argument (WouterJ) * bug #12197 
[TwigBundle] do not pass a template reference to twig (Tobion) * bug #12196 [TwigBundle] show correct fallback exception template in debug mode (Tobion) * bug #12187 [CssSelector] don't raise warnings when exception is thrown (xabbuh) * bug #11998 [Intl] Integrated ICU data into Intl component #2 (webmozart) * bug #11920 [Intl] Integrated ICU data into Intl component #1 (webmozart) ## 2.3.20 (2014-09-28) * bug #9453 [Form][DateTime] Propagate invalid_message & invalid_message_parameters to date & time (egeloen) * bug #11058 [Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider (glutamatt) * bug #12004 [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required (webmozart) * bug #11904 Make twig ExceptionController conformed with ExceptionListener (megazoll) * bug #11924 [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler (rpg600, webmozart) * bug #11079 Response::isNotModified returns true when If-Modified-Since is later than Last-Modified (skolodyazhnyy) * bug #11989 [Finder][Urgent] Remove asterisk and question mark from folder name in test to prevent windows file system issues. (Adam) * bug #11908 [Translation] [Config] Clear libxml errors after parsing xliff file (pulzarraider) * bug #11937 [HttpKernel] Make sure HttpCache is a trusted proxy (thewilkybarkid) * bug #11970 [Finder] Escape location for regex searches (ymc-dabe) * bug #11837 Use getPathname() instead of string casting to get BinaryFileReponse file path (nervo) * bug #11513 [Translation] made XliffFileDumper support CDATA sections. 
(hhamon) * bug #11907 [Intl] Improved bundle reader implementations (webmozart) * bug #11874 [Console] guarded against non-traversable aliases (thierrymarianne) * bug #11799 [YAML] fix handling of empty sequence items (xabbuh) * bug #11906 [Intl] Fixed a few bugs in TextBundleWriter (webmozart) * bug #11459 [Form][Validator] All index items after children are to be considered grand-children when resolving ViolationPath (Andrew Moore) * bug #11715 [Form] FormBuilder::getIterator() now deals with resolved children (issei-m) * bug #11892 [SwiftmailerBridge] Bump allowed versions of swiftmailer (ymc-dabe) * bug #11918 [DependencyInjection] remove `service` parameter type from XSD (xabbuh) * bug #11905 [Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle (webmozart) * bug #11497 Use separated function to resolve command and related arguments (JJK801) * bug #11374 [DI] Added safeguards against invalid config in the YamlFileLoader (stof) * bug #11897 [FrameworkBundle] Remove invalid markup (flack) * bug #11860 [Security] Fix usage of unexistent method in DoctrineAclCache. 
(mauchede) * bug #11850 [YAML] properly mask escape sequences in quoted strings (xabbuh) * bug #11856 [FrameworkBundle] backport more error information from 2.6 to 2.3 (xabbuh) * bug #11843 [Yaml] improve error message when detecting unquoted asterisks (xabbuh) ## 2.3.19 (2014-09-03) * security #11832 CVE-2014-6072 (fabpot) * security #11831 CVE-2014-5245 (stof) * security #11830 CVE-2014-4931 (aitboudad, Jérémy Derussé) * security #11829 CVE-2014-6061 (damz, fabpot) * security #11828 CVE-2014-5244 (nicolas-grekas, larowlan) * bug #10197 [FrameworkBundle] PhpExtractor bugfix and improvements (mtibben) * bug #11772 [Filesystem] Add FTP stream wrapper context option to enable overwrite (Damian Sromek) * bug #11788 [Yaml] fixed mapping keys containing a quoted # (hvt, fabpot) * bug #11160 [DoctrineBridge] Abstract Doctrine Subscribers with tags (merk) * bug #11768 [ClassLoader] Add a __call() method to XcacheClassLoader (tstoeckler) * bug #11726 [Filesystem Component] mkdir race condition fix #11626 (kcassam) * bug #11677 [YAML] resolve variables in inlined YAML (xabbuh) * bug #11639 [DependencyInjection] Fixed factory service not within the ServiceReferenceGraph. 
(boekkooi) * bug #11778 [Validator] Fixed wrong translations for Collection constraints (samicemalone) * bug #11756 [DependencyInjection] fix @return anno created by PhpDumper (jakubkulhan) * bug #11711 [DoctrineBridge] Fix empty parameter logging in the dbal logger (jakzal) * bug #11692 [DomCrawler] check for the correct field type (xabbuh) * bug #11672 [Routing] fix handling of nullable XML attributes (xabbuh) * bug #11624 [DomCrawler] fix the axes handling in a bc way (xabbuh) * bug #11676 [Form] Fixed #11675 ValueToDuplicatesTransformer accept "0" value (Nek-) * bug #11695 [Validators] Fixed failing tests requiring ICU 52.1 which are skipped otherwise (webmozart) * bug #11529 [WebProfilerBundle] Fixed double height of canvas (hason) * bug #11641 [WebProfilerBundle ] Fix toolbar vertical alignment (blaugueux) * bug #11559 [Validator] Convert objects to string in comparison validators (webmozart) * feature #11510 [HttpFoundation] MongoDbSessionHandler supports auto expiry via configurable expiry_field (catchamonkey) * bug #11408 [HttpFoundation] Update QUERY_STRING when overrideGlobals (yguedidi) * bug #11633 [FrameworkBundle] add missing attribute to XSD (xabbuh) * bug #11601 [Validator] Allow basic auth in url when using UrlValidator. 
(blaugueux) * bug #11609 [Console] fixed style creation when providing an unknown tag option (fabpot) * bug #10914 [HttpKernel] added an analyze of environment parameters for built-in server (mauchede) * bug #11598 [Finder] Shell escape and windows support (Gordon Franke, gimler) * bug #11499 [BrowserKit] Fixed relative redirects for ambiguous paths (pkruithof) * bug #11516 [BrowserKit] Fix browser kit redirect with ports (dakota) * bug #11545 [Bundle][FrameworkBundle] built-in server: exit when docroot does not exist (xabbuh) * bug #11560 Plural fix (1emming) * bug #11558 [DependencyInjection] Fixed missing 'factory-class' attribute in XmlDumper output (kerdany) * bug #11548 [Component][DomCrawler] fix axes handling in Crawler::filterXPath() (xabbuh) * bug #11422 [DependencyInjection] Self-referenced 'service_container' service breaks garbage collection (sun) * bug #11428 [Serializer] properly handle null data when denormalizing (xabbuh) * bug #10687 [Validator] Fixed string conversion in constraint violations (eagleoneraptor, webmozart) * bug #11475 [EventDispatcher] don't count empty listeners (xabbuh) * bug #11436 fix signal handling in wait() on calls to stop() (xabbuh, romainneutron) * bug #11469 [BrowserKit] Fixed server HTTP_HOST port uri conversion (bcremer, fabpot) * bug #11425 Fix issue described in #11421 (Ben, ben-rosio) * bug #11423 Pass a Scope instance instead of a scope name when cloning a container in the GrahpvizDumper (jakzal) * bug #11120 [Process] Reduce I/O load on Windows platform (romainneutron) * bug #11342 [Form] Check if IntlDateFormatter constructor returned a valid object before using it (romainneutron) * bug #11411 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object (webmozart) * bug #11403 [Translator][FrameworkBundle] Added @ to the list of allowed chars in Translator (takeit) * bug #11381 [Process] Use correct test for empty string in UnixPipes (whs, romainneutron) ## 2.3.18 (2014-07-15) * 
[Security] Forced validate of locales passed to the translator * feature #11367 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) (Andrew Moore) * bug #11386 Remove Spaceless Blocks from Twig Form Templates (chrisguitarguy) * bug #9719 [TwigBundle] fix configuration tree for paths (mdavis1982, cordoval) * bug #11244 [HttpFoundation] Remove body-related headers when sending the response, if body is empty (SimonSimCity) ## 2.3.17 (2014-07-07) * bug #11238 [Translation] Added unescaping of ids in PoFileLoader (JustBlackBird) * bug #11194 [DomCrawler] Remove the query string and the anchor of the uri of a link (benja-M-1) * bug #11272 [Console] Make sure formatter is the same. (akimsko) * bug #11259 [Config] Fixed failed config schema loads due to libxml_disable_entity_loader usage (ccorliss) * bug #11234 [ClassLoader] fixed PHP warning on PHP 5.3 (fabpot) * bug #11179 [Process] Fix ExecutableFinder with open basedir (cs278) * bug #11242 [CssSelector] Refactored the CssSelector to remove the circular object graph (stof) * bug #11219 [DomCrawler] properly handle buttons with single and double quotes insid... (xabbuh) * bug #11220 [Components][Serializer] optional constructor arguments can be omitted during the denormalization process (xabbuh) * bug #11186 Added missing `break` statement (apfelbox) * bug #11169 [Console] Fixed notice in DialogHelper (florianv) * bug #11144 [HttpFoundation] Fixed Request::getPort returns incorrect value under IPv6 (kicken) * bug #10966 PHP Fatal error when getContainer method of ContainerAwareCommand has be... 
(kevinvergauwen) * bug #10981 [HttpFoundation] Fixed isSecure() check to be compliant with the docs (Jannik Zschiesche) * bug #11092 [HttpFoundation] Fix basic authentication in url with PHP-FPM (Kdecherf) * bug #10808 [DomCrawler] Empty select with attribute name="foo[]" bug fix (darles) * bug #11063 [HttpFoundation] fix switch statement (Tobion) * bug #11009 [HttpFoundation] smaller fixes for PdoSessionHandler (Tobion) * bug #11041 Remove undefined variable $e (skydiablo) ## 2.3.16 (2014-05-31) * bug #11014 [Validator] Remove property and method targets from the optional and required constraints (jakzal) * bug #10983 [DomCrawler] Fixed charset detection in html5 meta charset tag (77web) * bug #10979 Make rootPath part of regex greedy (artursvonda) * bug #10995 [TwigBridge][Trans]set %count% only on transChoice from the current context. (aitboudad) * bug #10987 [DomCrawler] Fixed a forgotten case of complex XPath queries (stof) ## 2.3.15 (2014-05-22) * reverted #10908 ## 2.3.14 (2014-05-22) * bug #10849 [WIP][Finder] Fix wrong implementation on sortable callback comparator (ProPheT777) * bug #10929 [Process] Add validation on Process input (romainneutron) * bug #10958 [DomCrawler] Fixed filterXPath() chaining loosing the parent DOM nodes (stof, robbertkl) * bug #10953 [HttpKernel] fixed file uploads in functional tests without file selected (realmfoo) * bug #10937 [HttpKernel] Fix "absolute path" when we look to the cache directory (BenoitLeveque) * bug #10908 [HttpFoundation] implement session locking for PDO (Tobion) * bug #10894 [HttpKernel] removed absolute paths from the generated container (fabpot) * bug #10926 [DomCrawler] Fixed the initial state for options without value attribute (stof) * bug #10925 [DomCrawler] Fixed the handling of boolean attributes in ChoiceFormField (stof) * bug #10777 [Form] Automatically add step attribute to HTML5 time widgets to display seconds if needed (tucksaun) * bug #10909 [PropertyAccess] Fixed plurals for -ves words 
(csarrazi) * bug #10899 Explicitly define the encoding. (jakzal) * bug #10897 [Console] Fix a console test (jakzal) * bug #10896 [HttpKernel] Fixed cache behavior when TTL has expired and a default "global" TTL is defined (alquerci, fabpot) * bug #10841 [DomCrawler] Fixed image input case sensitive (geoffrey-brier) * bug #10714 [Console]Improve formatter for double-width character (denkiryokuhatsuden) * bug #10872 [Form] Fixed TrimListenerTest as of PHP 5.5 (webmozart) * bug #10762 [BrowserKit] Allow URLs that don't contain a path when creating a cookie from a string (thewilkybarkid) * bug #10863 [Security] Add check for supported attributes in AclVoter (artursvonda) * bug #10833 [TwigBridge][Transchoice] set %count% from the current context. (aitboudad) * bug #10820 [WebProfilerBundle] Fixed profiler seach/homepage with empty token (tucksaun) * bug #10815 Fixed issue #5427 (umpirsky) * bug #10817 [Debug] fix #10313: FlattenException not found (nicolas-grekas) * bug #10803 [Debug] fix ErrorHandlerTest when context is not an array (nicolas-grekas) * bug #10801 [Debug] ErrorHandler: remove $GLOBALS from context in PHP5.3 fix #10292 (nicolas-grekas) * bug #10797 [HttpFoundation] Allow File instance to be passed to BinaryFileResponse (anlutro) * bug #10643 [TwigBridge] Removed strict check when found variables inside a translation (goetas) ## 2.3.13 (2014-04-27) * bug #10789 [Console] Fixed the rendering of exceptions on HHVM with a terminal width (stof) * bug #10773 [WebProfilerBundle ] Fixed an edge case on WDT loading (tucksaun) * bug #10763 [Process] Disable TTY mode on Windows platform (romainneutron) * bug #10772 [Finder] Fix ignoring of unreadable dirs in the RecursiveDirectoryIterator (jakzal) * bug #10757 [Process] Setting STDIN while running should not be possible (romainneutron) * bug #10749 Fixed incompatibility of x509 auth with nginx (alcaeus) * bug #10735 [Translation] [PluralizationRules] Little correction for case 'ar' (klyk50) * bug #10720 
[HttpFoundation] Fix DbalSessionHandler (Tobion) * bug #10721 [HttpFoundation] status 201 is allowed to have a body (Tobion) * bug #10728 [Process] Fix #10681, process are failing on Windows Server 2003 (romainneutron) * bug #10733 [DomCrawler] Textarea value should default to empty string instead of null. (Berdir) * bug #10723 [Security] fix DBAL connection typehint (Tobion) * bug #10700 Fixes various inconsistencies in the code (fabpot) * bug #10697 [Translation] Make IcuDatFileLoader/IcuResFileLoader::load invalid resource compatible with HHVM. (idn2104) * bug #10652 [HttpFoundation] fix PDO session handler under high concurrency (Tobion) * bug #10669 [Profiler] Prevent throwing fatal errors when searching timestamps or invalid dates (stloyd) * bug #10670 [Templating] PhpEngine should propagate charset to its helpers (stloyd) * bug #10665 [DependencyInjection] Fix ticket #10663 - Added setCharset method call to PHP templating engine (koku) * bug #10654 Changed the typehint of the EsiFragmentRenderer to the interface (stof) * bug #10649 [BrowserKit] Fix #10641 : BrowserKit is broken when using ip as host (romainneutron) ## 2.3.12 (2014-04-03) * bug #10586 Fixes URL validator to accept single part urls (merk) * bug #10591 [Form] Buttons are now disabled if their containing form is disabled (webmozart) * bug #10579 HHVM fixes (fabpot) * bug #10564 fixed the profiler when an uncalled listener throws an exception when instantiated (fabpot) * bug #10568 [Form] Fixed hashing of choice lists containing non-UTF-8 characters (webmozart) * bug #10536 Avoid levenshtein comparison when using ContainerBuilder. 
(catch56) * bug #10549 Fixed server values in BrowserKit (fabpot) * bug #10540 [HttpKernel] made parsing controllers more robust (fabpot) * bug #10545 [DependencyInjection] Fixed YamlFileLoader imports path (jrnickell) * bug #10523 [Debug] Check headers sent before sending PHP response (GromNaN) * bug #10275 [Validator] Fixed ACE domain checks on UrlValidator (#10031) (aeoris) * bug #10123 handle array root element (greg0ire) * bug #10532 Fixed regression when using Symfony on filesystems without chmod support (fabpot) * bug #10502 [HttpKernel] Fix #10437: Catch exceptions when reloading a no-cache request (romainneutron) * bug #10493 Fix libxml_use_internal_errors and libxml_disable_entity_loader usage (romainneutron) * bug #9784 [HttpFoundation] Removed ini check to make Uploadedfile work on Google App Engine (micheleorselli) * bug #10416 [Form] Allow options to be grouped by objects (felds) * bug #10410 [Form] Fix "Array was modified outside object" in ResizeFormListener. (Chekote) * bug #10494 [Validator] Minor fix in IBAN validator (sprain) * bug #10491 Fixed bug that incorrectly causes the "required" attribute to be omitted from select even though it contains the "multiple" attribute (fabpot) * bug #10479 [Process] Fix escaping on Windows (romainneutron) * bug #10480 [Process] Fixed fatal errors in getOutput and getErrorOutput when process was not started (romainneutron) * bug #10420 [Process] Make Process::start non-blocking on Windows platform (romainneutron) * bug #10455 [Process] Fix random failures in test suite on TravisCI (romainneutron) * bug #10448 [Process] Fix quoted arguments escaping (romainneutron) * bug #10444 [DomCrawler] Fixed incorrect value name conversion in getPhpValues() and getPhpFiles() (romainneutron) * bug #10423 [Config] XmlUtils::convertDomElementToArray does not handle '0' (bendavies) * bug #10153 [Process] Fixed data in pipe being truncated if not read before process termination (astephens25) * bug #10429 [Process] Fix #9160 : 
escaping an argument with a trailing backslash on windows fails (romainneutron) * bug #10412 [Process] Fix process status in TTY mode (romainneutron) * bug #10382 10158 get vary multiple (bbinkovitz) * bug #10251 [Form] Fixes empty file-inputs getting treated as extra field. (jenkoian) * bug #10351 [HttpKernel] fix stripComments() normalizing new-lines (sstok) * bug #10348 Update FileLoader to fix issue #10339 (msumme) ## 2.3.11 (2014-02-27) * bug #10146 [WebProfilerBundle] fixed parsing Mongo DSN and added Test for it (malarzm) * bug #10299 [Finder] () is also a valid delimiter (WouterJ) * bug #10255 [FrameworkBundle] Fixed wrong redirect url if path contains some query parameters (pulzarraider) * bug #10285 Bypass sigchild detection if phpinfo is not available (Seldaek) * bug #10269 [Form] Revert "Fix "Array was modified outside object" in ResizeFormListener." (norzechowicz) ## 2.3.10 (2014-02-12) * bug #10231 [Console] removed problematic regex (fabpot) * bug #10245 [DomCrawler] Added support for <area> tags to be treated as links (shamess) * bug #10232 [Form] Fix "Array was modified outside object" in ResizeFormListener. (Chekote) * bug #10215 [Routing] reduced recursion in dumper (arnaud-lb) * bug #10207 [DomCrawler] Fixed filterXPath() chaining (robbertkl) * bug #10205 [DomCrawler] Fixed incorrect handling of image inputs (robbertkl) * bug #10191 [HttpKernel] fixed wrong reference in TraceableEventDispatcher (fabpot) * bug #10195 [Debug] Fixed recursion level incrementing in FlattenException::flattenArgs(). 
(sun) * bug #10151 [Form] Update DateTime objects only if the actual value has changed (peterrehm) * bug #10140 allow the TextAreaFormField to be used with valid/invalid HTML (dawehner) * bug #10131 added lines to exceptions for the trans and transchoice tags (fabpot) * bug #10119 [Validator] Minor fix in XmlFileLoader (florianv) * bug #10078 [BrowserKit] add non-standard port to HTTP_HOST server param (kbond) * bug #10091 [Translation] Update PluralizationRules.php (guilhermeblanco) * bug #10053 [Form] fixed allow render 0 numeric input value (dczech) * bug #10033 [HttpKernel] Bugfix - Logger Deprecation Notice (Rican7) * bug #10023 [FrameworkBundle] Thrown an HttpException instead returning a Response in RedirectController::redirectAction() (jakzal) * bug #9985 Prevent WDT from creating a session (mvrhov) * bug #10000 [Console] Fixed the compatibility with HHVM (stof) * bug #9979 [Doctrine Bridge][Validator] Fix for null values in assosiated properties when using UniqueEntityValidator (vpetrovych) * bug #9983 [TwigBridge] Update min. version of Twig (stloyd) * bug #9970 [CssSelector] fixed numeric attribute issue (jfsimon) * bug #9747 [DoctrineBridge] Fix: Add type detection. Needed by pdo_dblib (iamluc) * bug #9962 [Process] Fix #9861 : Revert TTY mode (romainneutron) * bug #9960 [Form] Update minimal requirement in composer.json (stloyd) * bug #9952 [Translator] Fix Empty translations with Qt files (vlefort) * bug #9948 [WebProfilerBundle] Fixed profiler toolbar icons for XHTML. (rafalwrzeszcz) * bug #9933 Propel1 exception message (jaugustin) * bug #9949 [BrowserKit] Throw exception on invalid cookie expiration timestamp (anlutro)
high
CVE-2014-5244
## 2.3.30 (2015-05-30) * bug #14262 [REVERTED] [TwigBundle] Refresh twig paths when resources change. (aitboudad) ## 2.3.29 (2015-05-26) * security #14759 CVE-2015-4050 [HttpKernel] Do not call the FragmentListener if _controller is already defined (jakzal) * bug #14715 [Form] Check instance of FormBuilderInterface instead of FormBuilder (dosten) * bug #14678 [Security] AbstractRememberMeServices::encodeCookie() validates cookie parts (MacDada) * bug #14635 [HttpKernel] Handle an array vary header in the http cache store (jakzal) * bug #14513 [console][formater] allow format toString object. (aitboudad) * bug #14335 [HttpFoundation] Fix baseUrl when script filename is contained in pathInfo (danez) * bug #14593 [Security][Firewall] Avoid redirection to XHR URIs (asiragusa) * bug #14618 [DomCrawler] Throw an exception if a form field path is incomplete (jakzal) * bug #14698 Fix HTML escaping of to-source links (nicolas-grekas) * bug #14690 [HttpFoundation] IpUtils::checkIp4() should allow `/0` networks (zerkms) * bug #14262 [TwigBundle] Refresh twig paths when resources change. (aitboudad) * bug #13633 [ServerBag] Handled bearer authorization header in REDIRECT_ form (Lance0312) * bug #13637 [CSS] WebProfiler break words (nicovak) * bug #14633 [EventDispatcher] make listeners removable from an executed listener (xabbuh) ## 2.3.28 (2015-05-10) * bug #14266 [HttpKernel] Check if "symfony/proxy-manager-bridge" package is installed (hason) * bug #14501 [ProxyBridge] Fix proxy classnames generation (xphere) * bug #14498 [FrameworkBundle] Added missing log in server:run command (lyrixx) * bug #14484 [SecurityBundle][WebProfiler] check authenticated user by tokenClass instead of username. 
(aitboudad) * bug #14497 [HttpFoundation] Allow curly braces in trusted host patterns (sgrodzicki) * bug #14436 Show a better error when the port is in use (dosten) * bug #14463 [Validator] Fixed Choice when an empty array is used in the "choices" option (webmozart) * bug #14402 [FrameworkBundle][Translation] Check for 'xlf' instead of 'xliff' (xelaris) * bug #14272 [FrameworkBundle] Workaround php -S ignoring auto_prepend_file (nicolas-grekas) * bug #14345 [FrameworkBundle] Fix Routing\DelegatingLoader resiliency to fatal errors (nicolas-grekas) * bug #14325 [Routing][DependencyInjection] Support .yaml extension in YAML loaders (thunderer) * bug #14344 [Translation][fixed test] refresh cache when resources are no longer fresh. (aitboudad) * bug #14268 [Translator] Cache does not take fallback locales into consideration (sf2.3) (mpdude) * bug #14192 [HttpKernel] Embed the original exception as previous to bounced exceptions (nicolas-grekas) * bug #14102 [Enhancement] netbeans - force interactive shell when limited detection (cordoval) * bug #14191 [StringUtil] Fixed singularification of 'movies' (GerbenWijnja) ## 2.3.27 (2015-04-01) * security #14167 CVE-2015-2308 (nicolas-grekas) * security #14166 CVE-2015-2309 (neclimdul) * bug #14010 Replace GET parameters when changed in form (WouterJ) * bug #13991 [Dependency Injection] Improve PhpDumper Performance for huge Containers (BattleRattle) * bug #13997 [2.3+][Form][DoctrineBridge] Improved loading of entities and documents (guilhermeblanco) * bug #13953 [Translation][MoFileLoader] fixed load empty translation. 
(aitboudad) * bug #13912 [DependencyInjection] Highest precedence for user parameters (lyrixx) ## 2.3.26 (2015-03-17) * bug #13927 Fixing wrong variable name from #13519 (weaverryan) * bug #13519 [DependencyInjection] fixed service resolution for factories (fabpot) * bug #13901 [Bundle] Fix charset config (nicolas-grekas, bamarni) * bug #13911 [HttpFoundation] MongoDbSessionHandler::read() now checks for valid session age (bzikarsky) * bug #13890 Fix XSS in Debug exception handler (fabpot) * bug #13744 minor #13377 [Console] Change greater by greater or equal for isFresh in FileResource (bijibox) * bug #13708 [HttpFoundation] fixed param order for Nginx's x-accel-mapping (phansys) * bug #13767 [HttpKernel] Throw double-bounce exceptions (nicolas-grekas) * bug #13769 [Form] NativeRequestHandler file handling fix (mpajunen) * bug #13779 [FrameworkBundle] silence E_USER_DEPRECATED in insulated clients (nicolas-grekas) * bug #13715 Enforce UTF-8 charset for core controllers (WouterJ) * bug #13683 [PROCESS] make sure /dev/tty is readable (staabm) * bug #13733 [Process] Fixed PhpProcess::getCommandLine() result (francisbesset) * bug #13618 [PropertyAccess] Fixed invalid feedback -> foodback singularization (WouterJ) * bug #13630 [Console] fixed ArrayInput, if array contains 0 key. (arima-ryunosuke) * bug #13647 [FrameworkBundle] Fix title and placeholder rendering in php form templates (jakzal) * bug #13607 [Console] Fixed output bug, if escaped string in a formatted string. 
(tronsha) * bug #13466 [Security] Remove ContextListener's onKernelResponse listener as it is used (davedevelopment) * bug #12864 [Console][Table] Fix cell padding with multi-byte (ttsuruoka) * bug #13375 [YAML] Fix one-liners to work with multiple new lines (Alex Pott) * bug #13545 fixxed order of usage (OskarStark) * bug #13567 [Routing] make host matching case-insensitive (Tobion) ## 2.3.25 (2015-01-30) * bug #13528 [Validator] reject ill-formed strings (nicolas-grekas) * bug #13525 [Validator] UniqueEntityValidator - invalidValue fixed. (Dawid Sajdak) * bug #13527 [Validator] drop grapheme_strlen in LengthValidator (nicolas-grekas) * bug #13376 [FrameworkBundle][config] allow multiple fallback locales. (aitboudad) * bug #12972 Make the container considered non-fresh if the environment parameters are changed (thewilkybarkid) * bug #13309 [Console] fixed 10531 (nacmartin) * bug #13352 [Yaml] fixed parse shortcut Key after unindented collection. (aitboudad) * bug #13039 [HttpFoundation] [Request] fix baseUrl parsing to fix wrong path_info (rk3rn3r) * bug #13250 [Twig][Bridge][TranslationDefaultDomain] add support of named arguments. (aitboudad) * bug #13332 [Console] ArgvInput and empty tokens (Taluu) * bug #13293 [EventDispatcher] Add missing checks to RegisterListenersPass (znerol) * bug #13262 [Yaml] Improve YAML boolean escaping (petert82, larowlan) * bug #13420 [Debug] fix loading order for legacy classes (nicolas-grekas) * bug #13371 fix missing comma in YamlDumper (garak) * bug #13365 [HttpFoundation] Make use of isEmpty() method (xelaris) * bug #13347 [Console] Helper\TableHelper->addRow optimization (boekkooi) * bug #13346 [PropertyAccessor] Allow null value for a array (2.3) (boekkooi) * bug #13170 [Form] Set a child type to text if added to the form without a type. (jakzal) * bug #13334 [Yaml] Fixed #10597: Improved Yaml directive parsing (VictoriaQ) ## 2.3.24 (2015-01-07) * bug #13286 [Security] Don't destroy the session on buggy php releases. 
(derrabus) * bug #12417 [HttpFoundation] Fix an issue caused by php's Bug #66606. (wusuopu) * bug #13200 Don't add Accept-Range header on unsafe HTTP requests (jaytaph) * bug #12491 [Security] Don't send remember cookie for sub request (blanchonvincent) * bug #12574 [HttpKernel] Fix UriSigner::check when _hash is not at the end of the uri (nyroDev) * bug #13185 Fixes Issue #13184 - incremental output getters now return empty strings (Bailey Parker) * bug #13145 [DomCrawler] Fix behaviour with <base> tag (dkop, WouterJ) * bug #13141 [TwigBundle] Moved the setting of the default escaping strategy from the Twig engine to the Twig environment (fabpot) * bug #13114 [HttpFoundation] fixed error when an IP in the X-Forwarded-For HTTP head... (fabpot) * bug #12572 [HttpFoundation] fix checkip6 (Neime) * bug #13075 [Config] fix error handler restoration in test (nicolas-grekas) * bug #13081 [FrameworkBundle] forward error reporting level to insulated Client (nicolas-grekas) * bug #13053 [FrameworkBundle] Fixed Translation loader and update translation command. (saro0h) * bug #13048 [Security] Delete old session on auth strategy migrate (xelaris) * bug #12999 [FrameworkBundle] fix cache:clear command (nicolas-grekas) * bug #13004 add a limit and a test to FlattenExceptionTest. (Daniel Wehner) * bug #12961 fix session restart on PHP 5.3 (Tobion) * bug #12761 [Filesystem] symlink use RealPath instead LinkTarget (aitboudad) * bug #12855 [DependencyInjection] Perf php dumper (nicolas-grekas) * bug #12894 [FrameworkBundle][Template name] avoid error message for the shortcut n... 
(aitboudad) * bug #12858 [ClassLoader] Fix undefined index in ClassCollectionLoader (szicsu) ## 2.3.23 (2014-12-03) * bug #12811 Configure firewall's kernel exception listener with configured entry point or a default entry point (rjkip) * bug #12784 [DependencyInjection] make paths relative to __DIR__ in the generated container (nicolas-grekas) * bug #12716 [ClassLoader] define constant only if it wasn't defined before (xabbuh) * bug #12553 [Debug] fix error message on double exception (nicolas-grekas) * bug #12550 [FrameworkBundle] backport #12489 (xabbuh) * bug #12570 Fix initialized() with aliased services (Daniel Wehner) * bug #12137 [FrameworkBundle] cache:clear command fills *.php.meta files with wrong data (Strate) ## 2.3.22 (2014-11-20) * bug #12525 [Bundle][FrameworkBundle] be smarter when guessing the document root (xabbuh) * bug #12296 [SecurityBundle] Authentication entry point is only registered with firewall exception listener, not with authentication listeners (rjkip) * bug #12393 [DependencyInjection] inlined factory not referenced (boekkooi) * bug #12436 [Filesystem] Fixed case for empty folder (yosmanyga) * bug #12370 [Yaml] improve error message for multiple documents (xabbuh) * bug #12170 [Form] fix form handling with OPTIONS request method (Tobion) * bug #12235 [Validator] Fixed Regex::getHtmlPattern() to work with complex and negated patterns (webmozart) * bug #12326 [Session] remove invalid hack in session regenerate (Tobion) * bug #12341 [Kernel] ensure session is saved before sending response (Tobion) * bug #12329 [Routing] serialize the compiled route to speed things up (Tobion) * bug #12316 Break infinite loop while resolving aliases (chx) * bug #12313 [Security][listener] change priority of switchuser (aitboudad) ## 2.3.21 (2014-10-24) * bug #11696 [Form] Fix #11694 - Enforce options value type check in some form types (kix) * bug #12209 [FrameworkBundle] Fixed ide links (hason) * bug #12208 Add missing argument (WouterJ) * bug #12197 
[TwigBundle] do not pass a template reference to twig (Tobion)
* bug #12196 [TwigBundle] show correct fallback exception template in debug mode (Tobion)
* bug #12187 [CssSelector] don't raise warnings when exception is thrown (xabbuh)
* bug #11998 [Intl] Integrated ICU data into Intl component #2 (webmozart)
* bug #11920 [Intl] Integrated ICU data into Intl component #1 (webmozart)

## 2.3.20 (2014-09-28)

* bug #9453 [Form][DateTime] Propagate invalid_message & invalid_message_parameters to date & time (egeloen)
* bug #11058 [Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider (glutamatt)
* bug #12004 [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required (webmozart)
* bug #11904 Make twig ExceptionController conformed with ExceptionListener (megazoll)
* bug #11924 [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler (rpg600, webmozart)
* bug #11079 Response::isNotModified returns true when If-Modified-Since is later than Last-Modified (skolodyazhnyy)
* bug #11989 [Finder][Urgent] Remove asterisk and question mark from folder name in test to prevent windows file system issues. (Adam)
* bug #11908 [Translation] [Config] Clear libxml errors after parsing xliff file (pulzarraider)
* bug #11937 [HttpKernel] Make sure HttpCache is a trusted proxy (thewilkybarkid)
* bug #11970 [Finder] Escape location for regex searches (ymc-dabe)
* bug #11837 Use getPathname() instead of string casting to get BinaryFileReponse file path (nervo)
* bug #11513 [Translation] made XliffFileDumper support CDATA sections. (hhamon)
* bug #11907 [Intl] Improved bundle reader implementations (webmozart)
* bug #11874 [Console] guarded against non-traversable aliases (thierrymarianne)
* bug #11799 [YAML] fix handling of empty sequence items (xabbuh)
* bug #11906 [Intl] Fixed a few bugs in TextBundleWriter (webmozart)
* bug #11459 [Form][Validator] All index items after children are to be considered grand-children when resolving ViolationPath (Andrew Moore)
* bug #11715 [Form] FormBuilder::getIterator() now deals with resolved children (issei-m)
* bug #11892 [SwiftmailerBridge] Bump allowed versions of swiftmailer (ymc-dabe)
* bug #11918 [DependencyInjection] remove `service` parameter type from XSD (xabbuh)
* bug #11905 [Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle (webmozart)
* bug #11497 Use separated function to resolve command and related arguments (JJK801)
* bug #11374 [DI] Added safeguards against invalid config in the YamlFileLoader (stof)
* bug #11897 [FrameworkBundle] Remove invalid markup (flack)
* bug #11860 [Security] Fix usage of unexistent method in DoctrineAclCache. (mauchede)
* bug #11850 [YAML] properly mask escape sequences in quoted strings (xabbuh)
* bug #11856 [FrameworkBundle] backport more error information from 2.6 to 2.3 (xabbuh)
* bug #11843 [Yaml] improve error message when detecting unquoted asterisks (xabbuh)

## 2.3.19 (2014-09-03)

* security #11832 CVE-2014-6072 (fabpot)
* security #11831 CVE-2014-5245 (stof)
* security #11830 CVE-2014-4931 (aitboudad, Jérémy Derussé)
* security #11829 CVE-2014-6061 (damz, fabpot)
* security #11828 CVE-2014-5244 (nicolas-grekas, larowlan)
* bug #10197 [FrameworkBundle] PhpExtractor bugfix and improvements (mtibben)
* bug #11772 [Filesystem] Add FTP stream wrapper context option to enable overwrite (Damian Sromek)
* bug #11788 [Yaml] fixed mapping keys containing a quoted # (hvt, fabpot)
* bug #11160 [DoctrineBridge] Abstract Doctrine Subscribers with tags (merk)
* bug #11768 [ClassLoader] Add a __call() method to XcacheClassLoader (tstoeckler)
* bug #11726 [Filesystem Component] mkdir race condition fix #11626 (kcassam)
* bug #11677 [YAML] resolve variables in inlined YAML (xabbuh)
* bug #11639 [DependencyInjection] Fixed factory service not within the ServiceReferenceGraph. (boekkooi)
* bug #11778 [Validator] Fixed wrong translations for Collection constraints (samicemalone)
* bug #11756 [DependencyInjection] fix @return anno created by PhpDumper (jakubkulhan)
* bug #11711 [DoctrineBridge] Fix empty parameter logging in the dbal logger (jakzal)
* bug #11692 [DomCrawler] check for the correct field type (xabbuh)
* bug #11672 [Routing] fix handling of nullable XML attributes (xabbuh)
* bug #11624 [DomCrawler] fix the axes handling in a bc way (xabbuh)
* bug #11676 [Form] Fixed #11675 ValueToDuplicatesTransformer accept "0" value (Nek-)
* bug #11695 [Validators] Fixed failing tests requiring ICU 52.1 which are skipped otherwise (webmozart)
* bug #11529 [WebProfilerBundle] Fixed double height of canvas (hason)
* bug #11641 [WebProfilerBundle ] Fix toolbar vertical alignment (blaugueux)
* bug #11559 [Validator] Convert objects to string in comparison validators (webmozart)
* feature #11510 [HttpFoundation] MongoDbSessionHandler supports auto expiry via configurable expiry_field (catchamonkey)
* bug #11408 [HttpFoundation] Update QUERY_STRING when overrideGlobals (yguedidi)
* bug #11633 [FrameworkBundle] add missing attribute to XSD (xabbuh)
* bug #11601 [Validator] Allow basic auth in url when using UrlValidator. (blaugueux)
* bug #11609 [Console] fixed style creation when providing an unknown tag option (fabpot)
* bug #10914 [HttpKernel] added an analyze of environment parameters for built-in server (mauchede)
* bug #11598 [Finder] Shell escape and windows support (Gordon Franke, gimler)
* bug #11499 [BrowserKit] Fixed relative redirects for ambiguous paths (pkruithof)
* bug #11516 [BrowserKit] Fix browser kit redirect with ports (dakota)
* bug #11545 [Bundle][FrameworkBundle] built-in server: exit when docroot does not exist (xabbuh)
* bug #11560 Plural fix (1emming)
* bug #11558 [DependencyInjection] Fixed missing 'factory-class' attribute in XmlDumper output (kerdany)
* bug #11548 [Component][DomCrawler] fix axes handling in Crawler::filterXPath() (xabbuh)
* bug #11422 [DependencyInjection] Self-referenced 'service_container' service breaks garbage collection (sun)
* bug #11428 [Serializer] properly handle null data when denormalizing (xabbuh)
* bug #10687 [Validator] Fixed string conversion in constraint violations (eagleoneraptor, webmozart)
* bug #11475 [EventDispatcher] don't count empty listeners (xabbuh)
* bug #11436 fix signal handling in wait() on calls to stop() (xabbuh, romainneutron)
* bug #11469 [BrowserKit] Fixed server HTTP_HOST port uri conversion (bcremer, fabpot)
* bug #11425 Fix issue described in #11421 (Ben, ben-rosio)
* bug #11423 Pass a Scope instance instead of a scope name when cloning a container in the GrahpvizDumper (jakzal)
* bug #11120 [Process] Reduce I/O load on Windows platform (romainneutron)
* bug #11342 [Form] Check if IntlDateFormatter constructor returned a valid object before using it (romainneutron)
* bug #11411 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object (webmozart)
* bug #11403 [Translator][FrameworkBundle] Added @ to the list of allowed chars in Translator (takeit)
* bug #11381 [Process] Use correct test for empty string in UnixPipes (whs, romainneutron)

## 2.3.18 (2014-07-15)

* [Security] Forced validate of locales passed to the translator
* feature #11367 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) (Andrew Moore)
* bug #11386 Remove Spaceless Blocks from Twig Form Templates (chrisguitarguy)
* bug #9719 [TwigBundle] fix configuration tree for paths (mdavis1982, cordoval)
* bug #11244 [HttpFoundation] Remove body-related headers when sending the response, if body is empty (SimonSimCity)

## 2.3.17 (2014-07-07)

* bug #11238 [Translation] Added unescaping of ids in PoFileLoader (JustBlackBird)
* bug #11194 [DomCrawler] Remove the query string and the anchor of the uri of a link (benja-M-1)
* bug #11272 [Console] Make sure formatter is the same. (akimsko)
* bug #11259 [Config] Fixed failed config schema loads due to libxml_disable_entity_loader usage (ccorliss)
* bug #11234 [ClassLoader] fixed PHP warning on PHP 5.3 (fabpot)
* bug #11179 [Process] Fix ExecutableFinder with open basedir (cs278)
* bug #11242 [CssSelector] Refactored the CssSelector to remove the circular object graph (stof)
* bug #11219 [DomCrawler] properly handle buttons with single and double quotes insid... (xabbuh)
* bug #11220 [Components][Serializer] optional constructor arguments can be omitted during the denormalization process (xabbuh)
* bug #11186 Added missing `break` statement (apfelbox)
* bug #11169 [Console] Fixed notice in DialogHelper (florianv)
* bug #11144 [HttpFoundation] Fixed Request::getPort returns incorrect value under IPv6 (kicken)
* bug #10966 PHP Fatal error when getContainer method of ContainerAwareCommand has be... (kevinvergauwen)
* bug #10981 [HttpFoundation] Fixed isSecure() check to be compliant with the docs (Jannik Zschiesche)
* bug #11092 [HttpFoundation] Fix basic authentication in url with PHP-FPM (Kdecherf)
* bug #10808 [DomCrawler] Empty select with attribute name="foo[]" bug fix (darles)
* bug #11063 [HttpFoundation] fix switch statement (Tobion)
* bug #11009 [HttpFoundation] smaller fixes for PdoSessionHandler (Tobion)
* bug #11041 Remove undefined variable $e (skydiablo)

## 2.3.16 (2014-05-31)

* bug #11014 [Validator] Remove property and method targets from the optional and required constraints (jakzal)
* bug #10983 [DomCrawler] Fixed charset detection in html5 meta charset tag (77web)
* bug #10979 Make rootPath part of regex greedy (artursvonda)
* bug #10995 [TwigBridge][Trans]set %count% only on transChoice from the current context. (aitboudad)
* bug #10987 [DomCrawler] Fixed a forgotten case of complex XPath queries (stof)

## 2.3.15 (2014-05-22)

* reverted #10908

## 2.3.14 (2014-05-22)

* bug #10849 [WIP][Finder] Fix wrong implementation on sortable callback comparator (ProPheT777)
* bug #10929 [Process] Add validation on Process input (romainneutron)
* bug #10958 [DomCrawler] Fixed filterXPath() chaining loosing the parent DOM nodes (stof, robbertkl)
* bug #10953 [HttpKernel] fixed file uploads in functional tests without file selected (realmfoo)
* bug #10937 [HttpKernel] Fix "absolute path" when we look to the cache directory (BenoitLeveque)
* bug #10908 [HttpFoundation] implement session locking for PDO (Tobion)
* bug #10894 [HttpKernel] removed absolute paths from the generated container (fabpot)
* bug #10926 [DomCrawler] Fixed the initial state for options without value attribute (stof)
* bug #10925 [DomCrawler] Fixed the handling of boolean attributes in ChoiceFormField (stof)
* bug #10777 [Form] Automatically add step attribute to HTML5 time widgets to display seconds if needed (tucksaun)
* bug #10909 [PropertyAccess] Fixed plurals for -ves words (csarrazi)
* bug #10899 Explicitly define the encoding. (jakzal)
* bug #10897 [Console] Fix a console test (jakzal)
* bug #10896 [HttpKernel] Fixed cache behavior when TTL has expired and a default "global" TTL is defined (alquerci, fabpot)
* bug #10841 [DomCrawler] Fixed image input case sensitive (geoffrey-brier)
* bug #10714 [Console]Improve formatter for double-width character (denkiryokuhatsuden)
* bug #10872 [Form] Fixed TrimListenerTest as of PHP 5.5 (webmozart)
* bug #10762 [BrowserKit] Allow URLs that don't contain a path when creating a cookie from a string (thewilkybarkid)
* bug #10863 [Security] Add check for supported attributes in AclVoter (artursvonda)
* bug #10833 [TwigBridge][Transchoice] set %count% from the current context. (aitboudad)
* bug #10820 [WebProfilerBundle] Fixed profiler seach/homepage with empty token (tucksaun)
* bug #10815 Fixed issue #5427 (umpirsky)
* bug #10817 [Debug] fix #10313: FlattenException not found (nicolas-grekas)
* bug #10803 [Debug] fix ErrorHandlerTest when context is not an array (nicolas-grekas)
* bug #10801 [Debug] ErrorHandler: remove $GLOBALS from context in PHP5.3 fix #10292 (nicolas-grekas)
* bug #10797 [HttpFoundation] Allow File instance to be passed to BinaryFileResponse (anlutro)
* bug #10643 [TwigBridge] Removed strict check when found variables inside a translation (goetas)

## 2.3.13 (2014-04-27)

* bug #10789 [Console] Fixed the rendering of exceptions on HHVM with a terminal width (stof)
* bug #10773 [WebProfilerBundle ] Fixed an edge case on WDT loading (tucksaun)
* bug #10763 [Process] Disable TTY mode on Windows platform (romainneutron)
* bug #10772 [Finder] Fix ignoring of unreadable dirs in the RecursiveDirectoryIterator (jakzal)
* bug #10757 [Process] Setting STDIN while running should not be possible (romainneutron)
* bug #10749 Fixed incompatibility of x509 auth with nginx (alcaeus)
* bug #10735 [Translation] [PluralizationRules] Little correction for case 'ar' (klyk50)
* bug #10720 [HttpFoundation] Fix DbalSessionHandler (Tobion)
* bug #10721 [HttpFoundation] status 201 is allowed to have a body (Tobion)
* bug #10728 [Process] Fix #10681, process are failing on Windows Server 2003 (romainneutron)
* bug #10733 [DomCrawler] Textarea value should default to empty string instead of null. (Berdir)
* bug #10723 [Security] fix DBAL connection typehint (Tobion)
* bug #10700 Fixes various inconsistencies in the code (fabpot)
* bug #10697 [Translation] Make IcuDatFileLoader/IcuResFileLoader::load invalid resource compatible with HHVM. (idn2104)
* bug #10652 [HttpFoundation] fix PDO session handler under high concurrency (Tobion)
* bug #10669 [Profiler] Prevent throwing fatal errors when searching timestamps or invalid dates (stloyd)
* bug #10670 [Templating] PhpEngine should propagate charset to its helpers (stloyd)
* bug #10665 [DependencyInjection] Fix ticket #10663 - Added setCharset method call to PHP templating engine (koku)
* bug #10654 Changed the typehint of the EsiFragmentRenderer to the interface (stof)
* bug #10649 [BrowserKit] Fix #10641 : BrowserKit is broken when using ip as host (romainneutron)

## 2.3.12 (2014-04-03)

* bug #10586 Fixes URL validator to accept single part urls (merk)
* bug #10591 [Form] Buttons are now disabled if their containing form is disabled (webmozart)
* bug #10579 HHVM fixes (fabpot)
* bug #10564 fixed the profiler when an uncalled listener throws an exception when instantiated (fabpot)
* bug #10568 [Form] Fixed hashing of choice lists containing non-UTF-8 characters (webmozart)
* bug #10536 Avoid levenshtein comparison when using ContainerBuilder. (catch56)
* bug #10549 Fixed server values in BrowserKit (fabpot)
* bug #10540 [HttpKernel] made parsing controllers more robust (fabpot)
* bug #10545 [DependencyInjection] Fixed YamlFileLoader imports path (jrnickell)
* bug #10523 [Debug] Check headers sent before sending PHP response (GromNaN)
* bug #10275 [Validator] Fixed ACE domain checks on UrlValidator (#10031) (aeoris)
* bug #10123 handle array root element (greg0ire)
* bug #10532 Fixed regression when using Symfony on filesystems without chmod support (fabpot)
* bug #10502 [HttpKernel] Fix #10437: Catch exceptions when reloading a no-cache request (romainneutron)
* bug #10493 Fix libxml_use_internal_errors and libxml_disable_entity_loader usage (romainneutron)
* bug #9784 [HttpFoundation] Removed ini check to make Uploadedfile work on Google App Engine (micheleorselli)
* bug #10416 [Form] Allow options to be grouped by objects (felds)
* bug #10410 [Form] Fix "Array was modified outside object" in ResizeFormListener. (Chekote)
* bug #10494 [Validator] Minor fix in IBAN validator (sprain)
* bug #10491 Fixed bug that incorrectly causes the "required" attribute to be omitted from select even though it contains the "multiple" attribute (fabpot)
* bug #10479 [Process] Fix escaping on Windows (romainneutron)
* bug #10480 [Process] Fixed fatal errors in getOutput and getErrorOutput when process was not started (romainneutron)
* bug #10420 [Process] Make Process::start non-blocking on Windows platform (romainneutron)
* bug #10455 [Process] Fix random failures in test suite on TravisCI (romainneutron)
* bug #10448 [Process] Fix quoted arguments escaping (romainneutron)
* bug #10444 [DomCrawler] Fixed incorrect value name conversion in getPhpValues() and getPhpFiles() (romainneutron)
* bug #10423 [Config] XmlUtils::convertDomElementToArray does not handle '0' (bendavies)
* bug #10153 [Process] Fixed data in pipe being truncated if not read before process termination (astephens25)
* bug #10429 [Process] Fix #9160 : escaping an argument with a trailing backslash on windows fails (romainneutron)
* bug #10412 [Process] Fix process status in TTY mode (romainneutron)
* bug #10382 10158 get vary multiple (bbinkovitz)
* bug #10251 [Form] Fixes empty file-inputs getting treated as extra field. (jenkoian)
* bug #10351 [HttpKernel] fix stripComments() normalizing new-lines (sstok)
* bug #10348 Update FileLoader to fix issue #10339 (msumme)

## 2.3.11 (2014-02-27)

* bug #10146 [WebProfilerBundle] fixed parsing Mongo DSN and added Test for it (malarzm)
* bug #10299 [Finder] () is also a valid delimiter (WouterJ)
* bug #10255 [FrameworkBundle] Fixed wrong redirect url if path contains some query parameters (pulzarraider)
* bug #10285 Bypass sigchild detection if phpinfo is not available (Seldaek)
* bug #10269 [Form] Revert "Fix "Array was modified outside object" in ResizeFormListener." (norzechowicz)

## 2.3.10 (2014-02-12)

* bug #10231 [Console] removed problematic regex (fabpot)
* bug #10245 [DomCrawler] Added support for <area> tags to be treated as links (shamess)
* bug #10232 [Form] Fix "Array was modified outside object" in ResizeFormListener. (Chekote)
* bug #10215 [Routing] reduced recursion in dumper (arnaud-lb)
* bug #10207 [DomCrawler] Fixed filterXPath() chaining (robbertkl)
* bug #10205 [DomCrawler] Fixed incorrect handling of image inputs (robbertkl)
* bug #10191 [HttpKernel] fixed wrong reference in TraceableEventDispatcher (fabpot)
* bug #10195 [Debug] Fixed recursion level incrementing in FlattenException::flattenArgs(). (sun)
* bug #10151 [Form] Update DateTime objects only if the actual value has changed (peterrehm)
* bug #10140 allow the TextAreaFormField to be used with valid/invalid HTML (dawehner)
* bug #10131 added lines to exceptions for the trans and transchoice tags (fabpot)
* bug #10119 [Validator] Minor fix in XmlFileLoader (florianv)
* bug #10078 [BrowserKit] add non-standard port to HTTP_HOST server param (kbond)
* bug #10091 [Translation] Update PluralizationRules.php (guilhermeblanco)
* bug #10053 [Form] fixed allow render 0 numeric input value (dczech)
* bug #10033 [HttpKernel] Bugfix - Logger Deprecation Notice (Rican7)
* bug #10023 [FrameworkBundle] Thrown an HttpException instead returning a Response in RedirectController::redirectAction() (jakzal)
* bug #9985 Prevent WDT from creating a session (mvrhov)
* bug #10000 [Console] Fixed the compatibility with HHVM (stof)
* bug #9979 [Doctrine Bridge][Validator] Fix for null values in assosiated properties when using UniqueEntityValidator (vpetrovych)
* bug #9983 [TwigBridge] Update min. version of Twig (stloyd)
* bug #9970 [CssSelector] fixed numeric attribute issue (jfsimon)
* bug #9747 [DoctrineBridge] Fix: Add type detection. Needed by pdo_dblib (iamluc)
* bug #9962 [Process] Fix #9861 : Revert TTY mode (romainneutron)
* bug #9960 [Form] Update minimal requirement in composer.json (stloyd)
* bug #9952 [Translator] Fix Empty translations with Qt files (vlefort)
* bug #9948 [WebProfilerBundle] Fixed profiler toolbar icons for XHTML. (rafalwrzeszcz)
* bug #9933 Propel1 exception message (jaugustin)
* bug #9949 [BrowserKit] Throw exception on invalid cookie expiration timestamp (anlutro)
high