Merge branch '4.0'

nicolas-grekas · nicolas-grekas · commit 9e73cc73e25f · 2018-01-16T19:04:31.000+01:00
* 4.0:
  [appveyor] set memory_limit=-1
  [Console] Keep the modified exception handler
  [Console] Fix restoring exception handler
  [Router] Skip anonymous classes when loading annotated routes
  allow dashes in cwd pathname when running the tests
  Fixed Request::__toString ignoring cookies
  Make sure we only build once and have one time the prefix when importing routes
  [Security] Fix fatal error on non string username
  [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
diff --git a/appveyor.yml b/appveyor.yml
@@ -22,6 +22,7 @@ install:
     - 7z x php_apcu-5.1.8-7.1-ts-vc14-x86.zip -y >nul
     - cd ..
     - copy /Y php.ini-development php.ini-min
+    - echo memory_limit=-1 >> php.ini-min
     - echo serialize_precision=14 >> php.ini-min
     - echo max_execution_time=1200 >> php.ini-min
     - echo date.timezone="America/Los_Angeles" >> php.ini-min
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Form\Form;
 use Symfony\Component\Lock\Lock;
 use Symfony\Component\Lock\Store\SemaphoreStore;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Translation\Translator;
 use Symfony\Component\Validator\Validation;
@@ -109,7 +110,14 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode)
         $rootNode
             ->children()
                 ->arrayNode('csrf_protection')
-                    ->canBeEnabled()
+                    ->treatFalseLike(array('enabled' => false))
+                    ->treatTrueLike(array('enabled' => true))
+                    ->treatNullLike(array('enabled' => true))
+                    ->addDefaultsIfNotSet()
+                    ->children()
+                        // defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+                        ->booleanNode('enabled')->defaultNull()->end()
+                    ->end()
                 ->end()
             ->end()
         ;
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -17,6 +17,7 @@
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Bundle\FrameworkBundle\Routing\AnnotatedRouteControllerLoader;
+use Symfony\Bundle\FullStack;
 use Symfony\Component\Cache\Adapter\AbstractAdapter;
 use Symfony\Component\Cache\Adapter\AdapterInterface;
 use Symfony\Component\Cache\Adapter\ArrayAdapter;
@@ -65,6 +66,7 @@
 use Symfony\Component\Routing\Loader\AnnotationDirectoryLoader;
 use Symfony\Component\Routing\Loader\AnnotationFileLoader;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Mapping\ClassDiscriminatorFromClassMetadata;
@@ -193,6 +195,11 @@ public function load(array $configs, ContainerBuilder $container)
             $this->registerRequestConfiguration($config['request'], $container, $loader);
         }
 
+        if (null === $config['csrf_protection']['enabled']) {
+            $config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class);
+        }
+        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+
         if ($this->isConfigEnabled($container, $config['form'])) {
             if (!class_exists('Symfony\Component\Form\Form')) {
                 throw new LogicException('Form support cannot be enabled as the Form component is not installed.');
@@ -213,8 +220,6 @@ public function load(array $configs, ContainerBuilder $container)
             $container->removeDefinition('console.command.form_debug');
         }
 
-        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
-
         if ($this->isConfigEnabled($container, $config['assets'])) {
             if (!class_exists('Symfony\Component\Asset\Package')) {
                 throw new LogicException('Asset support cannot be enabled as the Asset component is not installed.');
diff --git a/src/Symfony/Component/Config/Tests/Util/XmlUtilsTest.php b/src/Symfony/Component/Config/Tests/Util/XmlUtilsTest.php
@@ -55,7 +55,7 @@ public function testLoadFile()
             XmlUtils::loadFile($fixtures.'valid.xml', array($mock, 'validate'));
             $this->fail();
         } catch (\InvalidArgumentException $e) {
-            $this->assertRegExp('/The XML file "[\w:\/\\\.]+" is not valid\./', $e->getMessage());
+            $this->assertRegExp('/The XML file "[\w:\/\\\.-]+" is not valid\./', $e->getMessage());
         }
 
         $this->assertInstanceOf('DOMDocument', XmlUtils::loadFile($fixtures.'valid.xml', array($mock, 'validate')));
diff --git a/src/Symfony/Component/Console/Application.php b/src/Symfony/Component/Console/Application.php
@@ -158,10 +158,18 @@ public function run(InputInterface $input = null, OutputInterface $output = null
                 $exitCode = 1;
             }
         } finally {
+            // if the exception handler changed, keep it
+            // otherwise, unregister $renderException
             if (!$phpHandler) {
+                if (set_exception_handler($renderException) === $renderException) {
+                    restore_exception_handler();
+                }
                 restore_exception_handler();
             } elseif (!$debugHandler) {
-                $phpHandler[0]->setExceptionHandler(null);
+                $finalHandler = $phpHandler[0]->setExceptionHandler(null);
+                if ($finalHandler !== $renderException) {
+                    $phpHandler[0]->setExceptionHandler($finalHandler);
+                }
             }
         }
 
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -498,9 +498,21 @@ public function __toString()
             return trigger_error($e, E_USER_ERROR);
         }
 
+        $cookieHeader = '';
+        $cookies = array();
+
+        foreach ($this->cookies as $k => $v) {
+            $cookies[] = $k.'='.$v;
+        }
+
+        if (!empty($cookies)) {
+            $cookieHeader = 'Cookie: '.implode('; ', $cookies)."\r\n";
+        }
+
         return
             sprintf('%s %s %s', $this->getMethod(), $this->getRequestUri(), $this->server->get('SERVER_PROTOCOL'))."\r\n".
-            $this->headers."\r\n".
+            $this->headers.
+            $cookieHeader."\r\n".
             $content;
     }
 
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -1507,8 +1507,18 @@ public function testToString()
         $request = new Request();
 
         $request->headers->set('Accept-language', 'zh, en-us; q=0.8, en; q=0.6');
+        $request->cookies->set('Foo', 'Bar');
 
-        $this->assertContains('Accept-Language: zh, en-us; q=0.8, en; q=0.6', $request->__toString());
+        $asString = (string) $request;
+
+        $this->assertContains('Accept-Language: zh, en-us; q=0.8, en; q=0.6', $asString);
+        $this->assertContains('Cookie: Foo=Bar', $asString);
+
+        $request->cookies->set('Another', 'Cookie');
+
+        $asString = (string) $request;
+
+        $this->assertContains('Cookie: Foo=Bar; Another=Cookie', $asString);
     }
 
     public function testIsMethod()
diff --git a/src/Symfony/Component/Routing/Loader/AnnotationFileLoader.php b/src/Symfony/Component/Routing/Loader/AnnotationFileLoader.php
@@ -111,22 +111,22 @@ protected function findClass($file)
             }
 
             if (T_CLASS === $token[0]) {
-                // Skip usage of ::class constant
-                $isClassConstant = false;
+                // Skip usage of ::class constant and anonymous classes
+                $skipClassToken = false;
                 for ($j = $i - 1; $j > 0; --$j) {
                     if (!isset($tokens[$j][1])) {
                         break;
                     }
 
-                    if (T_DOUBLE_COLON === $tokens[$j][0]) {
-                        $isClassConstant = true;
+                    if (T_DOUBLE_COLON === $tokens[$j][0] || T_NEW === $tokens[$j][0]) {
+                        $skipClassToken = true;
                         break;
                     } elseif (!in_array($tokens[$j][0], array(T_WHITESPACE, T_DOC_COMMENT, T_COMMENT))) {
                         break;
                     }
                 }
 
-                if (!$isClassConstant) {
+                if (!$skipClassToken) {
                     $class = true;
                 }
             }
diff --git a/src/Symfony/Component/Routing/RouteCollectionBuilder.php b/src/Symfony/Component/Routing/RouteCollectionBuilder.php
@@ -76,11 +76,11 @@ public function import($resource, $prefix = '/', $type = null)
             foreach ($collection->getResources() as $resource) {
                 $builder->addResource($resource);
             }
-
-            // mount into this builder
-            $this->mount($prefix, $builder);
         }
 
+        // mount into this builder
+        $this->mount($prefix, $builder);
+
         return $builder;
     }
 
diff --git a/src/Symfony/Component/Routing/Tests/Fixtures/OtherAnnotatedClasses/AnonymousClassInTrait.php b/src/Symfony/Component/Routing/Tests/Fixtures/OtherAnnotatedClasses/AnonymousClassInTrait.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Routing\Tests\Fixtures\OtherAnnotatedClasses;
+
+trait AnonymousClassInTrait
+{
+    public function test()
+    {
+        return new class() {
+            public function foo()
+            {
+            }
+        };
+    }
+}
diff --git a/src/Symfony/Component/Routing/Tests/Loader/AnnotationFileLoaderTest.php b/src/Symfony/Component/Routing/Tests/Loader/AnnotationFileLoaderTest.php
@@ -61,6 +61,17 @@ public function testLoadVariadic()
         $this->loader->load(__DIR__.'/../Fixtures/OtherAnnotatedClasses/VariadicClass.php');
     }
 
+    /**
+     * @requires PHP 7.0
+     */
+    public function testLoadAnonymousClass()
+    {
+        $this->reader->expects($this->never())->method('getClassAnnotation');
+        $this->reader->expects($this->never())->method('getMethodAnnotations');
+
+        $this->loader->load(__DIR__.'/../Fixtures/OtherAnnotatedClasses/AnonymousClassInTrait.php');
+    }
+
     public function testSupports()
     {
         $fixture = __DIR__.'/../Fixtures/annotated.php';
diff --git a/src/Symfony/Component/Routing/Tests/RouteCollectionBuilderTest.php b/src/Symfony/Component/Routing/Tests/RouteCollectionBuilderTest.php
@@ -335,4 +335,30 @@ public function testAutomaticRouteNamesDoNotConflict()
         // there are 2 routes (i.e. with non-conflicting names)
         $this->assertCount(3, $collection->all());
     }
+
+    public function testAddsThePrefixOnlyOnceWhenLoadingMultipleCollections()
+    {
+        $firstCollection = new RouteCollection();
+        $firstCollection->add('a', new Route('/a'));
+
+        $secondCollection = new RouteCollection();
+        $secondCollection->add('b', new Route('/b'));
+
+        $loader = $this->getMockBuilder('Symfony\Component\Config\Loader\LoaderInterface')->getMock();
+        $loader->expects($this->any())
+            ->method('supports')
+            ->will($this->returnValue(true));
+        $loader
+            ->expects($this->any())
+            ->method('load')
+            ->will($this->returnValue(array($firstCollection, $secondCollection)));
+
+        $routeCollectionBuilder = new RouteCollectionBuilder($loader);
+        $routeCollectionBuilder->import('/directory/recurse/*', '/other/', 'glob');
+        $routes = $routeCollectionBuilder->build()->all();
+
+        $this->assertEquals(2, count($routes));
+        $this->assertEquals('/other/a', $routes['a']->getPath());
+        $this->assertEquals('/other/b', $routes['b']->getPath());
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -44,8 +44,6 @@ class ContextListener implements ListenerInterface
     private $registered;
     private $trustResolver;
 
-    private static $unserializeExceptionCode = 0x37313bc;
-
     /**
      * @param TokenStorageInterface            $tokenStorage
      * @param iterable|UserProviderInterface[] $userProviders
@@ -221,7 +219,7 @@ private function safelyUnserialize($serializedToken)
         $prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
         $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = array()) use (&$prevErrorHandler) {
             if (__FILE__ === $file) {
-                throw new \UnexpectedValueException($msg, self::$unserializeExceptionCode);
+                throw new \UnexpectedValueException($msg, 0x37313bc);
             }
 
             return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
@@ -235,7 +233,7 @@ private function safelyUnserialize($serializedToken)
         restore_error_handler();
         ini_set('unserialize_callback_func', $prevUnserializeHandler);
         if ($e) {
-            if (!$e instanceof \UnexpectedValueException || self::$unserializeExceptionCode !== $e->getCode()) {
+            if (!$e instanceof \UnexpectedValueException || 0x37313bc !== $e->getCode()) {
                 throw $e;
             }
             if ($this->logger) {
@@ -251,6 +249,6 @@ private function safelyUnserialize($serializedToken)
      */
     public static function handleUnserializeCallback($class)
     {
-        throw new \UnexpectedValueException('Class not found: '.$class, self::$unserializeExceptionCode);
+        throw new \UnexpectedValueException('Class not found: '.$class, 0x37313bc);
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
 use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
@@ -84,15 +85,17 @@ protected function attemptAuthentication(Request $request)
             }
         }
 
-        if ($this->options['post_only']) {
-            $username = trim(ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
-        } else {
-            $username = trim(ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
+        $requestBag = $this->options['post_only'] ? $request->request : $request;
+        $username = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['username_parameter']);
+        $password = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['password_parameter']);
+
+        if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
         }
 
-        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+        $username = trim($username);
+
+        if (\strlen($username) > Security::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Invalid username.');
         }
 
diff --git a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\HttpFoundation\Request;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
@@ -76,14 +77,16 @@ protected function attemptAuthentication(Request $request)
             }
         }
 
-        if ($this->options['post_only']) {
-            $username = trim(ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
-        } else {
-            $username = trim(ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
+        $requestBag = $this->options['post_only'] ? $request->request : $request;
+        $username = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['username_parameter']);
+        $password = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['password_parameter']);
+
+        if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
         }
 
+        $username = trim($username);
+
         if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Invalid username.');
         }
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ public function testLoadFile()`
`55`	`55`	`XmlUtils::loadFile($fixtures.'valid.xml', array($mock, 'validate'));`
`56`	`56`	`$this->fail();`
`57`	`57`	`} catch (\InvalidArgumentException $e) {`
`58`		`- $this->assertRegExp('/The XML file "[\w:\/\\\.]+" is not valid\./', $e->getMessage());`
	`58`	`+ $this->assertRegExp('/The XML file "[\w:\/\\\.-]+" is not valid\./', $e->getMessage());`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`$this->assertInstanceOf('DOMDocument', XmlUtils::loadFile($fixtures.'valid.xml', array($mock, 'validate')));`
Original file line number	Diff line number	Diff line change
`@@ -158,10 +158,18 @@ public function run(InputInterface $input = null, OutputInterface $output = null`
`158`	`158`	`$exitCode = 1;`
`159`	`159`	`}`
`160`	`160`	`} finally {`
	`161`	`+ // if the exception handler changed, keep it`
	`162`	`+ // otherwise, unregister $renderException`
`161`	`163`	`if (!$phpHandler) {`
	`164`	`+ if (set_exception_handler($renderException) === $renderException) {`
	`165`	`+ restore_exception_handler();`
	`166`	`+ }`
`162`	`167`	`restore_exception_handler();`
`163`	`168`	`} elseif (!$debugHandler) {`
`164`		`- $phpHandler[0]->setExceptionHandler(null);`
	`169`	`+ $finalHandler = $phpHandler[0]->setExceptionHandler(null);`
	`170`	`+ if ($finalHandler !== $renderException) {`
	`171`	`+ $phpHandler[0]->setExceptionHandler($finalHandler);`
	`172`	`+ }`
`165`	`173`	`}`
`166`	`174`	`}`
`167`	`175`
Original file line number	Diff line number	Diff line change
`@@ -111,22 +111,22 @@ protected function findClass($file)`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`if (T_CLASS === $token[0]) {`
`114`		`- // Skip usage of ::class constant`
`115`		`- $isClassConstant = false;`
	`114`	`+ // Skip usage of ::class constant and anonymous classes`
	`115`	`+ $skipClassToken = false;`
`116`	`116`	`for ($j = $i - 1; $j > 0; --$j) {`
`117`	`117`	`if (!isset($tokens[$j][1])) {`
`118`	`118`	`break;`
`119`	`119`	`}`
`120`	`120`
`121`		`- if (T_DOUBLE_COLON === $tokens[$j][0]) {`
`122`		`- $isClassConstant = true;`
	`121`	`+ if (T_DOUBLE_COLON === $tokens[$j][0] \|\| T_NEW === $tokens[$j][0]) {`
	`122`	`+ $skipClassToken = true;`
`123`	`123`	`break;`
`124`	`124`	`} elseif (!in_array($tokens[$j][0], array(T_WHITESPACE, T_DOC_COMMENT, T_COMMENT))) {`
`125`	`125`	`break;`
`126`	`126`	`}`
`127`	`127`	`}`
`128`	`128`
`129`		`- if (!$isClassConstant) {`
	`129`	`+ if (!$skipClassToken) {`
`130`	`130`	`$class = true;`
`131`	`131`	`}`
`132`	`132`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,11 +76,11 @@ public function import($resource, $prefix = '/', $type = null)`
`76`	`76`	`foreach ($collection->getResources() as $resource) {`
`77`	`77`	`$builder->addResource($resource);`
`78`	`78`	`}`
`79`		`-`
`80`		`- // mount into this builder`
`81`		`- $this->mount($prefix, $builder);`
`82`	`79`	`}`
`83`	`80`
	`81`	`+ // mount into this builder`
	`82`	`+ $this->mount($prefix, $builder);`
	`83`	`+`
`84`	`84`	`return $builder;`
`85`	`85`	`}`
`86`	`86`