Symfony 5.3.12 released

Symfony 5.3.12 has just been released. Here is a list of the most important changes:

  • security #cve-2021-41268 [SecurityBundle] Default signature_properties to the previous behavior (@wouterj)
  • security #cve-2021-41267 [HttpKernel] Fix missing extra trusted header in sub-request (@jderusse)
  • security #cve-2021-41270 [Serializer] Use single quote to escape formulas (@jderusse)
  • bug #44232 [Cache] fix connecting to local Redis sockets (@nicolas-grekas)
  • bug #44204 [HttpClient] fix clos

3y | Symfony
Symfony 6.0.0-RC1 released

Symfony 6.0.0-RC1 has just been released. Here is a list of the most important changes:

  • security #cve-2021-41268 [SecurityBundle] Default signature_properties to the previous behavior (@wouterj)
  • security #cve-2021-41267 [HttpKernel] Fix missing extra trusted header in sub-request (@jderusse)
  • security #cve-2021-41270 [Serializer] Use single quote to escape formulas (@jderusse)
  • bug #44230 [Console] Add Suggestion class for more advanced completion suggestion (@wouterj)
  • bug #44232

3y | Symfony
Symfony 5.4.0-RC1 released

Symfony 5.4.0-RC1 has just been released. Here is a list of the most important changes:

  • security #cve-2021-41268 [SecurityBundle] Default signature_properties to the previous behavior (@wouterj)
  • security #cve-2021-41267 [HttpKernel] Fix missing extra trusted header in sub-request (@jderusse)
  • security #cve-2021-41270 [Serializer] Use single quote to escape formulas (@jderusse)
  • bug #44230 [Console] Add Suggestion class for more advanced completion suggestion (@wouterj)
  • bug #44232

3y | Symfony
CVE-2021-41270: Prevent CSV Injection via formulas

Description

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.

In Symfony 4.1, we added the opt-in csv_escape_formulas option to CsvEncoder, which prefixes every cell that starts with =, +, - or @ with a tab (\t).

Since then, OWASP has added two characters to that list:

  • Tab (0x09)
  • Carriage ret
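The following Python is an added illustration for this advisory; it is not Symfony's CsvEncoder code. It shows why prefixing a tab stopped being a sufficient escape once tab itself joined the trigger list (the escaped cell still begins with a trigger character), and the single-quote prefix that the fix switches to, as named in the 5.3.12 changelog above. The trigger set, the helper names and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula:
# the original =, +, -, @ plus tab and carriage return (assumed set).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True when a spreadsheet could interpret the cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def escape_with_tab(cell: str) -> str:
    """Pre-fix behaviour: prefix a tab. The result itself starts with a
    trigger character, so it is still formula-like."""
    return "\t" + cell if is_formula_like(cell) else cell


def escape_with_quote(cell: str) -> str:
    """Fixed behaviour: prefix a single quote, which spreadsheets read as
    'this cell is literal text'."""
    return "'" + cell if is_formula_like(cell) else cell


def encode_csv(rows, escape=escape_with_quote) -> str:
    """Encode rows as CSV, neutralising formula-like cells first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape(str(cell)) for cell in row])
    return buf.getvalue()


def contains_formula_like(text: str) -> bool:
    """Parse CSV text back and report whether any cell is still formula-like
    (what a consumer opening the export would be exposed to)."""
    return any(is_formula_like(cell)
               for row in csv.reader(io.StringIO(text)) for cell in row)


# Constructed sample: an export containing attacker-controlled names.
SAMPLE_ROWS = [
    ["name", "note"],
    ['=HYPERLINK("http://evil.example/","click")', "formula"],
    ["\t=1+1", "tab-prefixed formula"],
    ["Alice", "harmless"],
]

if __name__ == "__main__":
    print("tab escape still unsafe:",
          contains_formula_like(encode_csv(SAMPLE_ROWS, escape_with_tab)))
    print("quote escape safe:",
          not contains_formula_like(encode_csv(SAMPLE_ROWS, escape_with_quote)))
```

The check that matters is the round trip: after encoding, parse the file again and confirm no cell begins with a trigger character. With the tab prefix the second sample row round-trips as a cell that still starts with a tab; with the single quote every cell round-trips as literal text.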
3y | Symfony
CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

Description

When a Symfony application runs behind a proxy or a load balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. Headers that are not part of the "trusted_headers" allow list are ignored, which protects you from cache poisoning attacks.

In Symfony 5.2, we've added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could le
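The Python below is an added model of the problem, not Symfony's HttpKernel code. It assumes, for the example, that fragment sub-requests are created with a loopback remote address (so a forwarded header that survives the copy from the parent request is then treated as coming from a trusted proxy), that the vulnerable copy routine simply forgot X-Forwarded-Prefix, and that a shared fragment cache keys on the path alone. The class and function names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Forwarded headers a reverse proxy may set (assumed list for the example).
FORWARDED_HEADERS = {"x-forwarded-for", "x-forwarded-host", "x-forwarded-proto",
                     "x-forwarded-port", "x-forwarded-prefix"}


@dataclass
class Request:
    remote_addr: str
    headers: dict   # lower-cased header name -> value
    path: str


@dataclass
class ProxyConfig:
    trusted_proxies: list   # CIDR strings, e.g. ["127.0.0.1/32"]
    trusted_headers: set    # forwarded headers the application honours

    def is_trusted_proxy(self, req: Request) -> bool:
        addr = ip_address(req.remote_addr)
        return any(addr in ip_network(net) for net in self.trusted_proxies)


def resolve_prefix(req: Request, cfg: ProxyConfig) -> str:
    """Honour X-Forwarded-Prefix only when it is allow-listed AND the
    request arrived from a trusted proxy."""
    if "x-forwarded-prefix" in cfg.trusted_headers and cfg.is_trusted_proxy(req):
        return req.headers.get("x-forwarded-prefix", "").rstrip("/")
    return ""


def make_sub_request(parent: Request, cfg: ProxyConfig, path: str, fixed: bool = True) -> Request:
    """Build an internal fragment sub-request with a loopback remote address
    (assumption). A forwarded header may only be inherited if the parent's
    value was itself trustworthy; the vulnerable variant leaves
    X-Forwarded-Prefix out of the filtered set and copies it verbatim."""
    filtered = FORWARDED_HEADERS if fixed else FORWARDED_HEADERS - {"x-forwarded-prefix"}
    parent_trusted = cfg.is_trusted_proxy(parent)
    headers = {}
    for name, value in parent.headers.items():
        if name in filtered and not (parent_trusted and name in cfg.trusted_headers):
            continue   # do not let the sub-request acquire trust the parent lacked
        headers[name] = value
    return Request("127.0.0.1", headers, path)


def render_fragment(sub: Request, cfg: ProxyConfig) -> str:
    """The fragment embeds an absolute path built from the resolved prefix."""
    return f'<a href="{resolve_prefix(sub, cfg)}/login">Log in</a>'


def serve_fragment(sub: Request, cfg: ProxyConfig, cache: dict) -> str:
    """Shared cache keyed on the fragment path only: whatever the first
    renderer produced is served to every later visitor."""
    if sub.path not in cache:
        cache[sub.path] = render_fragment(sub, cfg)
    return cache[sub.path]


if __name__ == "__main__":
    cfg = ProxyConfig(["127.0.0.1/32", "10.0.0.0/8"],
                      {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-prefix"})
    # Constructed attacker request hitting the app directly, bypassing the proxy.
    attacker = Request("203.0.113.5", {"host": "app.example", "x-forwarded-prefix": "/evil"}, "/page")
    for fixed in (False, True):
        sub = make_sub_request(attacker, cfg, "/_fragment/nav", fixed=fixed)
        print("fixed" if fixed else "vulnerable", render_fragment(sub, cfg))
```

The main request correctly ignores the attacker's header because 203.0.113.5 is not a trusted proxy. The vulnerable sub-request inherits the header and, coming from 127.0.0.1, passes the trust check, so the fragment is rendered with the attacker's prefix and stored in the shared cache under "/_fragment/nav"; later visitors receive the poisoned link. The fix applies the same trust rule at copy time that the main request applies at read time.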

3y | Symfony
CVE-2021-41268: Remember me cookie persistance after password changes

Description

Since the rework of the Remember me cookie in Symfony 5.3, the cookie is no longer invalidated when the user changes their password.

An attacker who has logged in once and obtained a valid remember me cookie can therefore keep access to the account even after the password is changed.

Resolution

Symfony now includes the password in the cookie signature by default, so the cookie stops validating as soon as the password changes.
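As an added illustration of the resolution (generic Python, not Symfony's remember-me handler), the following issues a signed remember-me cookie and validates it, with the stored password hash optionally mixed into the HMAC. The secret, the user store, the cookie layout and the function names are assumptions constructed for the example; the list of user properties folded into the signature plays the role of the signature_properties option mentioned in the 5.3.12 changelog above.

```python
import base64
import hashlib
import hmac

# Assumption for the example: the application's secret key (constructed).
APP_SECRET = b"constructed-example-secret"

# Constructed user store; password_hash stands in for the stored password
# hash (bcrypt/argon2 in a real application, an opaque string here).
USERS = {"alice": {"id": "alice", "password_hash": "hash-of-old-password"}}


def find_user(user_id):
    return USERS.get(user_id)


def _signature(user_id, expires, signature_properties):
    # NUL-join the claims so no field can impersonate another's boundary.
    payload = "\0".join([user_id, str(expires), *signature_properties]).encode()
    return hmac.new(APP_SECRET, payload, hashlib.sha256).hexdigest()


def _props(user, bind_to_password):
    # Fixed behaviour: the current password hash is part of the signature.
    return [user["password_hash"]] if bind_to_password else []


def issue_cookie(user, now, ttl, bind_to_password=True):
    expires = now + ttl
    sig = _signature(user["id"], expires, _props(user, bind_to_password))
    return base64.urlsafe_b64encode(f"{user['id']}:{expires}:{sig}".encode()).decode()


def validate_cookie(cookie, now, bind_to_password=True):
    """Return True only for an unexpired cookie whose signature matches the
    user's current state; a changed password hash changes the expected HMAC."""
    try:
        user_id, expires, sig = base64.urlsafe_b64decode(cookie).decode().split(":")
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return False
    if now >= expires:
        return False
    user = find_user(user_id)
    if user is None:
        return False
    expected = _signature(user_id, expires, _props(user, bind_to_password))
    return hmac.compare_digest(sig, expected)


def survives_password_change(bind_to_password):
    """Issue a cookie, rotate the user's password hash, and report whether
    the old cookie still validates (True reproduces the vulnerability)."""
    user = {"id": "bob", "password_hash": "hash-v1"}
    USERS["bob"] = user
    cookie = issue_cookie(user, now=1_000, ttl=3_600, bind_to_password=bind_to_password)
    if not validate_cookie(cookie, now=1_500, bind_to_password=bind_to_password):
        raise RuntimeError("freshly issued cookie must validate")
    user["password_hash"] = "hash-v2"   # the user changed their password
    return validate_cookie(cookie, now=2_000, bind_to_password=bind_to_password)


if __name__ == "__main__":
    print("old cookie survives without binding:", survives_password_change(False))
    print("old cookie survives with binding:   ", survives_password_change(True))
```

Binding the signature to the password hash invalidates every outstanding cookie on a password change without the server having to track issued cookies. The trade-off is that a legitimate password change also logs out the user's other devices, which is the intended effect here.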

T

3y | Symfony
New in Symfony 5.4: DependencyInjection Improvements

Inject tagged services in service locators

Contributed by Ion Bazan in #43015.

In Symfony 5.4 you can use tagged iterators as arguments of service locators, which simplifies the injection of tagged services in other services. The following example shows how to use this feature when using YAML config (it works with XML and PHP config too):


3y | Symfony
Symfony 5.3.11 released

Symfony 5.3.11 has just been released. Here is a list of the most important changes:

  • bug #44188 [VarExporter] fix exporting declared but unset properties when __sleep() is implemented (@nicolas-grekas)
  • bug #44176 [Console] Default ansi option to null (@jderusse)
  • bug #44119 [HttpClient][Mime] Add correct IDN flags for IDNA2008 compliance (@j-bernard)
  • bug #44131 [Yaml] properly parse quoted strings tagged with !!str (@xabbuh)
  • bug #42323 [TwigBridge] do not merge label classes into

3y | Symfony
Symfony 4.4.34 released

Symfony 4.4.34 has just been released. Here is a list of the most important changes:

  • bug #44188 [VarExporter] fix exporting declared but unset properties when __sleep() is implemented (@nicolas-grekas)
  • bug #44119 [HttpClient][Mime] Add correct IDN flags for IDNA2008 compliance (@j-bernard)
  • bug #44131 [Yaml] properly parse quoted strings tagged with !!str (@xabbuh)
  • bug #42323 [TwigBridge] do not merge label classes into expanded choice labels (@xabbuh)
  • bug #44121 [Serializer] fix

3y | Symfony
A Week of Symfony #777 (15-21 November 2021)

This week, Symfony 5.4.0 BETA3 and 6.0.0 BETA3 versions were published so you can test them on your applications before their final release at the end of the month. In addition, the Symfony Core Team added four new members to help grow the Symfony project in the next few years.

Symfony development highlights

This week, 81 pull requests were merged (52 in code and 29 in docs) and 49 issues were closed (36 in code and 13 in docs). Excluding merges, 43 authors made 5,841 addition

3y | Symfony
