Symfony v5.0.7 Release Notes

Release Date: 2020-03-30 // 8 days ago
  • Changelog (v5.0.6...v5.0.7)

    • 🔒 security #cve-2020-5255 [HttpFoundation] Do not set the default Content-Type based on the Accept header (@yceruto)
    • 🔒 security #cve-2020-5275 [Security] Fix access_control behavior with unanimous decision strategy (@chalasr)
    • 🐛 bug #36262 [DI] fix generating TypedReference from PriorityTaggedServiceTrait (@nicolas-grekas)
    • 🐛 bug #36252 [Security/Http] Allow setting cookie security settings for delete_cookies (@wouterj)
    • 🐛 bug #36261 [FrameworkBundle] revert to legacy wiring of the session when circular refs are detected (@nicolas-grekas)
    • 🐛 bug #36259 [DomCrawler] Fix BC break in assertions breaking Panther (@dunglas)
    • 🐛 bug #36181 [BrowserKit] fixed missing post request parameters in file uploads (@codebay)
    • 🐛 bug #36216 [Validator] Assert Valid with many groups (@phucwan91)
    • 🐛 bug #36222 [Console] Fix OutputStream for PHP 7.4 (@guillbdx)

    [PR] #36269
    🚀 [SECURITY] Security release


Previous changes from v5.0.6

  • Changelog (v5.0.5...v5.0.6)

    • 🐛 bug #36169 [HttpKernel] fix locking for PHP 7.4+ (@nicolas-grekas)
    • 🐛 bug #36175 [Security/Http] Remember me: allow to set the samesite cookie flag (@dunglas)
    • 🐛 bug #36173 [Http Foundation] Fix clear cookie samesite (@guillbdx)
    • 🐛 bug #36176 [Security] Check if firewall is stateless before checking for session/previous session (@koenreiniers)
    • 🐛 bug #36149 [Form] Support customized intl php.ini settings (@jorrit)
    • 🐛 bug #36172 [Debug] fix for PHP 7.3.16+/7.4.4+ (@nicolas-grekas)
    • bug #36151 [Security] Fixed hardcoded value of SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE (@lyrixx)
    • 🐛 bug #36141 Prevent warning in proc_open() (@BenMorel)
    • 🐛 bug #36143 [FrameworkBundle] Fix Router Cache (@guillbdx)
    • 🐛 bug #36103 [DI] fix preloading script generation (@nicolas-grekas)
    • 🐛 bug #36118 [Security/Http] don't require the session to be started when tracking its id (@nicolas-grekas)
    • 🐛 bug #36108 [DI] Fix CheckTypeDeclarationPass (@guillbdx)
    • 🐛 bug #36121 [VarDumper] fix side-effect by not using mt_rand() (@nicolas-grekas)
    • 🐛 bug #36073 [PropertyAccess][DX] Improved errors when reading uninitialized properties (@HeahDude)
    • 🐛 bug #36063 [FrameworkBundle] start session on flashbag injection (@william Arslett)
    • 🐛 bug #36031 [Console] Fallback to default answers when unable to read input (@ostrolucky)
    • 🐛 bug #36083 [DI][Form] Fixed test suite (TimeType changes & unresolved merge conflict) (@wouterj)
    • 🐛 bug #36026 [Mime] Fix boundary header (@guillbdx)
    • 🐛 bug #36020 [Form] ignore microseconds submitted by Edge (@xabbuh)
    • 🐛 bug #36038 [HttpClient] disable debug log with curl 7.64.0 (@nicolas-grekas)
    • 🐛 bug #36041 fix import from config file using type: glob (@Tobion)
    • 🐛 bug #35987 [DoctrineBridge][DoctrineExtractor] Fix wrong guessed type for "json" type (@fancyweb)
    • 🐛 bug #35949 [DI] Fix container lint command when a synthetic service is used in an expression (@HypeMC)
    • bug #36023 [HttpClient] fix requests to hosts that idn_to_ascii() cannot handle (@nicolas-grekas)
    • 🐛 bug #35938 [Form] Handle false as empty value on expanded choices (@fancyweb)
    • 🐛 bug #36030 [SecurityBundle] Minor fix in LDAP config tree builder (@HeahDude)
    • 🐛 bug #36017 [HttpKernel] Fix support for single-colon syntax for controllers (@nicolas-grekas)
    • 🐛 bug #35993 Remove int return type from FlattenException::getCode (@wucdbm)
    • 🐛 bug #36004 [Yaml] fix dumping strings containing CRs (@xabbuh)
    • 🐛 bug #35982 [DI] Fix XmlFileLoader bad error message (@przemyslaw-bogusz)
    • 🐛 bug #35957 [DI] ignore extra tags added by autoconfiguration in PriorityTaggedServiceTrait (@nicolas-grekas)
    • 🐛 bug #35937 Revert "bug #28179 [DomCrawler] Skip disabled fields processing in Form" (@dmaicher)
    • 🐛 bug #35928 [Routing] Prevent localized routes _locale default & requirement from being overridden (@fancyweb)
    • 🐛 bug #35912 [FrameworkBundle] register only existing transport factories (@xabbuh)
    • 🐛 bug #35899 [DomCrawler] prevent deprecation being triggered from assertion (@xabbuh)
    • 🐛 bug #35910 [SecurityBundle] Minor fixes in configuration tree builder (@HeahDude)

    [PR] #36240