* 2.8:
Username and password in basic auth are allowed to contain '.'
Remove obsolete PHPDoc from UriSigner
[Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed
[PropertyInfo] Add support for the iterable type
pdo session fix
Fixed unsetting from loosely equal keys OrderedHashMap
[Debug] Fix same vendor detection in class loader
Updated the source text and translation
reject remember-me token if user check fails
* 2.7:
Username and password in basic auth are allowed to contain '.'
Remove obsolete PHPDoc from UriSigner
[Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed
pdo session fix
Fixed unsetting from loosely equal keys OrderedHashMap
[Debug] Fix same vendor detection in class loader
Updated the source text and translation
reject remember-me token if user check fails
* 2.8:
fix merge
Fix 7.2 compat layer
Fix PHP 7.2 support
[HttpFoundation] Add missing session.lazy_write config option
[HttpFoundation] Combine Cache-Control headers
[Form] fix parsing invalid floating point numbers
Escape command usage when displaying it in the text descriptor
Use for=ID on radio/checkbox label.
* 2.7:
Fix 7.2 compat layer
Fix PHP 7.2 support
[HttpFoundation] Add missing session.lazy_write config option
[HttpFoundation] Combine Cache-Control headers
[Form] fix parsing invalid floating point numbers
Escape command usage when displaying it in the text descriptor
Use for=ID on radio/checkbox label.
* 2.8: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
* 2.7: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
* 2.8:
[VarDumper] Enhance docblock to tell about AbstractDumper::dumpLine(-1)
[Debug] Remove false-positive check in DebugClassLoader
[Validator] Fix use of GroupSequenceProvider in child classes
Change number PHPDoc type to int|float
[VarDumper] Strengthen dumped JS
[travis] Add timing info
[Validator] Fix Greek translation
[Console] Initialize lazily to render exceptions properly
[Validator] Add a property tag for File::$maxSize
* 2.7:
[VarDumper] Enhance docblock to tell about AbstractDumper::dumpLine(-1)
[Debug] Remove false-positive check in DebugClassLoader
[Validator] Fix use of GroupSequenceProvider in child classes
Change number PHPDoc type to int|float
[VarDumper] Strengthen dumped JS
[travis] Add timing info
[Validator] Fix Greek translation
[Console] Initialize lazily to render exceptions properly
[Validator] Add a property tag for File::$maxSize
* 3.2:
[DI] Remove unused props from the PhpDumper
[ProxyManager] Cleanup fixtures
[Debug] HTML-escape array key
Add some phpdocs for IDE autocompletion and better SCA
Fixed typo in docblock
* 2.8:
[DI] Remove unused props from the PhpDumper
[ProxyManager] Cleanup fixtures
[Debug] HTML-escape array key
Add some phpdocs for IDE autocompletion and better SCA
Fixed typo in docblock
* 2.7:
[DI] Remove unused props from the PhpDumper
[ProxyManager] Cleanup fixtures
[Debug] HTML-escape array key
Add some phpdocs for IDE autocompletion and better SCA
This PR was merged into the 2.7 branch.
Discussion
----------
[Debug] Missing escape in debug output
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
When pretty-printing an exception, the debug handler does not properly escape array keys.
The problem only occurs when debug output is enabled, so this is not considered a [security issue](http://symfony.com/doc/current/contributing/code/security.html) (according to @fabpot), because the debug tools [should not be used in production](https://symfony.com/doc/current/components/debug.html#usage).
A test for this is included in my patch for #18722.
Commits
-------
636777d [Debug] HTML-escape array key
@@ -59,6 +59,23 @@ class DebugClassLoaderTest extends TestCase
$this->fail('DebugClassLoader did not register');
}
/**
* @expectedException \Exception
* @expectedExceptionMessage boo
*/
publicfunctiontestThrowingClass()
{
try{
class_exists(__NAMESPACE__.'\Fixtures\Throwing');
$this->fail('Exception expected');
}catch(\Exception$e){
$this->assertSame('boo',$e->getMessage());
}
// the second call also should throw
class_exists(__NAMESPACE__.'\Fixtures\Throwing');
}
publicfunctiontestUnsilencing()
{
if(\PHP_VERSION_ID>=70000){
@@ -124,6 +141,7 @@ class DebugClassLoaderTest extends TestCase
/**
* @expectedException \RuntimeException
* @expectedExceptionMessage Case mismatch between loaded and declared class names
*/
publicfunctiontestNameCaseMismatch()
{
@@ -145,6 +163,7 @@ class DebugClassLoaderTest extends TestCase
/**
* @expectedException \RuntimeException
* @expectedExceptionMessage Case mismatch between loaded and declared class names
*/
publicfunctiontestPsr4CaseMismatch()
{
@@ -185,7 +204,7 @@ class DebugClassLoaderTest extends TestCase
$xError=array(
'type'=>E_USER_DEPRECATED,
'message'=>'The "Test\Symfony\Component\Debug\Tests\\'.$class.'" class '.$type.' "Symfony\Component\Debug\Tests\Fixtures\\'.$super.'" that is deprecated but this is a test deprecation notice.',
'message'=>'The "Test\Symfony\Component\Debug\Tests\\'.$class.'" class '.$type.' "Symfony\Component\Debug\Tests\Fixtures\\'.$super.'" that is deprecated but this is a test deprecation notice',
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
