Merge branch '2.7' into 2.8

nicolas-grekas · nicolas-grekas · commit 410ed830c5b3 · 2018-12-06T11:12:46.000Z
* 2.7: [Security\Http] detect bad redirect targets using backslashes [Form] Filter file uploads out of regular form types Fix CI minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas) [travis] fix composer.lock invalidation for PRs patching several components [travis] fix composer.lock invalidation for deps=low minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas) [travis] ignore ordering when validating composer.lock files for deps=low minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas) fix ci [travis] fix requiring mongodb/mongodb before composer up minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas) [2.7] Make CI green updated VERSION for 2.7.49 updated CHANGELOG for 2.7.49 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer [HttpFoundation] Remove support for legacy and risky HTTP headers updated VERSION for 2.7.48 update CONTRIBUTORS for 2.7.48 updated CHANGELOG for 2.7.48
diff --git a/CHANGELOG-2.7.md b/CHANGELOG-2.7.md
@@ -7,6 +7,19 @@ in 2.7 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.7.0...v2.7.1
 
+* 2.7.49 (2018-08-01)
+
+ * security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)
+ * security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)
+
+* 2.7.48 (2018-05-25)
+
+ * bug #27359 [HttpFoundation] Fix perf issue during MimeTypeGuesser intialization (nicolas-grekas)
+ * security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured
+ * security #cve-2018-11406 clear CSRF tokens when the user is logged out
+ * security #cve-2018-11385 Adding session strategy to ALL listeners to avoid *any* possible fixation
+ * security #cve-2018-11386 [HttpFoundation] Break infinite loop in PdoSessionHandler when MySQL is in loose mode
+
 * 2.7.47 (2018-05-21)
 
  * bug #26781 [Form] Fix precision of MoneyToLocalizedStringTransformer's divisions on transform() (syastrebov)
diff --git a/src/Symfony/Component/Form/Extension/Core/Type/FileType.php b/src/Symfony/Component/Form/Extension/Core/Type/FileType.php
@@ -105,6 +105,7 @@ public function configureOptions(OptionsResolver $resolver)
             'data_class' => $dataClass,
             'empty_data' => $emptyData,
             'multiple' => false,
+            'allow_file_upload' => true,
         ));
     }
 
diff --git a/src/Symfony/Component/Form/Extension/Core/Type/FormType.php b/src/Symfony/Component/Form/Extension/Core/Type/FormType.php
@@ -231,6 +231,7 @@ public function configureOptions(OptionsResolver $resolver)
             'attr' => $defaultAttr,
             'post_max_size_message' => 'The uploaded file was too large. Please try to upload a smaller file.',
             'upload_max_size_message' => $uploadMaxSizeMessage, // internal
+            'allow_file_upload' => false,
         ));
 
         $resolver->setNormalizer('attr', $attrNormalizer);
diff --git a/src/Symfony/Component/Form/Form.php b/src/Symfony/Component/Form/Form.php
@@ -537,6 +537,11 @@ public function submit($submittedData, $clearMissing = true)
             $submittedData = null;
         } elseif (is_scalar($submittedData)) {
             $submittedData = (string) $submittedData;
+        } elseif ($this->config->getOption('allow_file_upload')) {
+            // no-op
+        } elseif ($this->config->getRequestHandler()->isFileUpload($submittedData)) {
+            $submittedData = null;
+            $this->transformationFailure = new TransformationFailedException('Submitted data was expected to be text or number, file upload given.');
         }
 
         $dispatcher = $this->config->getEventDispatcher();
@@ -546,6 +551,10 @@ public function submit($submittedData, $clearMissing = true)
         $viewData = null;
 
         try {
+            if (null !== $this->transformationFailure) {
+                throw $this->transformationFailure;
+            }
+
             // Hook to change content of the data submitted by the browser
             if ($dispatcher->hasListeners(FormEvents::PRE_SUBMIT)) {
                 $event = new FormEvent($this, $submittedData);
diff --git a/src/Symfony/Component/Form/Tests/CompoundFormTest.php b/src/Symfony/Component/Form/Tests/CompoundFormTest.php
@@ -712,7 +712,7 @@ public function testSubmitPostOrPutRequestWithSingleChildForm($method)
             'REQUEST_METHOD' => $method,
         ));
 
-        $form = $this->getBuilder('image')
+        $form = $this->getBuilder('image', null, null, array('allow_file_upload' => true))
             ->setMethod($method)
             ->setRequestHandler(new HttpFoundationRequestHandler())
             ->getForm();
@@ -1088,6 +1088,21 @@ public function testDisabledButtonIsNotSubmitted()
         $this->assertFalse($submit->isSubmitted());
     }
 
+    public function testFileUpload()
+    {
+        $reqHandler = new HttpFoundationRequestHandler();
+        $this->form->add($this->getBuilder('foo')->setRequestHandler($reqHandler)->getForm());
+        $this->form->add($this->getBuilder('bar')->setRequestHandler($reqHandler)->getForm());
+
+        $this->form->submit(array(
+            'foo' => 'Foo',
+            'bar' => new UploadedFile(__FILE__, 'upload.png', 'image/png', 123, UPLOAD_ERR_OK),
+        ));
+
+        $this->assertSame('Submitted data was expected to be text or number, file upload given.', $this->form->get('bar')->getTransformationFailure()->getMessage());
+        $this->assertNull($this->form->get('bar')->getData());
+    }
+
     protected function createForm()
     {
         return $this->getBuilder()
diff --git a/src/Symfony/Component/Security/Http/HttpUtils.php b/src/Symfony/Component/Security/Http/HttpUtils.php
@@ -59,7 +59,7 @@ public function __construct(UrlGeneratorInterface $urlGenerator = null, $urlMatc
      */
     public function createRedirectResponse(Request $request, $path, $status = 302)
     {
-        if (null !== $this->domainRegexp && preg_match('#^https?://[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
+        if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
             $path = '/';
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
@@ -54,14 +54,28 @@ public function testCreateRedirectResponseWithRequestsDomain()
         $this->assertTrue($response->isRedirect('http://localhost/blog'));
     }
 
-    public function testCreateRedirectResponseWithBadRequestsDomain()
+    /**
+     * @dataProvider badRequestDomainUrls
+     */
+    public function testCreateRedirectResponseWithBadRequestsDomain($url)
     {
         $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
-        $response = $utils->createRedirectResponse($this->getRequest(), 'http://pirate.net/foo');
+        $response = $utils->createRedirectResponse($this->getRequest(), $url);
 
         $this->assertTrue($response->isRedirect('http://localhost/'));
     }
 
+    public function badRequestDomainUrls()
+    {
+        return array(
+            array('http://pirate.net/foo'),
+            array('http:\\\\pirate.net/foo'),
+            array('http:/\\pirate.net/foo'),
+            array('http:\\/pirate.net/foo'),
+            array('http://////pirate.net/foo'),
+        );
+    }
+
     public function testCreateRedirectResponseWithProtocolRelativeTarget()
     {
         $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');

Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,7 @@ public function configureOptions(OptionsResolver $resolver)`
`105`	`105`	`'data_class' => $dataClass,`
`106`	`106`	`'empty_data' => $emptyData,`
`107`	`107`	`'multiple' => false,`
	`108`	`+ 'allow_file_upload' => true,`
`108`	`109`	`));`
`109`	`110`	`}`
`110`	`111`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ public function __construct(UrlGeneratorInterface $urlGenerator = null, $urlMatc`
`59`	`59`	`*/`
`60`	`60`	`public function createRedirectResponse(Request $request, $path, $status = 302)`
`61`	`61`	`{`
`62`		`- if (null !== $this->domainRegexp && preg_match('#^https?://[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {`
	`62`	`+ if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {`
`63`	`63`	`$path = '/';`
`64`	`64`	`}`
`65`	`65`