Last Days of Symfony Black Friday 2021 Deals

Symfony Black Friday 2021 deals will end in just three days, on Monday, November 29, 2021. Here's a quick recap of this year's deals:

30% discount on Symfony and Twig certifications

  • Certification exams are online, so you can take them from your home or office from anywhere in the world;
  • You can take the exam up to one year after your voucher purchase;
  • Vouchers are valid for any present or future Symfony exam version, so you will be allowed to take the upcoming Symfony 6 exam whe

4y | Symfony
New in Symfony 5.4: Profiler improvements

In addition to the redesigned logs panel, Symfony 5.4 includes other improvements related to the Symfony profiler.

Conditional profiling

Contributed by Kévin Dunglas in #43138.

The Symfony profiler provides an immense amount of debug information to quickly find the cause of any problem. However, that comes at a price, because the profiler must collect all that information while serving the r

4y | Symfony
Two weeks left before SymfonyWorld Online 2021 Winter Edition, book your ticket now!

The SymfonyWorld Online 2021 Winter Edition conference will take place in just two weeks, on December 9-10, 2021. The event includes 25 talks covering a wide range of topics related to Symfony and its ecosystem:

  • Talks are in English and they provide manually-reviewed subtitles in English;
  • You won't miss a talk, because all of them are recorded in video and published for attendees right after the conference;
  • You can watch the talk videos as many times as you want after the event

4y | Symfony
New in Symfony 5.4: Messenger Improvements

Configurable handlers with PHP attributes

Contributed by Alireza Mirsepassi in #43588.

PHP attributes are a great way of adding metadata to PHP code. In Symfony we're adding the option of using PHP attributes to configure most things. That's why Symfony 5.4 lets you configure message handlers with attributes. Instead of having to implement the MessageHandlerInterface, you can

4y | Symfony
Symfony 4.4.35 released

Symfony 4.4.35 has just been released. Here is a list of the most important changes:

  • security #cve-2021-41270 [Serializer] Use single quote to escape formulas (@jderusse)
  • bug #44232 [Cache] fix connecting to local Redis sockets (@nicolas-grekas)
  • bug #44204 [HttpClient] fix closing curl multi handle when destructing client (@nicolas-grekas)
  • bug #44208 [Process] exclude argv/argc from possible default env vars (@nicolas-grekas)

Want to upgrade to this new release? Because Symfony

4y | Symfony
Symfony 5.3.12 released

Symfony 5.3.12 has just been released. Here is a list of the most important changes:

  • security #cve-2021-41268 [SecurityBundle] Default signature_properties to the previous behavior (@wouterj)
  • security #cve-2021-41267 [HttpKernel] Fix missing extra trusted header in sub-request (@jderusse)
  • security #cve-2021-41270 [Serializer] Use single quote to escape formulas (@jderusse)
  • bug #44232 [Cache] fix connecting to local Redis sockets (@nicolas-grekas)
  • bug #44204 [HttpClient] fix clos

4y | Symfony
Symfony 6.0.0-RC1 released

Symfony 6.0.0-RC1 has just been released. Here is a list of the most important changes:

  • security #cve-2021-41268 [SecurityBundle] Default signature_properties to the previous behavior (@wouterj)
  • security #cve-2021-41267 [HttpKernel] Fix missing extra trusted header in sub-request (@jderusse)
  • security #cve-2021-41270 [Serializer] Use single quote to escape formulas (@jderusse)
  • bug #44230 [Console] Add Suggestion class for more advanced completion suggestion (@wouterj)
  • bug #44232

4y | Symfony
Symfony 5.4.0-RC1 released

Symfony 5.4.0-RC1 has just been released. Here is a list of the most important changes:

  • security #cve-2021-41268 [SecurityBundle] Default signature_properties to the previous behavior (@wouterj)
  • security #cve-2021-41267 [HttpKernel] Fix missing extra trusted header in sub-request (@jderusse)
  • security #cve-2021-41270 [Serializer] Use single quote to escape formulas (@jderusse)
  • bug #44230 [Console] Add Suggestion class for more advanced completion suggestion (@wouterj)
  • bug #44232

4y | Symfony
CVE-2021-41270: Prevent CSV Injection via formulas

Description

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.

In Symfony 4.1, we added the opt-in csv_escape_formulas option to CsvEncoder, which prefixes every cell starting with =, +, - or @ with a tab (\t).

Since then, OWASP has added two characters to that list:

  • Tab (0x09)
  • Carriage ret

4y | Symfony
CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

Description

When a Symfony application is running behind a proxy or a load balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. Headers that are not part of the "trusted_headers" allow list are ignored, which protects you from cache poisoning attacks.

In Symfony 5.2, we added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests even when it was not part of the "trusted_headers" allow list. An attacker could le

4y | Symfony