Merge branch '4.4' into 5.0

nicolas-grekas · nicolas-grekas · commit f95a62c61a49 · 2020-03-30T13:42:42.000+02:00
* 4.4:
  Fix versions
  [Security/Http] Allow setting cookie security settings for delete_cookies
  [DI] fix generating TypedReference from PriorityTaggedServiceTrait
  [FrameworkBundle] revert to legacy wiring of the session when circular refs are detected
  bumped Symfony version to 3.4.40
  updated VERSION for 3.4.39
  update CONTRIBUTORS for 3.4.39
  updated CHANGELOG for 3.4.39
  [DomCrawler] Fix BC break in assertions breaking Panther
  [BrowserKit] fixed missing post request parameters in file uploads
  update Italian translation
  [Validator] Add missing Hungarian translations
  [Validator] Add the missing translations for the Arabic (ar) locale
  [Validator] Add missing vietnamese translations
  [Console] Fix OutputStream for PHP 7.4
  add German translations
  bug #36157 [Validator] Assert Valid with many groups
  [Validator] Add missing Lithuanian translations
  Fixed some typos
  Add french "at least" constraint translations
diff --git a/Logout/CookieClearingLogoutHandler.php b/Logout/CookieClearingLogoutHandler.php
@@ -38,7 +38,7 @@ public function __construct(array $cookies)
     public function logout(Request $request, Response $response, TokenInterface $token)
     {
         foreach ($this->cookies as $cookieName => $cookieData) {
-            $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain']);
+            $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain'], isset($cookieData['secure']) ? $cookieData['secure'] : false, true, isset($cookieData['samesite']) ? $cookieData['samesite'] : null);
         }
     }
 }
diff --git a/Tests/Firewall/SwitchUserListenerTest.php b/Tests/Firewall/SwitchUserListenerTest.php
@@ -355,7 +355,7 @@ public function testSwitchUserWithReplacedToken()
         $this->assertSame($replacedToken, $this->tokenStorage->getToken());
     }
 
-    public function testSwitchtUserThrowsAuthenticationExceptionIfNoCurrentToken()
+    public function testSwitchUserThrowsAuthenticationExceptionIfNoCurrentToken()
     {
         $this->expectException('Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException');
         $this->tokenStorage->setToken(null);
diff --git a/Tests/Logout/CookieClearingLogoutHandlerTest.php b/Tests/Logout/CookieClearingLogoutHandlerTest.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Http\Tests\Logout;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
@@ -25,7 +26,7 @@ public function testLogout()
         $response = new Response();
         $token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock();
 
-        $handler = new CookieClearingLogoutHandler(['foo' => ['path' => '/foo', 'domain' => 'foo.foo'], 'foo2' => ['path' => null, 'domain' => null]]);
+        $handler = new CookieClearingLogoutHandler(['foo' => ['path' => '/foo', 'domain' => 'foo.foo', 'secure' => true, 'samesite' => Cookie::SAMESITE_STRICT], 'foo2' => ['path' => null, 'domain' => null]]);
 
         $cookies = $response->headers->getCookies();
         $this->assertCount(0, $cookies);
@@ -39,12 +40,16 @@ public function testLogout()
         $this->assertEquals('foo', $cookie->getName());
         $this->assertEquals('/foo', $cookie->getPath());
         $this->assertEquals('foo.foo', $cookie->getDomain());
+        $this->assertEquals(Cookie::SAMESITE_STRICT, $cookie->getSameSite());
+        $this->assertTrue($cookie->isSecure());
         $this->assertTrue($cookie->isCleared());
 
         $cookie = $cookies['']['/']['foo2'];
         $this->assertStringStartsWith('foo2', $cookie->getName());
         $this->assertEquals('/', $cookie->getPath());
         $this->assertNull($cookie->getDomain());
+        $this->assertNull($cookie->getSameSite());
+        $this->assertFalse($cookie->isSecure());
         $this->assertTrue($cookie->isCleared());
     }
 }
diff --git a/composer.json b/composer.json
@@ -18,7 +18,7 @@
     "require": {
         "php": "^7.2.5",
         "symfony/security-core": "^4.4|^5.0",
-        "symfony/http-foundation": "^4.4|^5.0",
+        "symfony/http-foundation": "^4.4.7|^5.0.7",
         "symfony/http-kernel": "^4.4|^5.0",
         "symfony/property-access": "^4.4|^5.0"
     },

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ public function __construct(array $cookies)`
`38`	`38`	`public function logout(Request $request, Response $response, TokenInterface $token)`
`39`	`39`	`{`
`40`	`40`	`foreach ($this->cookies as $cookieName => $cookieData) {`
`41`		`- $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain']);`
	`41`	`+ $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain'], isset($cookieData['secure']) ? $cookieData['secure'] : false, true, isset($cookieData['samesite']) ? $cookieData['samesite'] : null);`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -355,7 +355,7 @@ public function testSwitchUserWithReplacedToken()`
`355`	`355`	`$this->assertSame($replacedToken, $this->tokenStorage->getToken());`
`356`	`356`	`}`
`357`	`357`
`358`		`- public function testSwitchtUserThrowsAuthenticationExceptionIfNoCurrentToken()`
	`358`	`+ public function testSwitchUserThrowsAuthenticationExceptionIfNoCurrentToken()`
`359`	`359`	`{`
`360`	`360`	`$this->expectException('Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException');`
`361`	`361`	`$this->tokenStorage->setToken(null);`