This week, Symfony 2.0.19 and 2.1.4 versions were released to address a potential security vulnerability related to Request::getClientIp() method. This security fix also made possible to tweak the algorithm used to determine the trusted client IP and added a way to configure the X-Forwarded header names and a way to disable trusting them.

Development mailing list

Symfony2 development highlights

2.0 branch:

  • ac77c5b: [Form] updated checks for the ICU version from 4.5+ to 4.7+ due to test failures with ICU 4.6
  • 254b110: removed the non-standard Client-IP HTTP header
  • b45873a: fixed algorithm used to determine the trusted client IP
  • 67e12f3, e5536f0: added a way to configure the X-Forwarded-XXX header names and a way to disable trusting them
  • 6a3ba52: fixed the logic in Request::isSecure() (if the information comes from a source that we trust, don't check other ones)

2.1 branch:

  • 7b234db: [HttpFoundation] added a small comment about the meaning of Request::hasSession() as this is a recurrent question

Master branch:

  • 431d593: [TwigBundle] renamed twig.loader to twig.loader.filesystem (this makes possible to use a chain loader)
  • c8e65a2: [Routing] resolved placeholders in hostnamePattern rules
  • 828c95d: [Routing] removed restriction of route names (non-alphanumeric characters are now also allowed)
  • 0a380cf: [HttpFoundation] disabled Request _method feature by default (should now be explicitely enabled via a call to enableHttpMethodOverride())
  • bad50ac: [HttpFoundation] Request::getRealMethod() now returns UPPERCASE
  • 150a138: [Security] fixed cookie creation on loginSuccess in AbstractRememberMeServices

Repository summary: 5,841 watchers (#1 in PHP, #35 overall) and 1,793 forks (#1 in PHP, #15 overall).

They talked about us