This week, Symfony 2.0.19 and 2.1.4 were released to address a potential security vulnerability in the Request::getClientIp() method. The fix also made it possible to tweak the algorithm used to determine the trusted client IP, and added a way to configure the X-Forwarded header names as well as a way to disable trusting them altogether. The underlying point is that X-Forwarded-* headers are written by whoever sends the request, so they are only meaningful when the immediate peer is a proxy you control; anything else must fall back to the connection's own REMOTE_ADDR.
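The following is an added, stand-alone illustration of the trusted-proxy approach the release notes describe; it is not Symfony's code and does not use its API. It models the three ideas above (a configurable header name, the option to disable header trust, and consulting a trusted source first) in plain Python, with constructed sample requests. Function names such as `trusted_client_ip` and the network `10.0.0.0/8` are assumptions of this example. It puts the unsafe pattern beside the hardened one so the spoofing case is visible.

```python
"""Trusted-proxy client IP resolution, modelled on the idea behind the fix in
Symfony 2.0.19 / 2.1.4 described above. Added illustration, not Symfony's code:
the function names and sample requests below are constructed for this example."""

import ipaddress
from typing import Iterable, Mapping


def build_trusted(proxies: Iterable[str]) -> list:
    """Accept single addresses ("10.0.0.1") or CIDR ranges ("10.0.0.0/8")."""
    return [ipaddress.ip_network(p, strict=False) for p in proxies]


def is_trusted(addr: str, trusted: list) -> bool:
    """True if addr lies in one of the trusted networks. Raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def parse_forwarded_for(value: str) -> list:
    """Split a comma-separated X-Forwarded-For value; leftmost = claimed origin."""
    return [p.strip() for p in value.split(",") if p.strip()]


def naive_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The pattern the fix moves away from: believe X-Forwarded-For from any peer.
    Anyone connecting directly can set this header and impersonate any address."""
    xff = headers.get("X-Forwarded-For")
    return parse_forwarded_for(xff)[0] if xff else remote_addr


def trusted_client_ip(remote_addr, headers, trusted, header_name="X-Forwarded-For"):
    """
    1. Ignore the forwarded header unless the TCP peer itself is a trusted proxy.
    2. Walk the chain from the right (nearest hop first), dropping every address
       that is a trusted proxy; the first untrusted address is the client.
    header_name=None switches header trust off, mirroring the "way to disable
    trusting them" mentioned above; the request then always resolves to the peer.
    """
    if header_name is None or not is_trusted(remote_addr, trusted):
        return remote_addr
    xff = headers.get(header_name)
    if not xff:
        return remote_addr
    chain = parse_forwarded_for(xff) + [remote_addr]
    for addr in reversed(chain):
        try:
            if not is_trusted(addr, trusted):
                return addr
        except ValueError:
            # Malformed hop: the header was tampered with or a proxy is broken.
            # Do not propagate garbage into logs or ACLs; fall back to the peer.
            return remote_addr
    # Every hop was a trusted proxy: the request came from inside the proxy tier.
    return remote_addr


def is_secure(remote_addr, headers, trusted, server_https=False) -> bool:
    """Scheme detection in the spirit of 6a3ba52: when a trusted proxy states the
    original scheme, that answer is final and the local socket is not consulted.
    Only the literal value "https" is accepted here (a choice of this example)."""
    if is_trusted(remote_addr, trusted):
        proto = headers.get("X-Forwarded-Proto")
        if proto:
            return proto.split(",")[0].strip().lower() == "https"
    return server_https


if __name__ == "__main__":
    trusted = build_trusted(["10.0.0.0/8"])
    # Constructed request: a direct client trying to spoof its address and scheme.
    spoof = {"X-Forwarded-For": "203.0.113.9", "X-Forwarded-Proto": "https"}
    print(naive_client_ip("198.51.100.7", spoof))             # 203.0.113.9 (spoofed)
    print(trusted_client_ip("198.51.100.7", spoof, trusted))  # 198.51.100.7
    print(is_secure("198.51.100.7", spoof, trusted))          # False
    # Constructed request: client behind a trusted proxy, injecting a fake first hop.
    fwd = {"X-Forwarded-For": "1.2.3.4, 203.0.113.9"}
    print(trusted_client_ip("10.0.0.1", fwd, trusted))        # 203.0.113.9
```

The right-to-left walk is what defeats the common trick of prepending a fake address: the proxy appends the real peer to the right of whatever the client sent, so the first untrusted hop seen from the proxy side is the genuine client. Malformed hops deliberately resolve to the peer address rather than being passed through to logs or access-control lists.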

Symfony2 development highlights

2.0 branch:

  • ac77c5b: [Form] updated checks for the ICU version from 4.5+ to 4.7+ due to test failures with ICU 4.6
  • 254b110: removed the non-standard Client-IP HTTP header
  • b45873a: fixed algorithm used to determine the trusted client IP
  • 67e12f3, e5536f0: added a way to configure the X-Forwarded-XXX header names and a way to disable trusting them
  • 6a3ba52: fixed the logic in Request::isSecure() (if the information comes from a source that we trust, don't check other ones)

2.1 branch:

  • 7b234db: [HttpFoundation] added a small comment about the meaning of Request::hasSession() as this is a recurrent question

Master branch:

  • 431d593: [TwigBundle] renamed twig.loader to twig.loader.filesystem (this makes it possible to use a chain loader)
  • c8e65a2: [Routing] resolved placeholders in hostnamePattern rules
  • 828c95d: [Routing] removed restriction of route names (non-alphanumeric characters are now also allowed)
  • 0a380cf: [HttpFoundation] disabled Request _method feature by default (should now be explicitly enabled via a call to enableHttpMethodOverride())
  • bad50ac: [HttpFoundation] Request::getRealMethod() now returns UPPERCASE
  • 150a138: [Security] fixed cookie creation on loginSuccess in AbstractRememberMeServices

Repository summary: 5,841 watchers (#1 in PHP, #35 overall) and 1,793 forks (#1 in PHP, #15 overall).

Published in #A week of symfony