migration symfony 5 4 (#300)

* symfony 5.4 (diff dev)

* symfony 5.4 (working)

* symfony 5.4 (update autoload)

* symfony 5.4 (remove swiftmailer mailer implementation)

* symfony 5.4 (php doc and split Global accessor class)


### Impacted packages:

composer require php:">=7.2.5 <8.0.0" symfony/console:5.4.* symfony/dotenv:5.4.* symfony/framework-bundle:5.4.* symfony/twig-bundle:5.4.* symfony/yaml:5.4.* --update-with-dependencies

composer require symfony/stopwatch:5.4.* symfony/web-profiler-bundle:5.4.* --dev --update-with-dependencies
bdalsass
2022-06-16 09:13:24 +02:00
committed by GitHub
parent abb13b70b9
commit 79da71ecf8
2178 changed files with 87439 additions and 59451 deletions


@@ -38,10 +38,8 @@ class ContentSecurityPolicyHandler
* - The request - In case HTML content is fetched via AJAX and inserted in DOM, it must use the same nonce as origin
* - The response - A call to getNonces() has already been done previously. Same nonce are returned
* - They are otherwise randomly generated
*
* @return array
*/
public function getNonces(Request $request, Response $response)
public function getNonces(Request $request, Response $response): array
{
if ($request->headers->has('X-SymfonyProfiler-Script-Nonce') && $request->headers->has('X-SymfonyProfiler-Style-Nonce')) {
return [
@@ -83,7 +81,7 @@ class ContentSecurityPolicyHandler
*
* @return array Nonces used by the bundle in Content-Security-Policy header
*/
public function updateResponseHeaders(Request $request, Response $response)
public function updateResponseHeaders(Request $request, Response $response): array
{
if ($this->cspDisabled) {
$this->removeCspHeaders($response);
@@ -113,10 +111,8 @@ class ContentSecurityPolicyHandler
/**
* Updates Content-Security-Policy headers in a response.
*
* @return array
*/
private function updateCspHeaders(Response $response, array $nonces = [])
private function updateCspHeaders(Response $response, array $nonces = []): array
{
$nonces = array_replace([
'csp_script_nonce' => $this->generateNonce(),
@@ -144,6 +140,12 @@ class ContentSecurityPolicyHandler
continue;
}
if (['\'none\''] === $fallback) {
// Fallback came from "default-src: 'none'"
// 'none' is invalid if it's not the only expression in the source list, so we leave it out
$fallback = [];
}
$headers[$header][$type] = $fallback;
}
$ruleIsSet = true;
@@ -167,22 +169,16 @@ class ContentSecurityPolicyHandler
/**
* Generates a valid Content-Security-Policy nonce.
*
* @return string
*/
private function generateNonce()
private function generateNonce(): string
{
return $this->nonceGenerator->generate();
}
/**
* Converts a directive set array into Content-Security-Policy header.
*
* @param array $directives The directive set
*
* @return string The Content-Security-Policy header
*/
private function generateCspHeader(array $directives)
private function generateCspHeader(array $directives): string
{
return array_reduce(array_keys($directives), function ($res, $name) use ($directives) {
return ('' !== $res ? $res.'; ' : '').sprintf('%s %s', $name, implode(' ', $directives[$name]));
@@ -191,12 +187,8 @@ class ContentSecurityPolicyHandler
/**
* Converts a Content-Security-Policy header value into a directive set array.
*
* @param string $header The header value
*
* @return array The directive set
*/
private function parseDirectives($header)
private function parseDirectives(string $header): array
{
$directives = [];
@@ -214,13 +206,8 @@ class ContentSecurityPolicyHandler
/**
* Detects if the 'unsafe-inline' is prevented for a directive within the directive set.
*
* @param array $directivesSet The directive set
* @param string $type The name of the directive to check
*
* @return bool
*/
private function authorizesInline(array $directivesSet, $type)
private function authorizesInline(array $directivesSet, string $type): bool
{
if (isset($directivesSet[$type])) {
$directives = $directivesSet[$type];
@@ -231,10 +218,10 @@ class ContentSecurityPolicyHandler
return \in_array('\'unsafe-inline\'', $directives, true) && !$this->hasHashOrNonce($directives);
}
private function hasHashOrNonce(array $directives)
private function hasHashOrNonce(array $directives): bool
{
foreach ($directives as $directive) {
if ('\'' !== substr($directive, -1)) {
if (!str_ends_with($directive, '\'')) {
continue;
}
if ('\'nonce-' === substr($directive, 0, 7)) {
@@ -248,7 +235,7 @@ class ContentSecurityPolicyHandler
return false;
}
private function getDirectiveFallback(array $directiveSet, $type)
private function getDirectiveFallback(array $directiveSet, string $type)
{
if (\in_array($type, ['script-src-elem', 'style-src-elem'], true) || !isset($directiveSet['default-src'])) {
// Let the browser fallback on it's own
@@ -261,10 +248,8 @@ class ContentSecurityPolicyHandler
/**
* Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
* a response.
*
* @return array An associative array of headers
*/
private function getCspHeaders(Response $response)
private function getCspHeaders(Response $response): array
{
$headers = [];