
Re: Request for testing - symfony


On 02/03/2019 18:46, Roberto C. Sánchez wrote:
> I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4)
> which is in need of testing.  I intend to upload in one week's time if I do
> not receive any reports of problems.  Read on for details if you are in
> a position to help with testing these packages.
>
> I attempted to test the changes myself (I am familiar with PHP) but it
> turns out that Symfony is an entirely different sort of matter.  In
> particular, the Debian package itself contains no documentation about
> how to set up even a basic Symfony app, and all of the online
> documentation is geared toward the upstream preferred installation
> method which, among other things, requires downloading an installer
> script and ends up creating a symfony executable binary.
>
> In any event, my attempts at testing have so far been unable to overcome
> these obstacles and I fear that continuing to try to figure this out for
> myself will only result in lots of wasted time and effort.
>
> To that end, I am requesting that anyone out there using Symfony on
> jessie and familiar with it please consider installing this upload
> candidate and report any issues encountered.
>
> Note that upstream has a very robust unit test suite and I made sure to
> include any new or updated unit tests with each upstream commit that I
> backported.
>
> The packages may be downloaded here: https://people.debian.org/~roberto/
>
> symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high
>   * Non-maintainer upload by the LTS Team.
>   * Cherry-pick upstream commit to fix unit test regression caused by PHP
>     5.6.27 (specifically, the fix for PHP bug 72972)
>   * Fix additional unit test failures resulting from dates too far in the past
>   * Cherry-pick upstream commits to fix security issues
>     + Fix CVE-2017-16652: [Security] Validate redirect targets using the
>       session cookie domain
>     + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
>     + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
>       *any* possible fixation
>     + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
>       be configured
>     + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
>       HTTP headers
>     + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types
>     + Fix CVE-2018-19790: [Security\Http] detect bad redirect targets using
>       backslashes
>  -- Roberto C. Sanchez <roberto@debian.org>  Fri, 01 Mar 2019 09:20:42 -0500

I haven't touched Symfony in a while, but I can contribute a few bits:

- The symfony installer is not packaged in Debian.
I tried to run an old version from git but couldn't find the appropriate
tag matching symfony 2.3.21 (which the Symfony installers depends on (sic)).
This makes me wonder if the Symfony Framework is used in Debian, or if
only some of its sub-packages are useful.
Alternatively one could use composer, which is not in oldstable (composer
create-project symfony/framework-standard-edition <project-name>).

- The closest I could get to a test environment is:
curl -LsS https://symfony.com/installer -o /usr/local/bin/symfony
apt install php5-mysql
symfony new myproject 2.3.22  # .21 N/A - we'll ditch this one anyway
cd myproject/
mv vendor/symfony/symfony/src/Symfony vendor/symfony/symfony/src/Symfony.bak
ln -s /usr/share/php/Symfony vendor/symfony/symfony/src/
# edit IP in web/app_dev.php
rm -rf app/bootstrap.php.cache
php app/console server:run

This gives access to a default application and its web control panel.

Not sure if you need people to test for regressions or for the security
fix (or both) :)

Hope this helps,

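The vendor-swap steps above, as an added helper script (not part of this thread): it moves the installer's vendored Symfony aside once, links in the Debian copy, drops the stale bootstrap cache, and confirms via the Kernel.php VERSION constant which tree the project will actually load. It assumes the directory layout used in the thread (vendor/symfony/symfony/src/Symfony and /usr/share/php/Symfony).

```shell
#!/bin/sh
# Added example, not code from the thread: swap a Symfony 2.3 project's
# vendored framework sources for the Debian-packaged copy, with checks,
# so a test run exercises the package under test rather than the
# installer's download. Assumes the layout from the thread and uses the
# Kernel.php VERSION constant as the version probe.

# Print the Symfony version declared under a source tree, or fail.
symfony_version_of() {
    kernel="$1/Component/HttpKernel/Kernel.php"
    [ -f "$kernel" ] || return 1
    sed -n "s/.*const VERSION *= *'\([^']*\)'.*/\1/p" "$kernel" | head -n 1
}

# link_debian_symfony PROJECT [DEBIAN_SRC]
# Moves the vendored tree to Symfony.bak (once) and symlinks the Debian copy.
link_debian_symfony() {
    project=$1
    debian_src=${2:-/usr/share/php/Symfony}
    vendor_dir="$project/vendor/symfony/symfony/src"
    vendored="$vendor_dir/Symfony"

    [ -d "$debian_src" ] || { echo "no Debian Symfony at $debian_src" >&2; return 1; }
    [ -d "$vendor_dir" ] || { echo "not a Symfony project: $project" >&2; return 1; }

    # Never clobber an earlier backup; a second run is a harmless no-op.
    if [ -L "$vendored" ]; then
        echo "already linked: $vendored -> $(readlink "$vendored")" >&2
    elif [ -d "$vendored" ]; then
        [ -e "$vendored.bak" ] && { echo "backup exists: $vendored.bak" >&2; return 1; }
        mv "$vendored" "$vendored.bak"
        ln -s "$debian_src" "$vendored"
    else
        echo "no vendored Symfony at $vendored" >&2; return 1
    fi

    # Drop the stale class cache so the linked sources are what gets loaded.
    rm -f "$project/app/bootstrap.php.cache"

    # Report what the project now loads; refuse anything but a 2.3 tree.
    ver=$(symfony_version_of "$vendored") || { echo "no Kernel.php in linked tree" >&2; return 1; }
    case "$ver" in
        2.3.*) echo "project now loads Symfony $ver from $debian_src" ;;
        *) echo "unexpected Symfony version '$ver' in $debian_src" >&2; return 1 ;;
    esac
}
```

Run it as `sh link-debian-symfony.sh` after sourcing, or call `link_debian_symfony /path/to/myproject` from an interactive shell; it prints the version the app will load from the Debian tree.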