Symfony 4.2.7 has just been released. Here is a list of the most important changes:

• bug #31107 [Routing] fix trailing slash redirection with non-greedy trailing vars (@nicolas-grekas)
• bug #31108 [FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy (@nicolas-grekas)
• bug #31121 [HttpKernel] Fix get session when the request stack is empty (@yceruto)
• bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (@vermeirentony)
• bug #31142 Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" (@chalasr)
• security #cve-2019-10910 [DI] Check service IDs are valid (@nicolas-grekas)
• security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (@stof)
• security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (@nicolas-grekas)
• security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (@pborreli)
• security #cve-2019-10913 [HttpFoundation] reject invalid method override (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy.Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Affected versions

Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony HttpFoundation component are affected by this security issue.

The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore.

Description

HTTP methods, from either the HTTP method itself or using the X-Http-Method-Override header were previously returned as the method in question without validation being done on the string, meaning that they could be used in dangerous contexts when left unescaped.

Resolution

HTTP methods are now only allowed to contain ASCII letters (A-Z).

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank mschop for reporting the issue and Nicolas Grekas for fixing it.

Affected versions

Symfony 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Cache component are affected by this security issue.

The issue has been fixed in Symfony 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore and that 2.7 is unaffected.

Description

When unserialize() is called with content coming from user input, malicious payloads could be used to trigger file deletions or raw output being echoed.

Resolution

We now prevent some classes from being serialized or unserialized.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Mindaugas Vedegys for reporting the issue and Nicolas Grekas for fixing the issue.

Affected versions

Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of Symfony Framework Bundle templating are affected by this security issue.

The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore.

Description

Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.

Resolution

Ensuring validation form messages are wrapped with $view->escape().

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Christophe Coevoet (stof) for reporting & fixing the issue.

Affected versions

Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of Symfony Security component are affected by this security issue.

The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore.

Description

This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).

Resolution

We now separate the various components (username, expires, password) of the cookie hash with colons.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Jon Cave for reporting and Pascal Borreli & Michael Cullum for fixing the issue.

Affected versions

Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Dependency Injection component are affected by this security issue.

The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore.

Description

Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.

Resolution

On setting of an alias or a service we both confirm that the id does not contain certain characters and that ids are escaped while being dumped.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Nicolas Grekas for reporting & fixing the issue.

This week, Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7 versions were released to address some security issues. Meanwhile, the upcoming Symfony 4.3 version added a native password hasher which chooses the best hashing algorithm automatically.

Symfony development highlights

This week, 44 pull requests were merged (33 in code and 11 in docs) and 52 issues were closed (40 in code and 12 in docs). Excluding merges, 24 authors made 6,899 additions and 1,910 deletions. See details for code and docs.

3.4 changelog:

• 81d11c3: [Form] workaround for \DateInterval::createFromDateString
• 84ee311: [HttpFoundation] reject invalid method override
• 0a4ed67: [Security] added a separator in the remember me cookie hash
• d77e445: [Cache, PHPUnit Bridge] prevent destructors with side-effects from being unserialized
• 4585a41: [FrameworkBundle, Form] fixed XSS issues in the form theme of the PHP templating engine
• 47cd029: [DependencyInjection] check service IDs are valid
• 1311324: [HttpFoundation] made MimeTypeExtensionGuesser case insensitive
• f458e5b: [Validator] updated the Tagalog translation

4.2 changelog:

• c009e60: [HttpKernel] fixed get session when the request stack is empty
• 74a18bc: [FrameworkBundle] decorated the ValidatorBuilder's translator with LegacyTranslatorProxy
• 2d2ff38: [Routing] fixed trailing slash redirection with non-greedy trailing vars
• cc497a5: [FrameworkBundle] called method with Translator component only
• 243b257: [Routing] fixed matching trailing vars with defaults

Master changelog:

• 238f844: [Serializer] use name converter when normalizing constraint violation list
• e683dfa: [Messenger] removed base64_encode & used addslashes
• 7cf96a4: [Form] show all option normalizers on debug:form command
• a59fe66: [VarDumper] added caster for WeakReference instances of PHP 7.4
• 89ec311: [Security] added NativePasswordEncoder
• d9bcfc3: [PhpUnit Bridge] treat undefined env var as strict mode
• 823d375: [Security] deprecated BCryptPasswordEncoder in favor of NativePasswordEncoder

Newest issues and pull requests

• Built-in password hash migrations
• Split the logic of Response::isNotModified()
• Use ReflectionReference in VarCloner to prepare for PHP 7.4
• [DI] Give services defined by hands higher priority than wildcard defined ones
• [Messenger] Remove StackInterface

They talked about us

• Introducing the league/flysystem-bundle
• Continuously Build, Test, and Deploy with Symfony on Google Cloud
• EU Fossa-2 Hackathons — Co-creating the Future of Open Source
• Symfony 4 upload images using EasyAdmin
• Symfony4 Kubernetes Local Development Environment #3 Ksync
• Why many people are going to migrate from Magento 1 to Sylius?
• Fixtures, the right gestures
• How I integrated myFMApiLibrary for PHP with Symfony 3.4
• Implement a 'Read in your language' link with Symfony
• Symfony 4.2 is used Twice More than Symfony 3.4
• How to start build reusable Symfony Bundle
• Cómo filtrar por un campo en una aplicación Symfony dependiendo del usuario conectado
• Nuevo en Symfony 4.3: Mejoras en los formularios
• Se publican las actualizaciones de seguridad 2.7.51, 2.8.50, 3.4.26, 4.1.12 y 4.2.7
• Nuevo en Symfony 4.3: Declaradas obsoletas las clases Role y SwitchUserRole
• Nouveau bundle LexikCronFileGeneratorBundle
• Implémenter un lien 'Lire dans votre langue' avec Symfony
• Acesso mais Simples aos Dados do Componente Intl no Symfony 4.3

Upcoming Symfony Events

• Monolith turned API Gateway and Static Code Analysis: Berlin, Germany (April 24)
• Symfony User Group Osnabrück: Osnabrück, Germany (May 9)
• 8. PHP Symfony User Group Basel: Basel, Switzerland (May 16)
• Symfony Meetup III / 2019: Frankfurt, Germany (May 28)
• Etwas mit FormTypes, AWS und der Unsplash-API: Hamburg, Germany (June 4)

Call to Action

• Give Symfony a star on GitHub
• Follow Symfony on Twitter and retweet this article.
• Follow Symfony on Medium and clap for this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

Contributed by
Valentin Udaltsov
in #30862.

Generating absolute (and relative) URLs for a given path is a common need in lots of applications. In Twig templates this is trivial thanks to theabsolute_url() and relative_path() functions (don't mistake them for thepath() and url() functions that generate URLs using route names).

In Symfony 4.3 we've extracted the internal logic used by the Twig functions into a new class called Symfony\Component\HttpFoundation\UrlHelper that you can inject as a service anywhere in your application. This class provides two public methods called getAbsoluteUrl() and getRelativePath().

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

useSymfony\Component\HttpFoundation\UrlHelper;classUserApiNormalizer{private$urlHelper;publicfunction__construct(UrlHelper$urlHelper){$this->urlHelper=$urlHelper;}publicfunctionnormalize($user,$format=null,array$context=[]){return['avatar'=>$this->urlHelper->getAbsoluteUrl($user->avatar()->path()),// ...];}// ...}

Contributed by
Matthias Pigulla
in #30964.

The Symfony Reverse Proxy provided by the HttpCache feature is a gateway cache written in PHP. It's not a fully-featured reverse proxy like Varnish, but it can provide a big performance boost without having to install, configure and maintain additional applications or services. That's why some projects use it even in production.

In Symfony 4.3 we've added new configuration options to improve the logging of HttpCache responses. First, the trace_level option tells Symfony which logging information must be included in the response via the X-Symfony-Cache HTTP header:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

// src/CacheKernel.phpnamespaceApp;useSymfony\Bundle\FrameworkBundle\HttpCache\HttpCache;classCacheKernelextendsHttpCache{protectedfunctiongetOptions(){return[// ...// 'none'  = log nothing// 'short' = log only the main request// 'full'  = log the main request and all the sub-requests// default value = 'full' if debug = true; 'none' otherwise'trace_level'=>'short',];}}

The logged value is concise and ready for machine processing (e.g.stale/valid/store). If you use Apache, add %{X-Symfony-Cache}o to theLogFormat directive to include this value in the generated logs.

A use case for this feature is to enable it in production and use a tool to process the generated log info to find the slowest URLs, the ones that need extra cache tweaking, etc.

If you prefer to rename the X-Symfony-Cache HTTP header, use thetrace_header option:

1
2
3
4
5
6
7
8

protectedfunctiongetOptions(){return[// ...'trace_level'=>'short','trace_header'=>'X-Cache-Info-Log',];}

Fun fact: this pull request adds the first usage of the array_key_first() PHP function in Symfony codebase. This function was introduced in PHP 7.3 but if you use a lower PHP version, the Polyfill PHP 7.3 component will provide that function for you.

Contributed by
Titouan Galopin
in #29306 and #30892.

The DomCrawler component eases DOM navigation for HTML and XML documents, making it very useful for functional tests and web scrapers. Internally, this component uses the PHP DOM extension (and methods such as loadHtml()) to parse HTML contents, including HTML5.

Sadly, HTML5 support in PHP DOM extension is far from perfect and it includes some inconsistencies. In contrast, the third-party HTML5-PHP library provides a standards-compliant HTML5 parser and writer written entirely in PHP. Moreover it's been battle-tested in projects such as Drupal and has more than 7 million downloads.

That's why in Symfony 4.3 we've decided to optionally integrate this library in DomCrawler. If you don't make any change in your app, the component will keep using the PHP DOM extension. However, if you install the HTML5-PHP library in your app as follows:

1

$ composer require masterminds/html5

If the parsed content is HTML5 (it starts with <!doctype html>), then the DomCrawler component will use that library automatically.

Contributed by
Jan Schädlich
in #28637.

The Symfony Validator component was originally based on the Java JSR-303 Bean Validation specification. While reviewing the Bean Validation 2.0 (JSR 380) specification, we found some new constraints that could be useful for Symfony applications.

That's why in Symfony 4.3 we've added four new constraints related to numbers:Positive, PositiveOrZero, Negative and NegativeOrZero. Although you could already validate that a number is positive/negative with the comparison constraints (GreaterThan, LessThanOrEqual, etc.) these new constraints will make your code easier to read and understand:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

useSymfony\Component\Validator\ConstraintsasAssert;classPerson{/** @Assert\PositiveOrZero */protected$siblings;// ...}classEmployee{/** @Assert\Positive */protected$income;// ...}classUnderGroundGarage{/** @Assert\NegativeOrZero */protected$level;// ...}classTransferItem{/** @Assert\Negative */protected$withdraw;// ...}

This week, the upcoming Symfony 4.3 version optimized the filesystem and Redis cache when using tags and continued working on timezones and forms improvements. Meanwhile, the first edition of the SymfonyLive Tunis 2019 conference took place with great success.

Symfony development highlights

This week, 62 pull requests were merged (35 in code and 27 in docs) and 54 issues were closed (43 in code and 11 in docs). Excluding merges, 37 authors made 55,793 additions and 2,796 deletions. See details for code and docs.

3.4 changelog:

• d98f783: [WebProfilerBundle] intercept redirections only for HTML format
• 7efaa17: [Validator] updated Dutch translations
• 2774705: [Validator] updated Croatian translations
• 148dca6: [Translator] preserve default domain when extracting strings from php files
• 36c3af4: [TwigBundle] use the apply tag instead of the filter tag

4.2 changelog:

• f50ffa9: [Routing] fixed route URL generation in CLI context
• 571647f: [Form] resolve class name parameters
• 701ff3f: fixed left-associative ternary deprecation warnings for PHP 7.4
• ada9aa0: [Routing] fixed URL matcher edge cases with trailing slash

Master changelog:

• 7e56ef1: [DoctrineBridge] unique mapping setting is optional
• fba11b4: [Cache] added optimized FileSystem & Redis TagAware Adapters
• 77f642e: [Messenger] ease testing and allow forking the middleware stack
• 693094a: [TwigBridge] allow setting file widget label attributes declared in label_attr
• 1725a3c: [Routing] do not encode comma in query and fragment
• 73d303a: [Form] added intltimezone input to TimezoneType

Newest issues and pull requests

• [HttpClient] Allow env variables in scoped_client base_uri
• [DependencyInjection] Improve error message when a service is badly configured
• [Translation] Add Mozilla Fluent support to Translation component
• Rename !tagged to !tagged_iterator
• [RFC][Controller] Make query argument nullable when forwarding requests

They talked about us

• Let's Migrate Symfony Project to Kubernetes! Part 1: Containerizing the Application.
• Symfony4 Kubernetes Local Development Environment #4 Helm
• Store translation messages in database in Symfony
• How we Migrated 54 357-lines Application from Nette to Symfony in 2 People under 80 Hours
• Don't Give Up Your PHP Code for Compiler Passes so Easily
• Symfony Performance Improvements: Tips and Techniques
• Configurando Redis como gestor de sesiones en Symfony
• Symfony: realizando tests con Panther
• Nuevo en Symfony 4.3: Mejoradas las colecciones de servicios
• Twig 3.x obligará a usar namespaces
• Nuevo en Symfony 4.3: Protección frente a motores de búsqueda
• Nuevo en Symfony 4.3: Mejoras en el enrutador
• Plongée dans l'injection de dépendances de Symfony
• Jak jsme zmigrovali 50k řádků kódu z Nette do Symfony za 17 dní ve 2 lidech

Upcoming Symfony Events

• Symfony User Group Munich April Edition: Munich, Germany (April 29)
• Symfony User Group Osnabrück: Osnabrück, Germany (May 9)
• 8. PHP Symfony User Group Basel: Basel, Switzerland (May 16)
• Symfony Meetup III / 2019: Frankfurt, Germany (May 28)
• Etwas mit FormTypes, AWS und der Unsplash-API: Hamburg, Germany (June 4)

Call to Action

• Give Symfony a star on GitHub
• Follow Symfony on Twitter and retweet this article.
• Follow Symfony on Medium and clap for this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

Contributed byKévin Dunglas andFabien Potencier in #21035.

The Symfony Templating component provides the tools needed to build any kind of template system, including the loading of template files from multiple sources, monitoring them for changes and using multiple engines to render them.

In Symfony applications this component allowed using both PHP and Twig to create the templates. However, nearly all developers use Twig to create traditional templates or use the serializer to output data. That's why in Symfony 4.3 we've decided to deprecate the integration of the Templating component in Symfony applications.

This means that, starting from Symfony 5.0, we will remove support for using PHP templates and PHP form themes. You'll need to use Twig for those templates. In addition to deprecating several classes, services and service tags, thehinclude_default_template configuration option has been moved to thefragments section:

1
2
3
4
5
6

# config/packages/framework.yaml
framework:
    # ...-    templating:+    fragments:
        hinclude_default_template: hinclude.html.twig

Although the number of people using PHP templates in Symfony applications is minimal compared to Twig, if enough people would volunteer to work on an alternative solution, we'd consider the creation of a new PHPTemplateBundle that provides all the deprecated classes and support files. If you are willing to help, create an issue in the main Symfony GitHub repository to kick off the discussion around this.

Improving your productivity as developer is one of our main obsessions. That's why we work so hard on improving DX (developer experience), reword the error messages until they are crystal clear, improve the performance of the development environment and continue adding features to MakerBundle.

We also make lots of improvements to symfony.com, usually too small to announce them. However, yesterday we added an important new feature to symfony.com that will make you more productive: code examples now display a "Copy code" button.

Click on the blue rounded icon located at the top right of each code example to copy those contents into your clipboard:

For the moment, the "Copy Code" button is not available in console/terminal examples and in "code diff" examples. The reason is that those examples usually contain more contents than what you really want to copy. We'll try to add support for them in the future.

We've tested this feature successfully in multiple combinations of operating systems, devices and browsers, but if you find any issue, please report it to us on GitHub or the comments below.

Symfony 3.4.27 has just been released. Here is a list of the most important changes:

• bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service resettable (dmaicher)" (@nicolas-grekas)
• bug #31326 fix ConsoleFormatter - call to a member function format() on string (@keksa)
• bug #31331 [Workflow] Fixed dumping when many transition with same name exist (@lyrixx)
• bug #31302 [FramworkBundle] mark any env vars found in the ide setting as used (@nicolas-grekas)
• bug #31290 [TwigBundle] Use the apply tag instead of the filter tag (@greg0ire)
• bug #31275 [Translator] Preserve default domain when extracting strings from php files (@Stadly)
• bug #31213 [WebProfilerBundle] Intercept redirections only for HTML format (@javiereguiluz)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy.Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Symfony 4.2.8 has just been released. Here is a list of the most important changes:

• bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service resettable (dmaicher)" (@nicolas-grekas)
• bug #31326 fix ConsoleFormatter - call to a member function format() on string (@keksa)
• bug #31331 [Workflow] Fixed dumping when many transition with same name exist (@lyrixx)
• bug #31302 [FramworkBundle] mark any env vars found in the ide setting as used (@nicolas-grekas)
• bug #31290 [TwigBundle] Use the apply tag instead of the filter tag (@greg0ire)
• bug #31275 [Translator] Preserve default domain when extracting strings from php files (@Stadly)
• bug #31240 Fix url matcher edge cases with trailing slash (@arjenm)
• bug #31201 [Form] resolve class name parameters (@xabbuh)
• bug #31213 [WebProfilerBundle] Intercept redirections only for HTML format (@javiereguiluz)
• bug #31210 [PhpUnitBridge] fix reading phpunit.xml on bootstrap (@nicolas-grekas)
• bug #31023 [Routing] Fix route URL generation in CLI context (@X-Coder264)
• bug #31117 [FrameworkBundle] fix math depth handler configuration (@Raulnet)
• bug #31182 [Routing] fix trailing slash matching with empty-matching trailing vars (@nicolas-grekas)
• bug #31167 [Routing] fix matching trailing vars with defaults (@nicolas-grekas)
• bug #31164 [Validator] fix LegacyTranslatorProxy (@nicolas-grekas)
• bug #31156 [FrameworkBundle] call method with Translator component only (@xabbuh)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy.Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

There are many ways to contribute to the Symfony community besides submitting Pull Requests to the GitHub-Repository, from reviewing issues to joining discussions on Slack. I particularly enjoy answering questions on Stack Overflow.

Most of my questions on Stack Overflow are from when I first started out writing PHP and when I first tried Symfony a few years ago. Even though I rarely post a question, I sometimes go through the motions and solve my problem along the way. This post is meant as a guide to improve how we interact on Stack Overflow both when answering and asking questions, making it a welcoming part of the Symfony community.

Unfortunately, there is a barrier of entry to Stack Overflow as you need to unlock certain functionalities by “earning” points. Another complaint raised is a dismissive attitude by people answering questions and admittedly I have noticed this in some of my past comments as well. One, if not the, major complaint from seasoned Stack Overflow users is the steady decline in quality. It is almost like a rite of passage getting to a point where you proclaim this to others. To be fair, I don’t think that is actually the case and more a bias from noticing repeated questions more easily when you have been around for longer or just having more experience, making certain questions seem obvious. It’s like watching someone work on a puzzle you already solved. You only see the path to the correct solution, whereas they see all the options available to them without knowing where they lead. This can become frustrating and hopefully this guide, will make future experiences more enjoyable.

Voting on questions and answers

As I mentioned before, new members on Stack Overflow face a few roadblocks to meaningfully participate in conversations. Conversely, seasoned members hold a degree of power over them, being able to vote on their questions and answers, determining whether they receive or lose points. This can be a deciding factor on how welcome someone might feel and allow them to, e.g. ask for additional feedback or posting an idea in a comment. This can be doubly negative, since answers that are comments will usually be closed, making them feel their input is not valued.

Spending your daily votes on up-voting questions, especially from new members even if it might be a duplicate or easy to solve is a good way to help closing this gap. Whether a question is useful is not necessarily tied to how challenging you find it. Instead of seeing votes primarily as a way to distinguish perceived quality rather look at it as a way to acknowledge the effort of publicly asking for help. This even holds true, when a question needs follow up comments to be able to answer it. Interacting through comments or leading people to the chat is usually more useful than a down vote, as you are able to interact with each other. Up-voting questions makes sure people have enough points to do so and this will hopefully improve everyone’s experience.

Closing questions

From time to time questions need to be closed. This is not to say that it was a bad question. Since Stack Overflow aims to be a knowledge base useful to many people, moderating the open questions makes it easier to find what others found useful. Despite offering a wide range of reasons why something was flagged for close, it can still be discouraging. I try to mitigate this by also leaving a comment and, if possible, guide to alternative means or how to improve a possible follow up question. This is even something that is automated when you mark a question as duplicate, as this will automatically leave a comment in your name pointing to the previously answered questions.

Asking the “right” question

Asking a question in a way so people trying to answer it have all necessary information and context requires a multitude of skills such as establishing a methodical approach, a certain degree of background knowledge, experience both with the problem at hand as well as with debugging and answering questions and sometimes even requiring special tools, like a profiler or being proficient with a version control system. They are immensely useful skills to have but no one can be asked to have them right away and naturally some might be more important than others in your day to day life or just come easier to you.

Usually when I ask a question on Stack Overflow, I try to cover the following three main questions in that order:

What do I want to achieve?

This can be as short as a single sentence or even just a link to a resource I am using, as long as it helps someone who has no context to know why I am having troubles. Most of the times, this is also the subject of my question. The clearer I can describe it the more likely I am to find a similar question in the suggestions provided when typing in the subject.

What is the problem I have?

When my problem is an error, I will usually post the whole message including the stack trace and then go through it to make sure it does not contain any sensitive information. When the problem is not as clear, e.g. when something has a different result than what I expected, I explain what I expected and why and how the outcome differs. I find it helpful to get that point across with data or pictures, instead of writing long explanations. Especially when comparing expected vs. actual data I try to provide it in a format that is easily reusable. That means both as formatted text to allow copy & pasting as well as making the data-set as small as possible to help people see, where it differs.

How to reproduce the problem?

This is usually the trickiest part for me, as sometimes it can be unclear what is causing the problem in the first place. I try to give a step by step guide of what I was doing up until the point when I (first) encountered the problem. The idea is to give something that looks like an installation instruction, so they know exactly what I did and where I might have done something wrong. For this, I try to stick to a certain sentence structure that is common in a certain style of software testing incorporating keywords like:

GIVEN I have X, WHEN I do Y THEN I expect Z (BUT I see A).

Sometimes, I even create a new, minimal example project just for showcasing the issue, that others can check out e.g. on GitHub. This might sound like a lot of effort, but it helps you focus and isolate the issue and when someone attempts to answer, they can provide a solution that fits your example more easily. If that is not possible, I try to identify a few essential parts of the code that others might find useful. Again, when working with an error/exception this tends to be a bit easier, as you can pretty much always copy the function where the error occurs as a good starting point. Try not to copy framework or library code and instead find the first part in the stack trace, that contains one of your own functions. If the problem really is within a library you use, they can always go to the project page and check out the code as long as it’s open source.

Even when I am not sure which part of the code causes the issue, I try to give a rough outline of what I am doing either with pseudo code or by looking for a particularly relevant part of the code, e.g. the controller action being called or some library being used.

When the question/problem I have contains answers to these three questions, I usually feel that it is enough information for others to - at the very least - guide me in the right direction and which I would enjoy answering, as they usually require little to no follow up questions. A similar approach can be used to describe possible bugs in the issue tracker as it allows people to reproduce the issue you have more easily and may provide a good basis for an automated test for the fix as well.

If these questions do not really fit with my question, then I might have to find different questions that help others not familiar with my task and my code answer it. It might also be that Stack Overflow is not the right place to ask. For example, questions like “What is the best way to…” or “Is there a best practice for…” rarely provide a single, “right” answer as they are subjective and are likely to be closed. It might be better to discuss them somewhere else, e.g. Slack or in person on community events like conferences or meetups.

Community moderation

Stack Overflow has its own moderation system and there are no designated moderators for the Symfony community right now, as far as I can tell. Once you have reached a certain score, you will gain access to more and more moderation privileges. Anyone interested in actively moderating can do so by applying filters to their review queue.

This allows for a community driven approach to making everyone using Symfony related tags welcome and ensuring answers and questions will stay relevant, e.g. through edits for newer Symfony version. On the down side this can be potentially problematic as it is not clear who to reach out to, if you encounter problems. While Stack Overflow provides their own support channels you are always welcome to reach out to the Symfony CARE team should you have any problems or questions. There is also a public channel #stackoverflow-mods on Slack where you can get in contact with people who have moderator privileges, e.g. if you would like to have a closed question reopened.

Contributed by
Ryan Weaver
in #30970.

The Messenger component provides a retry mechanism for messages. In Symfony 4.3 we've improved this feature to add a "failure" transport, so that messages that fail on all their retries can be collected in one spot and retried later if wanted.

Consider the following configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

framework:messenger:failure_transport:failedtransports:async:dsn:'amqp://'failed:dsn:'doctrine://default?queue_name=failed'routing:'App\Message\SmsNotification':async

In this setup, SmsNotification would be retried three times on the async transport and then finally sent to the failed transport. You can consume thefailed transport like a normal transport, but you should handle and consume it by one of these new commands:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

$ php bin/console messenger:failed:show  There are 3 messages waiting in the failed transport.  ---  ---------------------------  -------------------  -----  Id   Class                        Failed at            Error  ---  ---------------------------  -------------------  -----  217  App\Message\SmsNotification  2019-04-10 22:12:01  ...  218  App\Message\SmsNotification  2019-04-10 22:12:00  ...  219  App\Message\SmsNotification  2019-04-10 22:11:59  ...  ---  ---------------------------  -------------------  -----  // Run "messenger:failed:show {id} -vv" to see message details

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

$ php bin/console messenger:failed:show 217  There are 3 messages waiting in the failed transport.  -----------  ---------------------------  Class        App\Message\SmsNotification  Message Id   217  Failed at    2019-04-10 22:12:01  Error        ...  Error Class  Exception  Transport    async  -----------  ---------------------------  Re-run command with "-vv" to see more message & error details.  Run "messenger:failed:retry 217" to retry this message.  Run "messenger:failed:purge 217" to delete it.

This week, Symfony 3.4.27 and 4.2.8 maintenance versions were released. Meanwhile, the upcoming Symfony 4.3 version continued working on polishing its new features, specially those related to timezones.

Symfony development highlights

This week, 54 pull requests were merged (40 in code and 14 in docs) and 28 issues were closed (25 in code and 3 in docs). Excluding merges, 24 authors made 23,738 additions and 10,183 deletions. See details for code and docs.

3.4 changelog:

• 885d08c: [Workflow] fixed dumping when many transition with same name exist
• e197c9a: [Validator] updated Japanese translation

4.2 changelog:

• e0b5fb2: [Monolog Bridge] fixed the call to a member function format() on string in ConsoleFormatter
• 0c3c21a: [FrameworkBundle] made debug:container and debug:autowiring ignore starting backslash in service ID

Master changelog:

• ac4b322: [Intl] added timezone offset utilities
• 1f388ae: [Intl] updated timezones to ICU 64.2 + compile zone to country mapping
• b817c6e: [Form] removed default option grouping in TimezoneType
• 707b1df: [WebServerBundle] changed the default pidfile location to cache directory
• 7cd1bdd: [DependencyInjection] improved exception message on missing $ of named argument
• fd755b4: [Translator] add sources when dumping qt files
• 0c78413: [FrameworkBundle] allowed env variables in scoped_client base_uri
• 8fdcd6e: [Intl] compile localized timezone offset name
• fdeb93e: [Messenger] added failure transport support
• 2b923a7: [Validator] allowed intl timezones
• 1e35f24: [Messenger] RoutableMessageBus route to default bus
• d4baa71: [Form] keep preferred choices order in ChoiceType

Newest issues and pull requests

• Add Promises to the Symfony Kernel
• [Console] Store the Input and Output as Command properties

They talked about us

• First EU-FOSSA Hackathon as it happened
• Symfony: Automatically inject a stack of plugins into a service
• Symfony4 Kubernetes Local Development Environment #5 Postgresql, HTTPS, Xdebug
• Nuevo en Symfony 4.3: Serialización nativa de PHP para Messenger
• Nuevo en Symfony 4.3: Eventos más sencillos
• Protéger son application Symfony contre les attaques CSRF
• Récupérer plus simplement l’utilisateur dans un contrôleur Symfony
• Limiter le nombre de tentatives de connexions sous Symfony
• Parser HTML5 Melhorado para o DomCrawler

Upcoming Symfony Events

• Symfony User Group Osnabrück: Osnabrück, Germany (May 9)
• Sfpot May 2019 edition: Paris, France (May 14)
• 8. PHP Symfony User Group Basel: Basel, Switzerland (May 16)
• Symfony Meetup III / 2019: Frankfurt, Germany (May 28)
• Etwas mit FormTypes, AWS und der Unsplash-API: Hamburg, Germany (June 4)

Call to Action

• Give Symfony a star on GitHub
• Follow Symfony on Twitter and retweet this article.
• Follow Symfony on Medium and clap for this article.
• Subscribe to the Symfony blog RSS and never miss a Symfony story again.

Contributed by
Fabien Potencier
in #30416.

Symfony provides more than 60 decoupled components to solve common needs of web and console applications. New Symfony versions usually introduce new components and Symfony 4.3 will be no exception. In this blog post you'll learn about one of those new components: Mime component.

This component helps you create and manipulate the MIME messages used to send emails and provides utilities related to MIME types. The full MIME standard (Multipurpose Internet Mail Extensions) is a set of standards that define additional capabilities for the original text-based emails (such as rich HTML formatting and file attachments).

The Mime component abstracts all that complexity to provide two ways of creating MIME messages. The first one is a high-level API based on theEmail class to quickly create email messages with all the common features:

1
2
3
4
5
6
7
8
9

useSymfony\Component\Mime\Email;$email=(newEmail())->from('fabien@symfony.com')->to('foo@example.com')->subject('Important Notification')->text('Lorem ipsum...')->html('<h1>Lorem ipsum</h1> <p>...</p>');

The other way to create MIME messages is a low-level API based on theMessage class which gives you absolute control over every single part of the email message:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

useSymfony\Component\Mime\Header\Headers;useSymfony\Component\Mime\Message;useSymfony\Component\Mime\Part\Multipart\AlternativePart;useSymfony\Component\Mime\Part\TextPart;$headers=(newHeaders())->addMailboxListHeader('From',['fabien@symfony.com'])->addMailboxListHeader('To',['foo@example.com'])->addTextHeader('Subject','Important Notification');$textContent=newTextPart('Lorem ipsum...');$htmlContent=newTextPart('<h1>Lorem ipsum</h1> <p>...</p>','html');$body=newAlternativePart($textContent,$htmlContent);$email=newMessage($headers,$body);

The Mime component provides many other utilities to create email messages:

• Flexible definition of email addresses using strings, objects, named addresses, etc.
• Image embedding, which is needed when sending complex HTML emails.
• File attachments, using physical files and/or PHP resources.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

useSymfony\Bridge\Twig\Mime\TemplatedEmail;$email=(newTemplatedEmail())->from('fabien@symfony.com')->fo('foo@example.com')// ...// this method defines the path of the Twig template to render->htmlTemplate('messages/user/signup.html.twig')// this method defines the parameters (name => value) passed to templates->context(['expiration_date'=>new\DateTime('+7 days'),'username'=>'foo',]);