[Security] Notify that symfony/expression-language is not installed if ExpressionLanguage is used #25823
Conversation
| @@ -13,6 +13,10 @@ | ||
|
|
||
| use Symfony\Component\ExpressionLanguage\ExpressionLanguage as BaseExpressionLanguage; | ||
|
|
||
| if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) { | ||
| throw new \LogicException('Install symfony/expression-language'); |
There was a problem hiding this comment.
To be consistent with (the most) similar exceptions already in the code, what about throwing a \RuntimeException with a more precise message like "The ExpressionLanguage class requires the "ExpressionLanguage" component. Install "symfony/expression-language" to use it." ?
There was a problem hiding this comment.
Ok, thanks!
abbe5b7 to
ef25395
Compare
| @@ -14,6 +14,10 @@ | ||
| use Symfony\Component\ExpressionLanguage\ExpressionFunction; | ||
| use Symfony\Component\ExpressionLanguage\ExpressionFunctionProviderInterface; | ||
|
|
||
| if (!interface_exists('Symfony\Component\ExpressionLanguage\ExpressionFunctionProviderInterface')) { | ||
| throw new \RuntimeException('The ExpressionLanguage class requires the "ExpressionLanguage" component. Install "symfony/expression-language" to use it.'); |
There was a problem hiding this comment.
The name of this class is "ExpressionLanguageProvider".
There was a problem hiding this comment.
Sorry, I've done in a hurry, like a monkey with copy and paste.
| @@ -13,6 +13,10 @@ | ||
|
|
||
| use Symfony\Component\ExpressionLanguage\ExpressionLanguage as BaseExpressionLanguage; | ||
|
|
||
| if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) { | ||
| throw new \RuntimeException('The ExpressionLanguage class requires the "ExpressionLanguage" component. Install "symfony/expression-language" to use it.'); | ||
| } |
There was a problem hiding this comment.
Unfortunately this approach will not work. The class must be in the "else".
There was a problem hiding this comment.
Why ? If an exception is thrown PHP will never reach the class declaration and won't try to find the parent class.
There was a problem hiding this comment.
because PHP parses class ahead of time, we already got bitten by that in the past
There was a problem hiding this comment.
Yes some things are done ahead of time for class declarations, but in the case we have here it works without having to put the whole class in an else clause : https://3v4l.org/mELj9
There was a problem hiding this comment.
we already merged such kind of code, and it broke, opcache involved maybe
I wouldn't take the risk another time
There was a problem hiding this comment.
@nicolas-grekas I've modified my commit in according with your suggestions. I hope is all ok, thank you.
| @@ -14,6 +14,10 @@ | ||
| use Symfony\Component\ExpressionLanguage\ExpressionFunction; | ||
| use Symfony\Component\ExpressionLanguage\ExpressionFunctionProviderInterface; | ||
|
|
||
| if (!interface_exists('Symfony\Component\ExpressionLanguage\ExpressionFunctionProviderInterface')) { |
There was a problem hiding this comment.
Done really need that logic on this class? Looks superfluous to me, but I may be missing something.
There was a problem hiding this comment.
you are right, this class also used in ExpressionLanguage.
ef25395 to
175d0ed
Compare
| */ | ||
| class ExpressionLanguage extends BaseExpressionLanguage | ||
| { | ||
| if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) { |
There was a problem hiding this comment.
CS comment: should use BaseExpressionLanguage::class here, and
| class ExpressionLanguage extends BaseExpressionLanguage | ||
| { | ||
| if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) { | ||
| throw new \RuntimeException('The ExpressionLanguage class requires the "ExpressionLanguage" component. Install "symfony/expression-language" to use it.'); |
There was a problem hiding this comment.
The "%s" class, with FQCN and double quotes around, with ExpressionLanguage::class given
There was a problem hiding this comment.
It's not the case in others similar messages (in the Serializer component for example). I guess we should harmonize them ?
There was a problem hiding this comment.
Actually not: we don't harmonize such CS things because they create merge conflicts when merging lower branches into upper ones.
47bd5c6 to
b16cdc8
Compare
| class ExpressionLanguage extends BaseExpressionLanguage | ||
| { | ||
| if (!class_exists(BaseExpressionLanguage::class)) { | ||
| throw new \RuntimeException(sprintf('The "%s" class requires the "ExpressionLanguage" component. Install "symfony/expression-language" to use it.', ExpressionLanguage::class)); |
There was a problem hiding this comment.
👍 for this. To make the language consistent with other spots:
The "%s" class requires the "ExpressionLanguage" component. Try running "composer require symfony/expression-language".
Is there a specific time when this class is used? I mean, obviously, if you reference the class directly, it's used :). But is it if you try to use expressions inside, for example, access_control? I'm asking only because if there is a specific use-case that activates this class 99% of the time, it might be better to mention that use case (e.g. "To use expressions in access_control, you must install...") versus saying that that ExpressionLanguage class requires the component (when the user is not really interacting with this class directly, so might not be sure where this is coming from)
There was a problem hiding this comment.
I've updated the message, for the rest i don't know if in the future someone will use this class without install ExpressionLanguage.
b16cdc8 to
d58d73f
Compare
|
I wonder if we did that for other classes that extend classes coming from optional dependencies in the past. And if not, why should we do that now for this particular class only? |
| class ExpressionLanguage extends BaseExpressionLanguage | ||
| { | ||
| if (!class_exists(BaseExpressionLanguage::class)) { | ||
| throw new \RuntimeException(sprintf('The "%s" class requires the "ExpressionLanguage" component. Try running "composer require symfony/expression-language".', ExpressionLanguage::class)); |
…f ExpressionLanguage and ExpressionLanguagePrivider are used
d58d73f to
6aa2b7c
Compare
|
Thank you @giovannialbero1992. |
…installed if ExpressionLanguage is used (giovannialbero1992) This PR was merged into the 3.4 branch. Discussion ---------- [Security] Notify that symfony/expression-language is not installed if ExpressionLanguage is used | Q | A | ------------- | --- | Branch? | master for features / 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #25742 | License | MIT | Doc PR | not requested Commits ------- 6aa2b7c [Security] Notify that symfony/expression-language is not installed if ExpressionLanguage and ExpressionLanguagePrivider are used
This is broken since sf 3.4.4, see symfony/symfony#25823 One of api platforms listener depends on a file that now throws if it is loaded and the expression language component is missing. The solution is to avoid creating the service if the component is missing. This fixes an error people will have even if they do not use the access_control annotation attribute.
This is broken since sf 3.4.4, see symfony/symfony#25823 One of api platforms listener depends on a file that now throws if it is loaded and the expression language component is missing. The solution is to avoid creating the service if the component is missing. This fixes an error people will have even if they do not use the access_control annotation attribute.
This is broken since sf 3.4.4, see symfony/symfony#25823 One of api platforms listener depends on a file that now throws if it is loaded and the expression language component is missing. The solution is to avoid creating the service if the component is missing. This fixes an error people will have even if they do not use the access_control annotation attribute.
This is broken since sf 3.4.4, see symfony/symfony#25823 One of api platforms listener depends on a file that now throws if it is loaded and the expression language component is missing. The solution is to avoid creating the service if the component is missing. This fixes an error people will have even if they do not use the access_control annotation attribute.
This is broken since sf 3.4.4, see symfony/symfony#25823 One of api platforms listener depends on a file that now throws if it is loaded and the expression language component is missing. The solution is to avoid creating the service if the component is missing. This fixes an error people will have even if they do not use the access_control annotation attribute.
Uh oh!
There was an error while loading. Please reload this page.