v8.1.0-BETA3
·
286 commits
to 8.1
since this release
v8.1.0-BETA3
fabpot
Fabien Potencier
This tag was signed with the committer’s verified signature.
Changelog (v8.1.0-BETA2...v8.1.0-BETA3)
- data #64307 Release v8.1.0-BETA3
- data #64303 Release v6.4.40
- security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
- security #cve-2026-45754 [Notifier][Lox24] Reject webhooks with missing or invalid token (@nicolas-grekas)
- security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (@nicolas-grekas)
- security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
- security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (@alexandre-daubois)
- security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (@nicolas-grekas)
- security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
- security #cve-2026-45066 [HtmlSanitizer] Fix
allowLinkHosts/allowMediaHostsbypass via URL parser differentials and<area>misclassification (@alexandre-daubois) - security #cve-2026-45069 [Security] Add missing claims in
OidcTokenHandler(@alexandre-daubois) - bug #64301 [TwigBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64300 [TwigBridge] Fix daisyUI form layout and AppVariable locale filtering (@nicolas-grekas)
- bug #64296 [Serializer] Improve normalizer error reporting and deprecations (@nicolas-grekas)
- bug #64297 [Tui] Various fixes and hardenings (@nicolas-grekas)
- bug #64299 [TypeInfo] Harden ObjectShapeType (@nicolas-grekas)
- bug #64294 [RateLimiter] Harden calendar-aligned fixed window mode (@nicolas-grekas)
- bug #64291 [MonologBridge] Harden MailerHandler subject truncation (@nicolas-grekas)
- bug #64290 [Security] Various fixes and hardenings (@nicolas-grekas)
- bug #64287 [Translation] Various fixes and hardenings (@nicolas-grekas)
- bug #64286 [WebProfilerBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64283 [Lock] Various fixes and hardenings (@nicolas-grekas)
- bug #64285 [WebLink] Add missing
Link::AS_*constants forrel=preload/rel=modulepreload(@nicolas-grekas) - feature #64284 [PasswordHasher] Support stdin input and refine warning in security:hash-password (@nicolas-grekas)
- bug #64273 [HttpKernel] Various fixes and hardenings (@nicolas-grekas)
- bug #64276 [Runtime] Various fixes and hardenings (@nicolas-grekas)
- bug #64280 [Workflow] Various fixes and hardenings (@nicolas-grekas)
- bug #64275 [Routing] Fix missing HostTrait in ContentLoaderTrait (@nicolas-grekas)
- bug #64274 [SecurityBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64272 [Mailer] Preserve the sent message object as is when sending it (@nicolas-grekas)
- bug #64243 [HttpClient] Various fixes and hardenings (@nicolas-grekas)
- bug #64269 [HttpFoundation] Various fixes and hardenings (@nicolas-grekas)
- bug #64268 [FrameworkBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64263 [ExpressionLanguage] Various fixes and hardenings (@nicolas-grekas)
- bug #64262 [EventDispatcher] Various fixes and hardenings (@nicolas-grekas)
- bug #64256 [DomCrawler] Various fixes and hardenings (@nicolas-grekas)
- bug #64254 [DependencyInjection] Various fixes and hardenings (@nicolas-grekas)
- bug #64252 [AssetMapper] Various fixes and hardenings (@nicolas-grekas)
- bug #64251 [ObjectMapper] Various fixes and hardenings (@nicolas-grekas)
- bug #64250 [CssSelector] Various fixes and hardenings (@nicolas-grekas)
- bug #64249 [Form] Various fixes and hardenings (@nicolas-grekas)
- bug #64248 [Mailer] Various fixes and hardenings (@nicolas-grekas)
- bug #64239 [Validator] Various fixes and hardenings (@nicolas-grekas)
- bug #64237 [Messenger] Various fixes and hardenings (@nicolas-grekas)
- bug #64242 [TwigBridge] Require Twig to 3.25 for
EscaperRuntimeservice definition (@GromNaN) - bug #64258 [DomCrawler] Fix
ChoiceFormField::addChoice()clobbering values on multi-selects (@nicolas-grekas) - bug #64261 [Messenger] Fix PhpSerializer::getMessageType() when getting payload with Serializable instances (@nicolas-grekas)
- bug #64207 [MonologBridge] Fix
interactive_onlynot preventing propagation (@philbates35) - bug #64241 [JsonStreamer] Various fixes and hardenings (@nicolas-grekas)
- bug #64255 [DoctrineBridge] Various fixes and hardenings (@nicolas-grekas)
- bug #64246 [Console] Various fixes and hardenings (@nicolas-grekas)
- bug #64244 [Semaphore] Various fixes and hardenings (@nicolas-grekas)
- bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (@nicolas-grekas)
- bug #64215 [Runtime] Fix TypeError when resolving untyped arguments (@nicolas-grekas)
- security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
- security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
- security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
- security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling
validateOnParse(@alexandre-daubois) - security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
- security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
- security #cve-2026-45065 [Routing] Fix regex alternation anchoring in
UrlGeneratorrequirement validation (@alexandre-daubois) - security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
- security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
- security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)
- security #cve-2026-45755 [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature (@alexandre-daubois)
- security #cve-2026-45756 [JsonPath] Cap regex backtracking in
match()/search()to prevent ReDoS (@alexandre-daubois) - security #cve-2026-45074 [Security] Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
- security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing methods filter in
IsGranted,IsCsrfTokenValidandIsSignatureValidattributes (@nicolas-grekas) - bug #64213 [Security] Fix impersonation being deauthenticated on every request (@nicolas-grekas)
- data #64202 Release v8.0.11
- data #64201 Release v7.4.11
- data #64200 Release v6.4.39
Contributors
nicolas-grekas, GromNaN, and 2 other contributors