Merge branch '4.0'

* 4.0:
  [appveyor] set memory_limit=-1
  [Console] Keep the modified exception handler
  [Console] Fix restoring exception handler
  [Router] Skip anonymous classes when loading annotated routes
  allow dashes in cwd pathname when running the tests
  Fixed Request::__toString ignoring cookies
  Make sure we only build once and have one time the prefix when importing routes
  [Security] Fix fatal error on non string username
  [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded

Author: nicolas-grekas

DependencyInjection/Configuration.php

@@ -21,6 +21,7 @@
 use Symfony\Component\Form\Form;
 use Symfony\Component\Lock\Lock;
 use Symfony\Component\Lock\Store\SemaphoreStore;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Translation\Translator;
 use Symfony\Component\Validator\Validation;
@@ -109,7 +110,14 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode)
         $rootNode
             ->children()
                 ->arrayNode('csrf_protection')
-                    ->canBeEnabled()
+                    ->treatFalseLike(array('enabled' => false))
+                    ->treatTrueLike(array('enabled' => true))
+                    ->treatNullLike(array('enabled' => true))
+                    ->addDefaultsIfNotSet()
+                    ->children()
+                        // defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+                        ->booleanNode('enabled')->defaultNull()->end()
+                    ->end()
                 ->end()
             ->end()
         ;

DependencyInjection/FrameworkExtension.php

@@ -17,6 +17,7 @@
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Bundle\FrameworkBundle\Routing\AnnotatedRouteControllerLoader;
+use Symfony\Bundle\FullStack;
 use Symfony\Component\Cache\Adapter\AbstractAdapter;
 use Symfony\Component\Cache\Adapter\AdapterInterface;
 use Symfony\Component\Cache\Adapter\ArrayAdapter;
@@ -65,6 +66,7 @@
 use Symfony\Component\Routing\Loader\AnnotationDirectoryLoader;
 use Symfony\Component\Routing\Loader\AnnotationFileLoader;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Mapping\ClassDiscriminatorFromClassMetadata;
@@ -193,6 +195,11 @@ public function load(array $configs, ContainerBuilder $container)
             $this->registerRequestConfiguration($config['request'], $container, $loader);
         }
 
+        if (null === $config['csrf_protection']['enabled']) {
+            $config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class);
+        }
+        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+
         if ($this->isConfigEnabled($container, $config['form'])) {
             if (!class_exists('Symfony\Component\Form\Form')) {
                 throw new LogicException('Form support cannot be enabled as the Form component is not installed.');
@@ -213,8 +220,6 @@ public function load(array $configs, ContainerBuilder $container)
             $container->removeDefinition('console.command.form_debug');
         }
 
-        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
-
         if ($this->isConfigEnabled($container, $config['assets'])) {
             if (!class_exists('Symfony\Component\Asset\Package')) {
                 throw new LogicException('Asset support cannot be enabled as the Asset component is not installed.');