Merge branch '6.4' into 7.0

* 6.4: (43 commits)
  [AssetMapper] Fix entrypoint scripts are not preloaded
  Fix typo in method resolvePackages
  Make FormPerformanceTestCase compatible with PHPUnit 10
  Avoid calling getInvocationCount()
  [AssetMapper] Always downloading vendor files
  [Security] Fix resetting traceable listeners
  [HttpClient] Fix type error with http_version 1.1
  [DependencyInjection] Add tests for `AutowireLocator`/`AutowireIterator`
  [DependencyInjection] Add `#[AutowireIterator]` attribute and improve `#[AutowireLocator]`
  Update documentation link
  Fix typo that causes unit test to fail
  Fix CS
  [AssetMapper] Add audit command
  [Mailer] Use idn encoded address otherwise Brevo throws an error
  [Messenger] Resend failed retries back to failure transport
  [FrameworkBundle] Fix call to invalid method in NotificationAssertionsTrait
  [Validator] Add missing italian translations
  [Notifier] Fix failing testcase
  Fix order array sum normalizedData and nestedData
  Add test for 0 and '0' in PeriodicalTrigger Fix '0' case error and remove duplicate code
  ...

Author: derrabus

CHANGELOG.md

@@ -17,6 +17,7 @@ CHANGELOG
 
  * Make `HeaderBag::getDate()`, `Response::getDate()`, `getExpires()` and `getLastModified()` return a `DateTimeImmutable`
  * Support root-level `Generator` in `StreamedJsonResponse`
+ * Add `UriSigner` from the HttpKernel component
 
 6.3
 ---

Request.php

@@ -122,31 +122,31 @@ class Request
     protected $content;
 
     /**
-     * @var string[]
+     * @var string[]|null
      */
-    protected array $languages;
+    protected ?array $languages = null;
 
     /**
-     * @var string[]
+     * @var string[]|null
      */
-    protected array $charsets;
+    protected ?array $charsets = null;
 
     /**
-     * @var string[]
+     * @var string[]|null
      */
-    protected array $encodings;
+    protected ?array $encodings = null;
 
     /**
-     * @var string[]
+     * @var string[]|null
      */
-    protected array $acceptableContentTypes;
+    protected ?array $acceptableContentTypes = null;
 
-    protected string $pathInfo;
-    protected string $requestUri;
-    protected string $baseUrl;
-    protected string $basePath;
-    protected string $method;
-    protected ?string $format;
+    protected ?string $pathInfo = null;
+    protected ?string $requestUri = null;
+    protected ?string $baseUrl = null;
+    protected ?string $basePath = null;
+    protected ?string $method = null;
+    protected ?string $format = null;
     protected SessionInterface|\Closure|null $session = null;
     protected ?string $locale = null;
     protected string $defaultLocale = 'en';
@@ -231,16 +231,16 @@ public function initialize(array $query = [], array $request = [], array $attrib
         $this->headers = new HeaderBag($this->server->getHeaders());
 
         $this->content = $content;
-        unset($this->languages);
-        unset($this->charsets);
-        unset($this->encodings);
-        unset($this->acceptableContentTypes);
-        unset($this->pathInfo);
-        unset($this->requestUri);
-        unset($this->baseUrl);
-        unset($this->basePath);
-        unset($this->method);
-        unset($this->format);
+        $this->languages = null;
+        $this->charsets = null;
+        $this->encodings = null;
+        $this->acceptableContentTypes = null;
+        $this->pathInfo = null;
+        $this->requestUri = null;
+        $this->baseUrl = null;
+        $this->basePath = null;
+        $this->method = null;
+        $this->format = null;
     }
 
     /**
@@ -414,16 +414,16 @@ public function duplicate(array $query = null, array $request = null, array $att
             $dup->server = new ServerBag($server);
             $dup->headers = new HeaderBag($dup->server->getHeaders());
         }
-        unset($dup->languages);
-        unset($dup->charsets);
-        unset($dup->encodings);
-        unset($dup->acceptableContentTypes);
-        unset($dup->pathInfo);
-        unset($dup->requestUri);
-        unset($dup->baseUrl);
-        unset($dup->basePath);
-        unset($dup->method);
-        unset($dup->format);
+        $dup->languages = null;
+        $dup->charsets = null;
+        $dup->encodings = null;
+        $dup->acceptableContentTypes = null;
+        $dup->pathInfo = null;
+        $dup->requestUri = null;
+        $dup->baseUrl = null;
+        $dup->basePath = null;
+        $dup->method = null;
+        $dup->format = null;
 
         if (!$dup->get('_format') && $this->get('_format')) {
             $dup->attributes->set('_format', $this->get('_format'));
@@ -1115,7 +1115,7 @@ public function getHost(): string
      */
     public function setMethod(string $method): void
     {
-        unset($this->method);
+        $this->method = null;
         $this->server->set('REQUEST_METHOD', $method);
     }
 
@@ -1134,7 +1134,7 @@ public function setMethod(string $method): void
      */
     public function getMethod(): string
     {
-        if (isset($this->method)) {
+        if (null !== $this->method) {
             return $this->method;
         }
 
@@ -1182,7 +1182,7 @@ public function getRealMethod(): string
      */
     public function getMimeType(string $format): ?string
     {
-        if (!isset(static::$formats)) {
+        if (null === static::$formats) {
             static::initializeFormats();
         }
 
@@ -1196,7 +1196,7 @@ public function getMimeType(string $format): ?string
      */
     public static function getMimeTypes(string $format): array
     {
-        if (!isset(static::$formats)) {
+        if (null === static::$formats) {
             static::initializeFormats();
         }
 
@@ -1213,7 +1213,7 @@ public function getFormat(?string $mimeType): ?string
             $canonicalMimeType = trim(substr($mimeType, 0, $pos));
         }
 
-        if (!isset(static::$formats)) {
+        if (null === static::$formats) {
             static::initializeFormats();
         }
 
@@ -1236,7 +1236,7 @@ public function getFormat(?string $mimeType): ?string
      */
     public function setFormat(?string $format, string|array $mimeTypes): void
     {
-        if (!isset(static::$formats)) {
+        if (null === static::$formats) {
             static::initializeFormats();
         }
 
@@ -1499,13 +1499,13 @@ public function isNoCache(): bool
      */
     public function getPreferredFormat(?string $default = 'html'): ?string
     {
-        if (isset($this->preferredFormat) || null !== $preferredFormat = $this->getRequestFormat(null)) {
-            return $this->preferredFormat ??= $preferredFormat;
+        if ($this->preferredFormat ??= $this->getRequestFormat(null)) {
+            return $this->preferredFormat;
         }
 
         foreach ($this->getAcceptableContentTypes() as $mimeType) {
-            if ($preferredFormat = $this->getFormat($mimeType)) {
-                return $this->preferredFormat = $preferredFormat;
+            if ($this->preferredFormat = $this->getFormat($mimeType)) {
+                return $this->preferredFormat;
             }
         }
 
@@ -1552,7 +1552,7 @@ public function getPreferredLanguage(array $locales = null): ?string
      */
     public function getLanguages(): array
     {
-        if (isset($this->languages)) {
+        if (null !== $this->languages) {
             return $this->languages;
         }
 

Tests/UriSignerTest.php

@@ -0,0 +1,86 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation\Tests;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\UriSigner;
+
+class UriSignerTest extends TestCase
+{
+    public function testSign()
+    {
+        $signer = new UriSigner('foobar');
+
+        $this->assertStringContainsString('?_hash=', $signer->sign('http://example.com/foo'));
+        $this->assertStringContainsString('?_hash=', $signer->sign('http://example.com/foo?foo=bar'));
+        $this->assertStringContainsString('&foo=', $signer->sign('http://example.com/foo?foo=bar'));
+    }
+
+    public function testCheck()
+    {
+        $signer = new UriSigner('foobar');
+
+        $this->assertFalse($signer->check('http://example.com/foo?_hash=foo'));
+        $this->assertFalse($signer->check('http://example.com/foo?foo=bar&_hash=foo'));
+        $this->assertFalse($signer->check('http://example.com/foo?foo=bar&_hash=foo&bar=foo'));
+
+        $this->assertTrue($signer->check($signer->sign('http://example.com/foo')));
+        $this->assertTrue($signer->check($signer->sign('http://example.com/foo?foo=bar')));
+        $this->assertTrue($signer->check($signer->sign('http://example.com/foo?foo=bar&0=integer')));
+
+        $this->assertSame($signer->sign('http://example.com/foo?foo=bar&bar=foo'), $signer->sign('http://example.com/foo?bar=foo&foo=bar'));
+    }
+
+    public function testCheckWithDifferentArgSeparator()
+    {
+        $this->iniSet('arg_separator.output', '&amp;');
+        $signer = new UriSigner('foobar');
+
+        $this->assertSame(
+            'http://example.com/foo?_hash=rIOcC%2FF3DoEGo%2FvnESjSp7uU9zA9S%2F%2BOLhxgMexoPUM%3D&baz=bay&foo=bar',
+            $signer->sign('http://example.com/foo?foo=bar&baz=bay')
+        );
+        $this->assertTrue($signer->check($signer->sign('http://example.com/foo?foo=bar&baz=bay')));
+    }
+
+    public function testCheckWithRequest()
+    {
+        $signer = new UriSigner('foobar');
+
+        $this->assertTrue($signer->checkRequest(Request::create($signer->sign('http://example.com/foo'))));
+        $this->assertTrue($signer->checkRequest(Request::create($signer->sign('http://example.com/foo?foo=bar'))));
+        $this->assertTrue($signer->checkRequest(Request::create($signer->sign('http://example.com/foo?foo=bar&0=integer'))));
+    }
+
+    public function testCheckWithDifferentParameter()
+    {
+        $signer = new UriSigner('foobar', 'qux');
+
+        $this->assertSame(
+            'http://example.com/foo?baz=bay&foo=bar&qux=rIOcC%2FF3DoEGo%2FvnESjSp7uU9zA9S%2F%2BOLhxgMexoPUM%3D',
+            $signer->sign('http://example.com/foo?foo=bar&baz=bay')
+        );
+        $this->assertTrue($signer->check($signer->sign('http://example.com/foo?foo=bar&baz=bay')));
+    }
+
+    public function testSignerWorksWithFragments()
+    {
+        $signer = new UriSigner('foobar');
+
+        $this->assertSame(
+            'http://example.com/foo?_hash=EhpAUyEobiM3QTrKxoLOtQq5IsWyWedoXDPqIjzNj5o%3D&bar=foo&foo=bar#foobar',
+            $signer->sign('http://example.com/foo?bar=foo&foo=bar#foobar')
+        );
+        $this->assertTrue($signer->check($signer->sign('http://example.com/foo?bar=foo&foo=bar#foobar')));
+    }
+}

UriSigner.php

@@ -0,0 +1,111 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation;
+
+/**
+ * Signs URIs.
+ *
+ * @author Fabien Potencier <fabien@symfony.com>
+ */
+class UriSigner
+{
+    private string $secret;
+    private string $parameter;
+
+    /**
+     * @param string $secret    A secret
+     * @param string $parameter Query string parameter to use
+     */
+    public function __construct(#[\SensitiveParameter] string $secret, string $parameter = '_hash')
+    {
+        $this->secret = $secret;
+        $this->parameter = $parameter;
+    }
+
+    /**
+     * Signs a URI.
+     *
+     * The given URI is signed by adding the query string parameter
+     * which value depends on the URI and the secret.
+     */
+    public function sign(string $uri): string
+    {
+        $url = parse_url($uri);
+        $params = [];
+
+        if (isset($url['query'])) {
+            parse_str($url['query'], $params);
+        }
+
+        $uri = $this->buildUrl($url, $params);
+        $params[$this->parameter] = $this->computeHash($uri);
+
+        return $this->buildUrl($url, $params);
+    }
+
+    /**
+     * Checks that a URI contains the correct hash.
+     */
+    public function check(string $uri): bool
+    {
+        $url = parse_url($uri);
+        $params = [];
+
+        if (isset($url['query'])) {
+            parse_str($url['query'], $params);
+        }
+
+        if (empty($params[$this->parameter])) {
+            return false;
+        }
+
+        $hash = $params[$this->parameter];
+        unset($params[$this->parameter]);
+
+        return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
+    }
+
+    public function checkRequest(Request $request): bool
+    {
+        $qs = ($qs = $request->server->get('QUERY_STRING')) ? '?'.$qs : '';
+
+        // we cannot use $request->getUri() here as we want to work with the original URI (no query string reordering)
+        return $this->check($request->getSchemeAndHttpHost().$request->getBaseUrl().$request->getPathInfo().$qs);
+    }
+
+    private function computeHash(string $uri): string
+    {
+        return base64_encode(hash_hmac('sha256', $uri, $this->secret, true));
+    }
+
+    private function buildUrl(array $url, array $params = []): string
+    {
+        ksort($params, \SORT_STRING);
+        $url['query'] = http_build_query($params, '', '&');
+
+        $scheme = isset($url['scheme']) ? $url['scheme'].'://' : '';
+        $host = $url['host'] ?? '';
+        $port = isset($url['port']) ? ':'.$url['port'] : '';
+        $user = $url['user'] ?? '';
+        $pass = isset($url['pass']) ? ':'.$url['pass'] : '';
+        $pass = ($user || $pass) ? "$pass@" : '';
+        $path = $url['path'] ?? '';
+        $query = $url['query'] ? '?'.$url['query'] : '';
+        $fragment = isset($url['fragment']) ? '#'.$url['fragment'] : '';
+
+        return $scheme.$user.$pass.$host.$port.$path.$query.$fragment;
+    }
+}
+
+if (!class_exists(\Symfony\Component\HttpKernel\UriSigner::class, false)) {
+    class_alias(UriSigner::class, \Symfony\Component\HttpKernel\UriSigner::class);
+}