Merge branch '2.6' into 2.7

* 2.6: (30 commits)
  [Translation] fixed JSON loader on PHP 7 when file is empty
  Fix typo
  Check instance of FormBuilderInterface instead of FormBuilder
  [Security] TokenBasedRememberMeServices test to show why encoding username is required
  [Security] AbstractRememberMeServices::encodeCookie() validates cookie parts
  fixed typo
  [console][formater] allow format toString object.
  [HttpFoundation] Fix baseUrl when script filename is contained in pathInfo
  Avoid redirection to XHR URIs
  [HttpFoundation] IpUtils::checkIp4() should allow  networks
  [2.6] Fix HTML escaping of to-source links
  Fix HTML escaping of to-source links
  ExceptionHandler: More Encoding
  Fix the rendering of deprecation log messages
  [FrameworkBundle] Removed unnecessary parameter in TemplateController
  [DomCrawler] Throw an exception if a form field path is incomplete.
  Fixed the indentation in the compiled template for the DumpNode
  [Console] Delete duplicate test in CommandTest
  [TwigBundle] Refresh twig paths when resources change.
  WebProfiler break words
  ...

Conflicts:
	src/Symfony/Bridge/Twig/composer.json
	src/Symfony/Bundle/WebProfilerBundle/Resources/views/Collector/logger.html.twig
	src/Symfony/Component/Debug/ExceptionHandler.php

Author: fabpot

Http/Firewall/ExceptionListener.php

@@ -205,7 +205,7 @@ private function startAuthentication(Request $request, AuthenticationException $
     protected function setTargetPath(Request $request)
     {
         // session isn't required when using HTTP basic authentication mechanism for example
-        if ($request->hasSession() && $request->isMethodSafe()) {
+        if ($request->hasSession() && $request->isMethodSafe() && !$request->isXmlHttpRequest()) {
             $request->getSession()->set('_security.'.$this->providerKey.'.target_path', $request->getUri());
         }
     }

Http/RememberMe/AbstractRememberMeServices.php

@@ -268,9 +268,17 @@ protected function decodeCookie($rawCookie)
      * @param array $cookieParts
      *
      * @return string
+     *
+     * @throws \InvalidArgumentException When $cookieParts contain the cookie delimiter. Extending class should either remove or escape it.
      */
     protected function encodeCookie(array $cookieParts)
     {
+        foreach ($cookieParts as $cookiePart) {
+            if (false !== strpos($cookiePart, self::COOKIE_DELIMITER)) {
+                throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s"', self::COOKIE_DELIMITER));
+            }
+        }
+
         return base64_encode(implode(self::COOKIE_DELIMITER, $cookieParts));
     }
 

Http/RememberMe/TokenBasedRememberMeServices.php

@@ -95,12 +95,12 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
      * @param int    $expires  The Unix timestamp when the cookie expires
      * @param string $password The encoded password
      *
-     * @throws \RuntimeException if username contains invalid chars
-     *
      * @return string
      */
     protected function generateCookieValue($class, $username, $expires, $password)
     {
+        // $username is encoded because it might contain COOKIE_DELIMITER,
+        // we assume other values don't
         return $this->encodeCookie(array(
             $class,
             base64_encode($username),
@@ -117,8 +117,6 @@ protected function generateCookieValue($class, $username, $expires, $password)
      * @param int    $expires  The Unix timestamp when the cookie expires
      * @param string $password The encoded password
      *
-     * @throws \RuntimeException when the private key is empty
-     *
      * @return string
      */
     protected function generateCookieHash($class, $username, $expires, $password)

Http/Tests/RememberMe/AbstractRememberMeServicesTest.php

@@ -14,6 +14,7 @@
 use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices;
 
 class AbstractRememberMeServicesTest extends \PHPUnit_Framework_TestCase
 {
@@ -236,6 +237,30 @@ public function getPositiveRememberMeParameterValues()
         );
     }
 
+    public function testEncodeCookieAndDecodeCookieAreInvertible()
+    {
+        $cookieParts = array('aa', 'bb', 'cc');
+        $service = $this->getService();
+
+        $encoded = $this->callProtected($service, 'encodeCookie', array($cookieParts));
+        $this->assertInternalType('string', $encoded);
+
+        $decoded = $this->callProtected($service, 'decodeCookie', array($encoded));
+        $this->assertSame($cookieParts, $decoded);
+    }
+
+    /**
+     * @expectedException InvalidArgumentException
+     * @expectedExceptionMessage cookie delimiter
+     */
+    public function testThereShouldBeNoCookieDelimiterInCookieParts()
+    {
+        $cookieParts = array('aa', 'b'.AbstractRememberMeServices::COOKIE_DELIMITER.'b', 'cc');
+        $service = $this->getService();
+
+        $this->callProtected($service, 'encodeCookie', array($cookieParts));
+    }
+
     protected function getService($userProvider = null, $options = array(), $logger = null)
     {
         if (null === $userProvider) {
@@ -258,4 +283,13 @@ protected function getProvider()
 
         return $provider;
     }
+
+    private function callProtected($object, $method, array $args)
+    {
+        $reflection = new \ReflectionClass(get_class($object));
+        $reflectionMethod = $reflection->getMethod($method);
+        $reflectionMethod->setAccessible(true);
+
+        return $reflectionMethod->invokeArgs($object, $args);
+    }
 }

Http/Tests/RememberMe/TokenBasedRememberMeServicesTest.php

@@ -105,7 +105,12 @@ public function testAutoLoginDoesNotAcceptAnExpiredCookie()
         $this->assertTrue($request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME)->isCleared());
     }
 
-    public function testAutoLogin()
+    /**
+     * @dataProvider provideUsernamesForAutoLogin
+     *
+     * @param string $username
+     */
+    public function testAutoLogin($username)
     {
         $user = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
         $user
@@ -123,13 +128,13 @@ public function testAutoLogin()
         $userProvider
             ->expects($this->once())
             ->method('loadUserByUsername')
-            ->with($this->equalTo('foouser'))
+            ->with($this->equalTo($username))
             ->will($this->returnValue($user))
         ;
 
         $service = $this->getService($userProvider, array('name' => 'foo', 'always_remember_me' => true, 'lifetime' => 3600));
         $request = new Request();
-        $request->cookies->set('foo', $this->getCookie('fooclass', 'foouser', time() + 3600, 'foopass'));
+        $request->cookies->set('foo', $this->getCookie('fooclass', $username, time() + 3600, 'foopass'));
 
         $returnedToken = $service->autoLogin($request);
 
@@ -138,6 +143,14 @@ public function testAutoLogin()
         $this->assertEquals('fookey', $returnedToken->getKey());
     }
 
+    public function provideUsernamesForAutoLogin()
+    {
+        return array(
+            array('foouser', 'Simple username'),
+            array('foo'.TokenBasedRememberMeServices::COOKIE_DELIMITER.'user', 'Username might contain the delimiter'),
+        );
+    }
+
     public function testLogout()
     {
         $service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));

Resources/translations/security.fr.xlf

@@ -8,23 +8,23 @@
             </trans-unit>
             <trans-unit id="2">
                 <source>Authentication credentials could not be found.</source>
-                <target>Les droits d'authentification n'ont pas pu être trouvés.</target>
+                <target>Les identifiants d'authentification n'ont pas pu être trouvés.</target>
             </trans-unit>
             <trans-unit id="3">
                 <source>Authentication request could not be processed due to a system problem.</source>
                 <target>La requête d'authentification n'a pas pu être executée à cause d'un problème système.</target>
             </trans-unit>
             <trans-unit id="4">
                 <source>Invalid credentials.</source>
-                <target>Droits invalides.</target>
+                <target>Identifiants invalides.</target>
             </trans-unit>
             <trans-unit id="5">
                 <source>Cookie has already been used by someone else.</source>
                 <target>Le cookie a déjà été utilisé par quelqu'un d'autre.</target>
             </trans-unit>
             <trans-unit id="6">
                 <source>Not privileged to request the resource.</source>
-                <target>Pas de privilèges pour accéder à la ressource.</target>
+                <target>Privilèges insuffisants pour accéder à la ressource.</target>
             </trans-unit>
             <trans-unit id="7">
                 <source>Invalid CSRF token.</source>
@@ -40,23 +40,23 @@
             </trans-unit>
             <trans-unit id="10">
                 <source>No session available, it either timed out or cookies are not enabled.</source>
-                <target>Pas de session disponible, celle-ci a expiré ou les cookies ne sont pas activés.</target>
+                <target>Aucune session disponible, celle-ci a expiré ou les cookies ne sont pas activés.</target>
             </trans-unit>
             <trans-unit id="11">
                 <source>No token could be found.</source>
                 <target>Aucun jeton n'a pu être trouvé.</target>
             </trans-unit>
             <trans-unit id="12">
                 <source>Username could not be found.</source>
-                <target>Le nom d'utilisateur ne peut pas être trouvé.</target>
+                <target>Le nom d'utilisateur n'a pas pu être trouvé.</target>
             </trans-unit>
             <trans-unit id="13">
                 <source>Account has expired.</source>
                 <target>Le compte a expiré.</target>
             </trans-unit>
             <trans-unit id="14">
                 <source>Credentials have expired.</source>
-                <target>Les droits ont expirés.</target>
+                <target>Les identifiants ont expiré.</target>
             </trans-unit>
             <trans-unit id="15">
                 <source>Account is disabled.</source>