Skip to content

HttpFoundation 4.0.12 breaks the web debug toolbar #27726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
nicwortel opened this issue Jun 26, 2018 · 8 comments
Closed

HttpFoundation 4.0.12 breaks the web debug toolbar #27726

nicwortel opened this issue Jun 26, 2018 · 8 comments
Labels
Bug HttpFoundation HttpKernel Status: Needs Review

Comments

@nicwortel
Copy link

nicwortel commented Jun 26, 2018
edited
Loading

Symfony version(s) affected: >=4.0.12, >=4.1.1

Description
afbeelding

After upgrading HttpFoundation to version 4.0.12 (due to a security issue reported by SensioLabs Security Checker), our web debug toolbar stopped working. Debugging this issue shows that there seems to be a mismatch between version 4.0.4 of HttpKernel and version 4.0.12 of HttpFoundation, because the method hasBeenStarted has been removed from Symfony\Component\HttpFoundation\Session\Session.

This sounds to me like a BC break. I'm not sure if we are supposed to upgrade all symfony packages at the same time, but I think the composer.json of symfony/http-foundation should at least contain a conflicts entry. I realize that the hasBeenStarted method was tagged as @internal but apparently it was being used in other Symfony components.

Apparently this affects the web debug toolbar, but not our actual application.

The same issue seems to occur with version 4.1.1.

How to reproduce
Have symfony/http-foundation on version 4.0.12 and symfony/http-kernel on a lower version. Open the web interface with the debug toolbar enabled.

Possible Solution

  • Restore the hasBeenStarted method
  • Add a conflicts entry to the composer.json of HttpFoundation, to point out the conflict with older versions of HttpKernel

Additional context
This screenshot shows the request made by the web debug toolbar:
afbeelding

Installed Symfony components with their versions (from composer show symfony/*):
afbeelding
@xabbuh
Copy link
Member

xabbuh commented Jun 26, 2018

The problem should disappear when updating symfony/http-kernel. I don't think there is anything we can do to prevent this issue.

@javiereguiluz
Copy link
Member

@xabbuh but according to the issue report:

it seems to be a mismatch between version 4.0.4 of HttpKernel and version 4.0.12 of HttpFoundation, because the method hasBeenStarted has been removed from Symfony\Component\HttpFoundation\Session\Session.

Is this correct? Was that method really removed in a patch version?

@nicolas-grekas
Copy link
Member

Yes, that was an internal one.

@javiereguiluz
Copy link
Member

@nicwortel I've checked this and as @xabbuh and @nicolas-grekas said, this is sadly expected. As you can see in this line v4.0.11...v4.0.12#diff-6ea44a1c02e94a4394cbc7076fe26bbeL147 the removed method is marked as @internal, so there's no promise to keep it:

internal-method

I'm afraid the only solution possible is to upgrade these two dependencies to the same version. We're closing this issue report for that reason. Thanks!

@nicwortel
Copy link
Author

@javiereguiluz if it is internal, then why is it used by another component? What is Symfony's policy on this?

@javiereguiluz
Copy link
Member

I don't know the fine print of this, but a quick review of our BC policy promise shows that none of it applies to anything marked as @internal. I'm sorry.

@nicolas-grekas
Copy link
Member

we may miss a "conflict" rule somewhere, but I would advise upgrading all components to 4.1.1 instead.

@stof
Copy link
Member

stof commented Jun 26, 2018

@javiereguiluz but the mistake was on our side. The internal HttpFoundation method was used by HttpKernel, not by the user.
so for this case, it is indeed too late as the release is already done. But it means we have to be more careful ourselves with our own cross-component usages of internal APIs.

@linaori linaori mentioned this issue Jun 27, 2018
Closed
@nicolas-grekas nicolas-grekas mentioned this issue Jun 29, 2018
Closed
@ossinkine ossinkine mentioned this issue Jul 18, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug HttpFoundation HttpKernel Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@javiereguiluz @nicolas-grekas @stof @nicwortel @xabbuh @carsonbot