Description
Symfony version(s) affected: >=4.0.12, >=4.1.1
After upgrading HttpFoundation to version 4.0.12 (due to a security issue reported by SensioLabs Security Checker), our web debug toolbar stopped working. Debugging this issue shows that there seems to be a mismatch between version 4.0.4 of HttpKernel and version 4.0.12 of HttpFoundation, because the method hasBeenStarted has been removed from Symfony\Component\HttpFoundation\Session\Session.
This sounds to me like a BC break. I'm not sure if we are supposed to upgrade all symfony packages at the same time, but I think the composer.json of symfony/http-foundation should at least contain a conflicts entry. I realize that the hasBeenStarted method was tagged as @internal but apparently it was being used in other Symfony components.
Apparently this affects the web debug toolbar, but not our actual application.
The same issue seems to occur with version 4.1.1.
How to reproduce
Have symfony/http-foundation on version 4.0.12 and symfony/http-kernel on a lower version. Open the web interface with the debug toolbar enabled.
Possible Solution
- Restore the hasBeenStarted method
- Add a conflicts entry to the composer.json of HttpFoundation, to point out the conflict with older versions of HttpKernel
Additional context
This screenshot shows the request made by the web debug toolbar:
Installed Symfony components with their versions (from composer show symfony/*):
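One way to catch this kind of split before it reaches production, as an added check that is not part of the report or of Symfony itself: parse composer.lock and flag symfony/* components that do not all share one version (the situation the reporter hit: http-foundation at 4.0.12 beside http-kernel at 4.0.4). The lock excerpt below is constructed, and the list of symfony/ packages treated as independently versioned (polyfills, Flex, contracts) is an assumption.

```python
import json
from collections import defaultdict

# Constructed composer.lock excerpt mirroring the mismatch from the report:
# http-foundation was bumped to 4.0.12 while http-kernel stayed on 4.0.4.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v4.0.12"},
        {"name": "symfony/http-kernel", "version": "v4.0.4"},
        {"name": "symfony/console", "version": "v4.0.12"},
        {"name": "symfony/polyfill-mbstring", "version": "v1.8.0"},
        {"name": "twig/twig", "version": "v2.4.8"},
    ]
})

# Assumption: packages under the symfony/ vendor that are versioned
# independently of the framework components, so they are skipped.
INDEPENDENT_PREFIXES = ("symfony/polyfill-", "symfony/flex", "symfony/contracts")


def symfony_versions(lock_json):
    """Map each installed component version to the sorted list of components using it."""
    by_version = defaultdict(list)
    for pkg in json.loads(lock_json).get("packages", []):
        name = pkg["name"]
        if not name.startswith("symfony/") or name.startswith(INDEPENDENT_PREFIXES):
            continue
        by_version[pkg["version"].lstrip("v")].append(name)
    return {version: sorted(names) for version, names in by_version.items()}


def mismatch_report(lock_json):
    """Return [] when every component shares one version, else one line per version."""
    versions = symfony_versions(lock_json)
    if len(versions) <= 1:
        return []
    return [f"{v}: {', '.join(names)}" for v, names in sorted(versions.items())]


if __name__ == "__main__":
    # Exit non-zero so a CI job fails on a mixed set of component versions.
    report = mismatch_report(SAMPLE_LOCK)
    for line in report or ["all symfony/* components share one version"]:
        print(line)
    raise SystemExit(1 if report else 0)
```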
Activity
xabbuh commented on Jun 26, 2018
The problem should disappear when updating symfony/http-kernel. I don't think there is anything we can do to prevent this issue.
javiereguiluz commented on Jun 26, 2018
@xabbuh but according to the issue report:
Is this correct? Was that method really removed in a patch version?
nicolas-grekas commented on Jun 26, 2018
Yes, that was an internal one.
javiereguiluz commented on Jun 26, 2018
@nicwortel I've checked this and as @xabbuh and @nicolas-grekas said, this is sadly expected. As you can see in this line v4.0.11...v4.0.12#diff-6ea44a1c02e94a4394cbc7076fe26bbeL147 the removed method is marked as @internal, so there's no promise to keep it:
I'm afraid the only solution possible is to upgrade these two dependencies to the same version. We're closing this issue report for that reason. Thanks!
nicwortel commented on Jun 26, 2018
@javiereguiluz if it is internal, then why is it used by another component? What is Symfony's policy on this?
javiereguiluz commented on Jun 26, 2018
I don't know the fine print of this, but a quick review of our BC policy promise shows that none of it applies to anything marked as @internal. I'm sorry.
nicolas-grekas commented on Jun 26, 2018
We may miss a "conflict" rule somewhere, but I would advise upgrading all components to 4.1.1 instead.
stof commented on Jun 26, 2018
@javiereguiluz but the mistake was on our side. The internal HttpFoundation method was used by HttpKernel, not by the user.
So for this case, it is indeed too late as the release is already done. But it means we have to be more careful ourselves with our own cross-component usages of internal APIs.