UPGRADE-v7.2.2.md

This guide contains instructions to upgrade from version v7.2.1 to v7.2.2.

Before you start, don't forget to take a look at general instructions about upgrading. There you can find links to upgrade notes for other versions too.

Application

  • escape the values of replacements passed as the sixth argument of the MessageData constructor to prevent HTML injection (#1120)
    • every value passed to the $variablesReplacementsForBody argument of MessageData::__construct() must be either trusted (such as URLs generated by the Router, or HTML content that is meant to be rendered as markup) or escaped via htmlspecialchars($value, ENT_QUOTES)
    • check the calls of new MessageData(...) in your project's repository, and any of these methods you may have overridden:
      • \Shopsys\FrameworkBundle\Model\Customer\Mail\RegistrationMail::getVariablesReplacements()
      • \Shopsys\FrameworkBundle\Model\Customer\Mail\ResetPasswordMail::getBodyValuesIndexedByVariableName()
      • \Shopsys\FrameworkBundle\Model\Order\Mail\OrderMail::getVariablesReplacementsForBody()
      • \Shopsys\FrameworkBundle\Model\PersonalData\Mail\PersonalDataAccessMail::getBodyValuesIndexedByVariableName()
      • \Shopsys\FrameworkBundle\Model\PersonalData\Mail\PersonalDataExportMail::getBodyValuesIndexedByVariableName()
    • if you haven't extended any of these methods and don't call new MessageData(...) in your own code, the upgrade alone protects you
    • if you have customized e-mailing on your project (e.g. by rendering the mail content through Twig templates, which may already escape output), check your code to avoid double escaping (e.g. run htmlspecialchars_decode($value, ENT_QUOTES) on the already escaped values before passing the replacements to your implementation)
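The following is an added example, not part of this upgrade note or the Shopsys code base. It shows the difference between inserting raw and escaped replacement values into an HTML mail body, and how to undo the escaping when the body is rendered by a template engine that escapes on its own. The `escapeReplacements()` and `renderBody()` helpers, the `{first_name}` / `{activation_url}` placeholders and the sample values are constructed for this example; the real MessageData constructor and its body rendering are not reproduced here.

```php
<?php
declare(strict_types=1);

// Added example (not Shopsys code). The helpers, placeholders and sample values
// below are hypothetical; only the escaping calls mirror the upgrade note.

/**
 * Escapes every untrusted replacement value with htmlspecialchars($value, ENT_QUOTES).
 * Keys listed in $trustedKeys (e.g. Router-generated URLs or intentional HTML
 * snippets) are passed through unchanged, as the upgrade note allows.
 */
function escapeReplacements(array $replacements, array $trustedKeys = []): array
{
    $escaped = [];
    foreach ($replacements as $variable => $value) {
        $escaped[$variable] = in_array($variable, $trustedKeys, true)
            ? (string)$value
            : htmlspecialchars((string)$value, ENT_QUOTES);
    }

    return $escaped;
}

/**
 * Minimal stand-in for the mail body substitution: placeholders are replaced
 * verbatim, so whatever is in the values ends up in the HTML as-is.
 */
function renderBody(string $template, array $replacements): string
{
    return str_replace(array_keys($replacements), array_values($replacements), $template);
}

// Constructed input: a customer-supplied first name carrying an HTML payload,
// plus an activation URL that would come from the Router and is trusted.
$template = '<p>Hello {first_name}, activate your account: <a href="{activation_url}">link</a></p>';
$replacements = [
    '{first_name}' => '<img src=x onerror="alert(1)">',
    '{activation_url}' => 'https://shop.example/activate?token=abc',
];

// Before the fix: the value is inserted verbatim and becomes live markup.
echo renderBody($template, $replacements), PHP_EOL;
// <p>Hello <img src=x onerror="alert(1)">, activate your account: ...

// After the fix: the untrusted value is escaped, the trusted URL stays intact.
$safe = escapeReplacements($replacements, ['{activation_url}']);
echo renderBody($template, $safe), PHP_EOL;
// <p>Hello &lt;img src=x onerror=&quot;alert(1)&quot;&gt;, activate your account: ...

// If your project renders the body through a template engine that escapes on its
// own (e.g. Twig with autoescape), hand it the decoded values again; otherwise
// "&lt;" is escaped a second time into "&amp;lt;" and shows up literally in the mail.
$forTemplateEngine = array_map(
    static fn (string $value): string => htmlspecialchars_decode($value, ENT_QUOTES),
    $safe
);
assert($forTemplateEngine['{first_name}'] === $replacements['{first_name}']);
assert($forTemplateEngine['{activation_url}'] === $replacements['{activation_url}']);
```

The decode step only makes sense when the receiving layer is guaranteed to escape; if it inserts values verbatim, as `renderBody()` does, keep the escaped array.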

Configuration

  • do not update symfony/monolog-bundle to version 3.4.0 or higher (#1148), or fix the bundle configuration as follows (see #1154):
    • in app/config/packages/dev/monolog.yml:

      ```diff
       monolog:
           handlers:
               main:
                   # change "fingers_crossed" handler to "group" that works as a passthrough to "nested"
                   type: group
                   members: [ nested ]
      +            excluded_404s: false
      ```

    • in app/config/packages/test/monolog.yml:

      ```diff
       monolog:
           handlers:
               main:
                   type: "null"
      +            excluded_404s: false
      ```