4.3.16 (2019-06-14)

Overview of merged pull requests

BUGFIX: Avoid error in Debugger::findProxyAndShortFilePath()

If $file points to eval’d code, the @file(…) call does not return an array, so count() was being called on an incompatible value.

  • Packages: Flow

BUGFIX: Flow CLI command warns of mismatching php version

If Flow builds a PHP command for a subrequest, it uses the system default PHP binary if nothing else is configured. With this change, Flow does not execute that subrequest unless it is explicitly configured to use the same PHP version internally too. This should avoid some errors, especially in shared hosting scenarios for less experienced users.

  • Packages: Flow

TASK: Translator uses locale chain

This change makes getTranslationById and getTranslationByOriginalLabel use the configured locale chain.

This is an updated version of #327 and #328. Please see the discussions there. May be retargeted on master.

  • Packages: Flow

BUGFIX: Remove Doctrine from require-dev

It’s already a require, so the duplication just causes problems, when the versions don’t match any more (as they do in current master).

BUGFIX: Use source as target if target-language is empty in XLIFF

The target element in XLIFF is optional, and even though we recommend in the documentation to set it, most people omit the target for “source” XLIFF files (i.e. having English content and target-language being unset).

For these cases the XliffParser now reads the source element content into the target element. This makes the fallback rules work for individual translations and not only full XLIFF files.

In other words: when a new string is added to a source catalog, it will be used as is even when no translation is available – instead of simply the id being output.

  • Packages: Flow

[SECURITY] Avoid OpenSSL padding oracle attacks

This avoids the OpenSSL Padding Oracle Information Disclosure by allowing the padding algorithm used in the RSA wallet service to be specified.

Most probably you are not even affected, since only OpenSSL 1.0.1t and 1.0.2h are vulnerable, but better safe than sorry.

The padding algorithm default is changed to OPENSSL_PKCS1_OAEP_PADDING, but a fallback decryption is in place for all data that was encrypted with the previously unsafe padding algorithm. Therefore you should migrate all your existing encrypted data ONCE, by running it through decryptWithPrivateKey and then through encryptWithPublicKey.

Fixes #1566
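The decrypt-then-re-encrypt migration described above, as an added example in plain PHP that is not Flow's own wallet service code: the key pair, the sample record and the helper names decryptWithFallback and migrateCiphertext are constructed for this illustration.

```php
<?php
// Added example (not Flow's code): migrate a record encrypted under the old
// default padding (OPENSSL_PKCS1_PADDING) to OPENSSL_PKCS1_OAEP_PADDING.
// In a real migration the private key comes from the wallet's keystore and
// the ciphertext from your persisted data; here both are constructed.

function decryptWithFallback(string $ciphertext, $privateKey): ?string
{
    // Preferred path: OAEP padding, the new default.
    if (openssl_private_decrypt($ciphertext, $plain, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        return $plain;
    }
    // Fallback for data encrypted before the change with PKCS#1 v1.5 padding.
    // This branch exists only until all records are migrated.
    if (openssl_private_decrypt($ciphertext, $plain, $privateKey, OPENSSL_PKCS1_PADDING)) {
        return $plain;
    }
    return null; // neither padding yielded a valid plaintext
}

function migrateCiphertext(string $oldCiphertext, $privateKey, string $publicKeyPem): ?string
{
    $plain = decryptWithFallback($oldCiphertext, $privateKey);
    if ($plain === null) {
        return null;
    }
    // Re-encrypt exactly once with OAEP; afterwards the fallback is not needed for this record.
    if (!openssl_public_encrypt($plain, $newCiphertext, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;
    }
    return $newCiphertext;
}

// --- constructed demo ---
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKeyPem = openssl_pkey_get_details($key)['key'];

// Simulate a record that was persisted with the old default padding.
openssl_public_encrypt('secret-value', $legacyCiphertext, $publicKeyPem, OPENSSL_PKCS1_PADDING);

$migrated = migrateCiphertext($legacyCiphertext, $key, $publicKeyPem);
assert($migrated !== null);

// The migrated record now decrypts directly via OAEP, without the fallback.
openssl_private_decrypt($migrated, $check, $key, OPENSSL_PKCS1_OAEP_PADDING);
assert($check === 'secret-value');

// And it no longer decrypts under the old padding, which confirms the conversion.
$stillOld = openssl_private_decrypt($migrated, $unused, $key, OPENSSL_PKCS1_PADDING);
echo $stillOld ? "unexpected: record still uses PKCS#1 v1.5\n" : "record migrated to OAEP\n";
```

Once every record decrypts on the OAEP path, the PKCS#1 v1.5 fallback branch should be removed so the old padding is never exercised again.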

TASK: Better naming for include and exclude paths/patterns

Get rid of the wording “blacklist”/“whitelist” because there are better terms. Should have been named like this from the start. I’m to blame.

  • Packages: Flow