Merge branch '6.4' into 7.0

javiereguiluz · javiereguiluz · commit 650277cfe631 · 2023-12-26T16:08:45.000+01:00
* 6.4:
  Mutate some `cautions` to `dangers`
diff --git a/components/http_foundation.rst b/components/http_foundation.rst
@@ -849,7 +849,7 @@ class, which can make this even easier::
 The ``JsonResponse`` class sets the ``Content-Type`` header to
 ``application/json`` and encodes your data to JSON when needed.
 
-.. caution::
+.. danger::
 
     To avoid XSSI `JSON Hijacking`_, you should pass an associative array
     as the outermost array to ``JsonResponse`` and not an indexed array so
diff --git a/components/lock.rst b/components/lock.rst
@@ -809,7 +809,7 @@ instance, to clean up the ``/tmp`` directory or after a reboot of the machine
 when a directory uses ``tmpfs``. It's not an issue if the lock is released when
 the process ended, but it is in case of ``Lock`` reused between requests.
 
-.. caution::
+.. danger::
 
     Do not store locks on a volatile file system if they have to be reused in
     several requests.
@@ -842,7 +842,7 @@ When the Memcached service is shared and used for multiple usage, Locks could be
 removed by mistake. For instance some implementation of the PSR-6 ``clear()``
 method uses the Memcached's ``flush()`` method which purges and removes everything.
 
-.. caution::
+.. danger::
 
     The method ``flush()`` must not be called, or locks should be stored in a
     dedicated Memcached service away from Cache.
@@ -950,7 +950,7 @@ be lost without notifying the running processes.
 When the Redis service is shared and used for multiple usages, locks could be
 removed by mistake.
 
-.. caution::
+.. danger::
 
     The command ``FLUSHDB`` must not be called, or locks should be stored in a
     dedicated Redis service away from Cache.
diff --git a/components/process.rst b/components/process.rst
@@ -247,7 +247,7 @@ are done doing other stuff::
     **synchronously** inside this event. Be aware that ``kernel.terminate``
     is called only if you use PHP-FPM.
 
-.. caution::
+.. danger::
 
     Beware also that if you do that, the said PHP-FPM process will not be
     available to serve any new request until the subprocess is finished. This
diff --git a/components/yaml.rst b/components/yaml.rst
@@ -239,7 +239,7 @@ And parse them by using the ``PARSE_OBJECT`` flag::
 The YAML component uses PHP's ``serialize()`` method to generate a string
 representation of the object.
 
-.. caution::
+.. danger::
 
     Object serialization is specific to this implementation, other PHP YAML
     parsers will likely not recognize the ``php/object`` tag and non-PHP
diff --git a/configuration.rst b/configuration.rst
@@ -732,7 +732,7 @@ To do so, define a parameter with the same name as the env var using this syntax
     always exists, because its value will be ``null`` when the related env var
     is not defined.
 
-.. caution::
+.. danger::
 
     Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables
     or outputting the ``phpinfo()`` contents will display the values of the
diff --git a/configuration/secrets.rst b/configuration/secrets.rst
@@ -47,7 +47,7 @@ running:
 This will generate ``config/secrets/prod/prod.encrypt.public.php`` and
 ``config/secrets/prod/prod.decrypt.private.php``.
 
-.. caution::
+.. danger::
 
     The ``prod.decrypt.private.php`` file is highly sensitive. Your team of developers
     and even Continuous Integration services don't need that key. If the
diff --git a/controller.rst b/controller.rst
@@ -144,7 +144,7 @@ and ``redirect()`` methods::
         return $this->redirect('http://symfony.com/doc');
     }
 
-.. caution::
+.. danger::
 
     The ``redirect()`` method does not check its destination in any way. If you
     redirect to a URL provided by end-users, your application may be open
diff --git a/deployment/proxies.rst b/deployment/proxies.rst
@@ -108,7 +108,7 @@ so you can also pass your own value (e.g. ``0b00110``).
             # ...
             trusted_proxies: '%env(TRUSTED_PROXIES)%'
 
-.. caution::
+.. danger::
 
     The "trusted proxies" feature does not work as expected when using the
     `nginx realip module`_. Disable that module when serving Symfony applications.
diff --git a/http_cache/cache_invalidation.rst b/http_cache/cache_invalidation.rst
@@ -152,7 +152,7 @@ Then, register the class as a service that :doc:`decorates </service_container/s
             ;
         };
 
-.. caution::
+.. danger::
 
     You must protect the ``PURGE`` HTTP method somehow to avoid random people
     purging your cached data.
diff --git a/http_cache/ssi.rst b/http_cache/ssi.rst
@@ -27,7 +27,7 @@ The SSI instructions are done via HTML comments:
 There are some other `available directives`_ but
 Symfony manages only the ``#include virtual`` one.
 
-.. caution::
+.. danger::
 
     Be careful with SSI, your website may fall victim to injections.
     Please read this `OWASP article`_ first!
diff --git a/profiler.rst b/profiler.rst
@@ -4,7 +4,7 @@ Profiler
 The profiler is a powerful **development tool** that gives detailed information
 about the execution of any request.
 
-.. caution::
+.. danger::
 
     **Never** enable the profiler in production environments
     as it will lead to major security vulnerabilities in your project.
diff --git a/rate_limiter.rst b/rate_limiter.rst
@@ -11,7 +11,7 @@ Symfony uses these rate limiters in built-in features like :ref:`login throttlin
 which limits how many failed login attempts a user can make in a given period of
 time, but you can use them for your own features too.
 
-.. caution::
+.. danger::
 
     By definition, the Symfony rate limiters require Symfony to be booted
     in a PHP process. This makes them not useful to protect against `DoS attacks`_.
diff --git a/security.rst b/security.rst
@@ -880,7 +880,7 @@ The form can look like anything, but it usually follows some conventions:
     Actually, all of this can be configured under the ``form_login`` key. See
     :ref:`reference-security-firewall-form-login` for more details.
 
-.. caution::
+.. danger::
 
     This login form is currently not protected against CSRF attacks. Read
     :ref:`form_login-csrf` on how to protect your login form.
diff --git a/serializer.rst b/serializer.rst
@@ -83,7 +83,7 @@ custom normalizers and/or encoders can also be loaded by tagging them as
 :ref:`serializer.encoder <reference-dic-tags-serializer-encoder>`. It's also
 possible to set the priority of the tag in order to decide the matching order.
 
-.. caution::
+.. danger::
 
     Always make sure to load the ``DateTimeNormalizer`` when serializing the
     ``DateTime`` or ``DateTimeImmutable`` classes to avoid excessive memory
diff --git a/session.rst b/session.rst
@@ -1679,7 +1679,7 @@ Then, register the ``SodiumMarshaller`` service using this key:
                 ]);
         };
 
-.. caution::
+.. danger::
 
     This will encrypt the values of the cache items, but not the cache keys. Be
     careful not to leak sensitive data in the keys.

Original file line number	Diff line number	Diff line change
@@ -144,7 +144,7 @@ and ``redirect()`` methods::
`144`	`144`	`return $this->redirect('http://symfony.com/doc');`
`145`	`145`	`}`
`146`	`146`
`147`		`-.. caution::`
	`147`	`+.. danger::`
`148`	`148`
`149`	`149`	The ``redirect()`` method does not check its destination in any way. If you
`150`	`150`	`redirect to a URL provided by end-users, your application may be open`
Original file line number	Diff line number	Diff line change
@@ -152,7 +152,7 @@ Then, register the class as a service that :doc:`decorates </service_container/s
`152`	`152`	`;`
`153`	`153`	`};`
`154`	`154`
`155`		`-.. caution::`
	`155`	`+.. danger::`
`156`	`156`
`157`	`157`	You must protect the ``PURGE`` HTTP method somehow to avoid random people
`158`	`158`	`purging your cached data.`