Merge branch '4.1' into 4.2

* 4.1:
  Add severity rankings to security policy
  Replaced the table of cache warmers by the debug:container command
  Add $user variable in ->createForm(...)
  Fix list of core cache warmers
  Remove minor bugs from docs.
  Fixed another link to MakerBundle
  Improving link to Maker Bundle

Author: javiereguiluz

contributing/code/security.rst

@@ -91,6 +91,78 @@ of the downstream projects included in this process:
 * Drupal (releases typically happen on Wednesdays)
 * eZPublish
 
+Issue Severity
+--------------
+
+In order to determine the severity of a security issue we take into account
+the complexity of any potential attack, the impact of the vulnerability and
+also how many projects it is likely to affect. This score out of 15 is then
+converted into a level of: Low, Medium, High, Critical, or Exceptional.
+
+Attack Complexity
+~~~~~~~~~~~~~~~~~
+
+*Score of between 1 and 5 depending on how complex it is to exploit the
+vulnerability*
+
+* 4 - 5 Basic: attacker must follow a set of simple steps
+* 2 - 3 Complex: attacker must follow non-intuitive steps with a high level
+  of dependencies
+* 1 - 2 High: A successful attack depends on conditions beyond the attacker's
+  control. That is, a successful attack cannot be accomplished at will, but
+  requires the attacker to invest in some measurable amount of effort in
+  preparation or execution against the vulnerable component before a successful
+  attack can be expected.
+
+Impact
+~~~~~~
+
+*Scores from the following areas are added together to produce a score. The
+score for Impact is capped at 6. Each area is scored between 0 and 4.*
+
+* Integrity: Does this vulnerability cause non-public data to be accessible?
+  If so, does the attacker have control over the data disclosed? (0-4)
+* Disclosure: Can this exploit allow system data (or data handled by the
+  system) to be compromised? If so, does the attacker have control over
+  modification? (0-4)
+* Code Execution: Does the vulnerability allow arbitrary code to be executed
+  on an end-users system, or the server that it runs on? (0-4)
+* Availability: Is the availability of a service or application affected? Is
+  it reduced availability or total loss of availability of a service /
+  application? Availability includes networked services (e.g., databases) or
+  resources such as consumption of network bandwidth, processor cycles, or
+  disk space. (0-4)
+
+Affected Projects
+~~~~~~~~~~~~~~~~~
+
+*Scores from the following areas are added together to produce a score. The
+score for Affected Projects is capped at 4.*
+
+* Will it affect some or all using a component? (1-2)
+* Is the usage of the component that would cause such a thing already
+  considered bad practice? (0-1)
+* How common/popular is the component (e.g. Console vs HttpFoundation vs
+  Lock)? (0-2)
+* Are a number of well-known open source projects using Symfony affected
+  that requires coordinated releases? (0-1)
+
+Score Totals
+~~~~~~~~~~~~
+
+* Attack Complexity: 1 - 4
+* Impact: 1 - 6
+* Affected Projects: 1 - 4
+
+Severity levels
+~~~~~~~~~~~~~~~
+
+* Low: 1 - 5
+* Medium: 6 - 10
+* High: 11 - 12
+* Critical: 13 - 14
+* Exceptional: 15
+
 Security Advisories
 -------------------
 

controller.rst

@@ -148,7 +148,7 @@ and ``redirect()`` methods::
         // redirect to a route with parameters
         return $this->redirectToRoute('app_lucky_number', array('max' => 10));
 
-        // redirects to a route and mantains the original query string parameters
+        // redirects to a route and maintains the original query string parameters
         return $this->redirectToRoute('blog_show', $request->query->all());
 
         // redirects externally

doctrine/registration_form.rst

@@ -152,7 +152,7 @@ saves the user::
         public function register(Request $request, UserPasswordEncoderInterface $passwordEncoder): Response
         {
             $user = new User();
-            $form = $this->createForm(RegistrationFormType::class);
+            $form = $this->createForm(RegistrationFormType::class, $user);
             $form->handleRequest($request);
 
             if ($form->isSubmitted() && $form->isValid()) {

introduction/from_flat_php_to_symfony2.rst

@@ -181,7 +181,7 @@ of the application are isolated in a new file called ``model.php``::
     in this example, only a portion (or none) of the model is actually concerned
     with accessing a database.
 
-The controller (``index.php``) is now is just a few lines of code::
+The controller (``index.php``) is now just a few lines of code::
 
     // index.php
     require_once 'model.php';
@@ -262,7 +262,7 @@ an individual blog result based on a given id::
     {
         $connection = open_database_connection();
 
-        $query = 'SELECT created_at, title, body FROM post WHERE  id=:id';
+        $query = 'SELECT created_at, title, body FROM post WHERE id=:id';
         $statement = $connection->prepare($query);
         $statement->bindValue(':id', $id, PDO::PARAM_INT);
         $statement->execute();
@@ -533,7 +533,7 @@ a simple application. Along the way, you've made a simple routing
 system and a method using ``ob_start()`` and ``ob_get_clean()`` to render
 templates. If, for some reason, you needed to continue building this "framework"
 from scratch, you could at least use Symfony's standalone
-:doc:`Routing </components/routing>` and component and :doc:`Twig </templating>`,
+:doc:`Routing </components/routing>` component and :doc:`Twig </templating>`,
 which already solve these problems.
 
 Instead of re-solving common problems, you can let Symfony take care of

reference/dic_tags.rst

@@ -400,18 +400,15 @@ can also register it manually:
     application and/or bundles should be prepared for when the contents
     generated by the cache warmer are not available.
 
-Core Cache Warmers
-~~~~~~~~~~~~~~~~~~
-
-+-------------------------------------------------------------------------------------------+-----------+
-| Cache Warmer Class Name                                                                   | Priority  |
-+===========================================================================================+===========+
-| :class:`Symfony\\Bundle\\FrameworkBundle\\CacheWarmer\\TemplatePathsCacheWarmer`          | 20        |
-+-------------------------------------------------------------------------------------------+-----------+
-| :class:`Symfony\\Bundle\\FrameworkBundle\\CacheWarmer\\RouterCacheWarmer`                 | 0         |
-+-------------------------------------------------------------------------------------------+-----------+
-| :class:`Symfony\\Bundle\\TwigBundle\\CacheWarmer\\TemplateCacheCacheWarmer`               | 0         |
-+-------------------------------------------------------------------------------------------+-----------+
+.. _core-cache-warmers:
+
+In addition to your own cache warmers, Symfony components and third-party
+bundles define cache warmers too for their own purposes. You can list them all
+with the following command:
+
+.. code-block:: terminal
+
+    $ php bin/console debug:container --tag=kernel.cache_warmer
 
 .. _dic-tags-kernel-event-listener:
 

security.rst

@@ -1009,4 +1009,4 @@ Authorization (Denying Access)
 .. _`HWIOAuthBundle`: https://github.com/hwi/HWIOAuthBundle
 .. _`Symfony ACL bundle`: https://github.com/symfony/acl-bundle
 .. _`Symfony Security screencast series`: https://symfonycasts.com/screencast/symfony-security
-.. _`MakerBundle`: https://github.com/symfony/maker-bundle
+.. _`MakerBundle`: https://symfony.com/doc/current/bundles/SymfonyMakerBundle/index.html

security/form_login_setup.rst

@@ -315,4 +315,4 @@ deal with this low level session variable. However, the
 :class:`Symfony\\Component\\Security\\Http\\Util\\TargetPathTrait` utility
 can be used to read (like in the example above) or set this value manually.
 
-.. _`MakerBundle`: https://github.com/symfony/maker-bundle
+.. _`MakerBundle`: https://symfony.com/doc/current/bundles/SymfonyMakerBundle/index.html

templating.rst

@@ -125,7 +125,7 @@ Throughout this article, template examples will be shown in both Twig and PHP.
     Twig can also do things that PHP can't, such as whitespace control,
     sandboxing, automatic HTML escaping, manual contextual output escaping,
     and the inclusion of custom functions and filters that only affect templates.
-    Twig contains little features that make writing templates easier and more concise.
+    Twig contains a lot of features that make writing templates easier and more concise.
     Take the following example, which combines a loop with a logical ``if``
     statement: