diff --git a/components/http_foundation.rst b/components/http_foundation.rst index 68d686ff211..e5d8be12b2d 100644 --- a/components/http_foundation.rst +++ b/components/http_foundation.rst @@ -718,7 +718,7 @@ class, which can make this even easier:: The ``JsonResponse`` class sets the ``Content-Type`` header to ``application/json`` and encodes your data to JSON when needed. -.. caution:: +.. danger:: To avoid XSSI `JSON Hijacking`_, you should pass an associative array as the outermost array to ``JsonResponse`` and not an indexed array so diff --git a/components/lock.rst b/components/lock.rst index 14c787e16cd..bac1f835b9a 100644 --- a/components/lock.rst +++ b/components/lock.rst @@ -843,7 +843,7 @@ instance, to clean up the ``/tmp`` directory or after a reboot of the machine when a directory uses ``tmpfs``. It's not an issue if the lock is released when the process ended, but it is in case of ``Lock`` reused between requests. -.. caution:: +.. danger:: Do not store locks on a volatile file system if they have to be reused in several requests. @@ -876,7 +876,7 @@ When the Memcached service is shared and used for multiple usage, Locks could be removed by mistake. For instance some implementation of the PSR-6 ``clear()`` method uses the Memcached's ``flush()`` method which purges and removes everything. -.. caution:: +.. danger:: The method ``flush()`` must not be called, or locks should be stored in a dedicated Memcached service away from Cache. @@ -984,7 +984,7 @@ be lost without notifying the running processes. When the Redis service is shared and used for multiple usages, locks could be removed by mistake. -.. caution:: +.. danger:: The command ``FLUSHDB`` must not be called, or locks should be stored in a dedicated Redis service away from Cache. diff --git a/components/process.rst b/components/process.rst index 12ee096df4e..d11618cb119 100644 --- a/components/process.rst +++ b/components/process.rst 
@@ -251,7 +251,7 @@ are done doing other stuff:: **synchronously** inside this event. Be aware that ``kernel.terminate`` is called only if you use PHP-FPM. -.. caution:: +.. danger:: Beware also that if you do that, the said PHP-FPM process will not be available to serve any new request until the subprocess is finished. This diff --git a/components/yaml.rst b/components/yaml.rst index 0f4f76ef05f..e9e16073282 100644 --- a/components/yaml.rst +++ b/components/yaml.rst @@ -239,7 +239,7 @@ And parse them by using the ``PARSE_OBJECT`` flag:: The YAML component uses PHP's ``serialize()`` method to generate a string representation of the object. -.. caution:: +.. danger:: Object serialization is specific to this implementation, other PHP YAML parsers will likely not recognize the ``php/object`` tag and non-PHP diff --git a/configuration.rst b/configuration.rst index ba35e868df1..7c6090b0987 100644 --- a/configuration.rst +++ b/configuration.rst @@ -737,7 +737,7 @@ To do so, define a parameter with the same name as the env var using this syntax always exists, because its value will be ``null`` when the related env var is not defined. -.. caution:: +.. danger:: Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables or outputting the ``phpinfo()`` contents will display the values of the diff --git a/configuration/secrets.rst b/configuration/secrets.rst index 56270b75ca5..3927fa6161f 100644 --- a/configuration/secrets.rst +++ b/configuration/secrets.rst @@ -50,7 +50,7 @@ running: This will generate ``config/secrets/prod/prod.encrypt.public.php`` and ``config/secrets/prod/prod.decrypt.private.php``. -.. caution:: +.. danger:: The ``prod.decrypt.private.php`` file is highly sensitive. Your team of developers and even Continuous Integration services don't need that key. If the diff --git a/controller.rst b/controller.rst index c3a11e99a6a..7866a97818b 100644 --- a/controller.rst +++ b/controller.rst 
@@ -146,7 +146,7 @@ and ``redirect()`` methods:: return $this->redirect('http://symfony.com/doc'); } -.. caution:: +.. danger:: The ``redirect()`` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open diff --git a/deployment/proxies.rst b/deployment/proxies.rst index 416039ee040..38141df17da 100644 --- a/deployment/proxies.rst +++ b/deployment/proxies.rst @@ -104,7 +104,7 @@ and what headers your reverse proxy uses to send information: # ... trusted_proxies: '%env(TRUSTED_PROXIES)%' -.. caution:: +.. danger:: Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the application to `HTTP Host header attacks`_. Make sure the proxy really diff --git a/http_cache/cache_invalidation.rst b/http_cache/cache_invalidation.rst index 76c13ab975b..8e0b022a5a1 100644 --- a/http_cache/cache_invalidation.rst +++ b/http_cache/cache_invalidation.rst @@ -136,7 +136,7 @@ Then, register the class as a service that :doc:`decorates `. It's also possible to set the priority of the tag in order to decide the matching order. -.. caution:: +.. danger:: Always make sure to load the ``DateTimeNormalizer`` when serializing the ``DateTime`` or ``DateTimeImmutable`` classes to avoid excessive memory diff --git a/session.rst b/session.rst index 6d685244a75..d112e9acfb4 100644 --- a/session.rst +++ b/session.rst @@ -1573,7 +1573,7 @@ Then, register the ``SodiumMarshaller`` service using this key: ]); }; -.. caution:: +.. danger:: This will encrypt the values of the cache items, but not the cache keys. Be careful not to leak sensitive data in the keys.
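Review bot: in the ``components/lock.rst`` hunk at ``@@ -843``, the advice "Do not store locks on a volatile file system if they have to be reused in several requests" describes a lock-reliability problem (locks vanish on ``tmpfs`` cleanup or reboot), not a security exposure, so raising it from ``.. caution::`` to ``.. danger::`` reads as over-levelled if ``danger`` is reserved for security-sensitive notes; consider keeping ``.. caution::`` (or ``.. warning::``) for this one.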
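Review bot: same concern for the ``components/lock.rst`` hunk at ``@@ -876``: "The method ``flush()`` must not be called, or locks should be stored in a dedicated Memcached service away from Cache" guards against locks being purged by a shared cache's ``clear()``, which is an operational hazard rather than a security one; if the intent is to keep ``danger`` for security advice, this hunk should stay at ``caution``.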
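Review bot: the ``components/lock.rst`` hunk at ``@@ -984`` (``FLUSHDB`` on a shared Redis service) is the Redis twin of the Memcached note above and carries the same lock-loss, not security, risk; whichever admonition level is chosen for the Memcached hunk should be applied here as well so the two sections stay consistent.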
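Review bot: in the ``components/process.rst`` hunk at ``@@ -251``, the note that "the said PHP-FPM process will not be available to serve any new request until the subprocess is finished" is an availability and performance caveat about ``kernel.terminate``, with nothing in the visible text pointing to a security impact; ``.. danger::`` seems stronger than the content supports, so ``.. caution::`` may be the better fit.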
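Review bot: the ``components/yaml.rst`` hunk at ``@@ -239`` promotes to ``.. danger::`` a note whose visible text only covers interoperability ("other PHP YAML parsers will likely not recognize the ``php/object`` tag and non-PHP ..."); if the level is being raised because of the ``PARSE_OBJECT`` / ``serialize()`` behaviour, the note should say so explicitly, otherwise a reader sees a ``danger`` box that explains a portability issue, and ``caution`` would match the text better.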
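Review bot: the hunk labelled ``http_cache/cache_invalidation.rst`` at ``@@ -136`` has context lines about ``DateTimeNormalizer``, ``DateTime``/``DateTimeImmutable`` and "excessive memory", which reads like serializer documentation rather than cache invalidation; please double-check that the file header is right for this hunk, and note that the subject (memory usage) is not a security issue, so ``.. danger::`` looks out of place here too.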
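Review bot: in the ``session.rst`` hunk at ``@@ -1573`` the surrounding sentence reads "This will encrypt the values of the cache items, but not the cache keys", while the section registers ``SodiumMarshaller`` for session storage; since this admonition is being touched anyway, it is worth checking whether the wording should refer to session data and keys rather than cache items, so the ``danger`` box (which is appropriate here, as it concerns leaking sensitive data through unencrypted keys) does not confuse readers about what is protected.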