Symfony version(s) affected

all

Description

From libxml 2.12 release announcement:

Several bugs in the regex determinism checks were fixed. Invalid XML Schemas which previous versions erroneously accepted will now be rejected.

This impacts the http://symfony.com/schema/dic/security schema.

How to reproduce

Run the SecurityBundle’s XmlCompleteConfigurationTest with an up-to-date PHP’s libxml version (check php -i | grep libxml):

./phpunit src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/XmlCompleteConfigurationTest.php

It will fail/error with

[ERROR 3070] complex type 'provider': The content model is not determinist.
[ERROR 3070] complex type 'firewall': The content model is not determinist.

Possible Solution

This issue comes from the fact provider and firewall must allow custom elements besides Symfony’s using xsd:any. Unfortunately that means that a parser cannot know if e.g. a memory provider comes from Symfony’s security schema or another.

Setting the xsd:any’s namespace attribute to ##other fixes it (see https://www.w3.org/TR/xmlschema-0/#ref34), at the price that any custom provider or authenticator would need its own namespace. That being said, xsd:any’s processContents="lax" allows to not link it to an XSD.

<provider name="default">
-    <my-provider />
+    <custom:my-provider xmlns:custom="whatever" />
</provider>

The XmlFileLoader would have to be updated. Looking into it.