Update dependency symfony/symfony to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/symfony (source)	3.3.* -> 5.4.*

GitHub Vulnerability Alerts

CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

CVE-2019-18889

An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

CVE-2019-10913

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

CVE-2019-18888

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

CVE-2019-10912

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

CVE-2019-10911

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.

CVE-2019-18887

When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

CVE-2022-24895

Description

When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

Resolution

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

CVE-2022-24894

Description

The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients.

In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.

Resolution

The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers.
The default value for this parameter is Set-Cookie, but it can be overridden or extended by the application.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

CVE-2019-10910

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

CVE-2018-14774

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

CVE-2018-11386

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

CVE-2018-11408

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.

CVE-2018-19789

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class that's the data_class of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then UploadedFile::__toString() is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.

CVE-2017-16652

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

CVE-2023-46734

Description

Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe.

Resolution

Symfony now escapes the output of the affected filters.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.

CVE-2017-16653

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

CVE-2017-16654

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.

CVE-2018-11385

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

CVE-2018-11406

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

CVE-2018-14773

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

CVE-2021-21424

Description

The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user.

Resolution

We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

CVE-2017-16790

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a "FileType" is sent as normal POST data that could be interpreted as a local file path on the server-side (for example, "file:///etc/passwd"). If the application did not perform any additional checks about the value submitted to the "FileType", the contents of the given file on the server could have been exposed to the attacker.

CVE-2018-11407

An issue was discovered in the LDAP component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.

CVE-2018-19790

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

CVE-2024-50343

Description

It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n.

Resolution

Symfony now uses the D regex modifier to match the entire input.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.

CVE-2024-51736

Description

On Window, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking.

Resolution

The Process class now uses the absolute path to cmd.exe.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.

---

Release Notes

symfony/symfony (symfony/symfony)

v5.4.46

Compare Source

Changelog (symfony/symfony@v5.4.45...v5.4.46)

• bug #​58772 [DoctrineBridge] Backport detection fix of Xml/Yaml driver in DoctrineExtension (@​MatTheCat)
• security #cve-2024-51736 [Process] Use PATH before CD to load the shell on Windows (@​nicolas-grekas)
• security #cve-2024-50342 [HttpClient] Filter private IPs before connecting when Host == IP (@​nicolas-grekas)
• security #cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid characters (@​nicolas-grekas)
• security #cve-2024-50340 [Runtime] Do not read from argv on non-CLI SAPIs (@​wouterj)
• bug #​58765 [VarDumper] fix detecting anonymous exception classes on Windows and PHP 7 (@​xabbuh)
• bug #​58757 [RateLimiter] Fix DateInterval normalization (@​danydev)
• bug #​58754 [Security] Store original token in token storage when implicitly exiting impersonation (@​wouterj)
• bug #​58753 [Cache] Fix clear() when using Predis (@​nicolas-grekas)
• bug #​58713 [Config] Handle Phar absolute path in FileLocator (@​alexandre-daubois)
• bug #​58739 [WebProfilerBoundle] form data collector check passed and resolved options are defined (@​vltrof)
• bug #​58752 [Process] Fix escaping /X arguments on Windows (@​nicolas-grekas)
• bug #​58735 [Process] Return built-in cmd.exe commands directly in ExecutableFinder (@​Seldaek)
• bug #​58723 [Process] Properly deal with not-found executables on Windows (@​nicolas-grekas)
• bug #​58711 [Process] Fix handling empty path found in the PATH env var with ExecutableFinder (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/587777
[SECURITY] Security release

v5.4.45

Compare Source

Changelog (symfony/symfony@v5.4.44...v5.4.45)

• bug #​58669 [Cache] Revert "Initialize RedisAdapter cursor to 0" (@​nicolas-grekas)
• bug #​58649 [TwigBridge] ensure compatibility with Twig 3.15 (@​xabbuh)
• bug #​58661 [Cache] Initialize RedisAdapter cursor to 0 (@​thomas-hiron)
• bug #​58593 [Mime] fix encoding issue with UTF-8 addresses containing doubles spaces (@​0xb4lint)
• bug #​58615 [Validator] [Choice] Fix callback option if not array returned (@​symfonyaml)
• bug #​58618 [DependencyInjection] Fix linting factories implemented via __callStatic (@​KevinVanSonsbeek)
• bug #​58619 [HttpFoundation][Lock] Ensure compatibility with ext-mongodb v2 (@​GromNaN)
• bug #​58627 Minor fixes around parse_url() checks (@​nicolas-grekas)
• bug #​58617 [DependencyInjection] Fix replacing abstract arguments with bindings (@​nicolas-grekas)
• bug #​58613 Symfony 5.4 LTS will get security fixes until Feb 2029 thanks to Ibexa' sponsoring (@​nicolas-grekas)
• bug #​58523 [DoctrineBridge] fix: DoctrineTokenProvider not oracle compatible (@​jjjb03)
• bug #​58492 [MonologBridge] Fix PHP deprecation with preg_match() (@​simoheinonen)
• bug #​58449 [Form] Support intl.use_exceptions/error_level in NumberToLocalizedStringTransformer (@​bram123)
• bug #​58459 [FrameworkBundle] Fix displayed stack trace when session is used on stateless routes (@​nicolas-grekas)
• bug #​58376 [HttpKernel] Correctly merge max-age/s-maxage and Expires headers (@​aschempp)
• bug #​58299 [DependencyInjection] Fix XmlFileLoader not respecting when env for services (Bradley Zeggelaar)
• bug #​58332 [Console] Suppress proc_open errors within Terminal::readFromProcess (@​fritzmg)
• bug #​58404 [TwigBridge] Remove usage of Node() instantiations (@​fabpot)
• bug #​58393 [Dotenv] Default value can be empty (@​HypeMC)
• bug #​58372 Tweak error/exception handler registration (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/586811

v5.4.44

Compare Source

Changelog (symfony/symfony@v5.4.43...v5.4.44)

• bug #​58327 [FrameworkBundle] Do not access the container when the kernel is shut down (@​jderusse)
• bug #​58316 [Form] Don't call the constructor of LogicalOr (@​derrabus)
• bug #​58290 [FrameworkBundle] fix XSD to allow to configure locks without resources (@​xabbuh)
• bug #​58291 [Process] Fix finding executables independently of open_basedir (@​BlackbitDevs)
• bug #​58279 [Yaml] parse empty sequence elements as null (@​xabbuh)
• bug #​58289 [HttpKernel] Skip logging uncaught exceptions in ErrorHandler, assume $kernel->terminateWithException() will do it (@​nicolas-grekas)
• bug #​58185 [Filesystem] make sure temp files can be cleaned up on Windows (@​xabbuh)
• bug #​58260 [Cache] Fix RedisSentinel param types (Paweł Stasicki)
• bug #​58278 [HttpClient] Fix setting CURLMOPT_MAXCONNECTS (@​HypeMC)
• bug #​58274 [Dotenv] throw a meaningful exception when parsing dotenv files with BOM (@​xabbuh)
• bug #​58240 [FrameworkBundle] Fix service reset between tests (@​HypeMC)
• bug #​58266 [HttpKernel] pass CSV escape characters explicitly (@​xabbuh)
• bug #​58181 [HttpFoundation] Update links for X-Accel-Redirect and fail properly when X-Accel-Mapping is missing (@​nicolas-grekas)
• bug #​58218 Work around parse_url() bug (@​nicolas-grekas)
• bug #​58207 [TwigBridge] Avoid calling deprecated mergeGlobals() (@​derrabus)
• bug #​58198 [TwigBundle] Add support for resetting globals between HTTP requests (@​fabpot)
• bug #​58143 [Ldap] Fix extension deprecation (@​alexandre-daubois)

[PR]https://github.com/symfony/symfony/pull/583444

v5.4.43

Compare Source

Changelog (symfony/symfony@v5.4.42...v5.4.43)

• bug #​58110 [PropertyAccess] Fix handling property names with a . (@​alexandre-daubois)
• bug #​58127 [Validator] synchronize IBAN formats (@​xabbuh)
• bug #​58112 fix Twig 3.12 compatibility (@​xabbuh)
• bug #​58078 [TwigBridge] Fix Twig deprecation notice (@​yceruto)
• bug #​58000 [DependencyInjection] Fix issue between decorator and service locator index (@​lyrixx)
• bug #​58044 [HttpClient] Do not overwrite the host to request when using option "resolve" (@​xabbuh)
• bug #​57298 [DependencyInjection] Fix handling of repeated #[Autoconfigure] attributes (@​alexandre-daubois)
• bug #​57493 [SecurityBundle] Make security schema deterministic (@​MatTheCat)
• bug #​58020 [TwigBridge] fix compatibility with Twig 3.12 and 4.0 (@​xabbuh)
• bug #​58002 [Security] Revert stateless check for ContextListener (@​VincentLanglet)
• bug #​57853 [Console] Fix side-effects from running bash completions (@​Seldaek)
• bug #​57997 [Console][PhpUnitBridge][VarDumper] Fix handling NO_COLOR env var (@​nicolas-grekas)
• bug #​57984 [Validator] Add D regex modifier in relevant validators (@​alexandre-daubois)
• bug #​57981 [HttpClient] reject malformed URLs with a meaningful exception (@​xabbuh)
• bug #​57968 [Yaml] 🐛 throw ParseException on invalid date (@​homersimpsons)
• bug #​57925 [Validator] reset the validation context after validating nested constraints (@​xabbuh)
• bug #​57920 [Form] Fix handling empty data in ValueToDuplicatesTransformer (@​xabbuh)
• bug #​57917 [HttpKernel] [WebProfileBundle] Fix Routing panel for URLs with a colon (@​akeylimepie)
• bug #​57861 [Form] NumberType: Fix parsing of numbers in exponential notation with negative exponent (@​jbtronics)
• bug #​57921 [Finder] do not duplicate directory separators (@​xabbuh)
• bug #​57895 [Finder] do not duplicate directory separators (@​xabbuh)
• bug #​57905 [Validator] allow more unicode characters in URL paths (@​xabbuh)
• bug #​57899 [String] [EnglishInflector] Fix words ending with le, e.g., articles (@​aleho)
• bug #​57887 [Uid] Ensure UuidV1 is created in lowercase (@​smnandre)
• bug #​57870 [HttpClient] Disable HTTP/2 PUSH by default when using curl (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/581311

v5.4.42

Compare Source

Changelog (symfony/symfony@v5.4.41...v5.4.42)

• bug #​57815 [Console][PhpUnitBridge][VarDumper] Fix NO_COLOR empty value handling (@​alexandre-daubois)
• bug #​57828 [Translation] Fix CSV escape char in CsvFileLoader on PHP >= 7.4 (@​alexandre-daubois)
• bug #​57812 [Validator] treat uninitialized properties referenced by property paths as null (@​xabbuh)
• bug #​57816 [DoctrineBridge] fix messenger bus dispatch inside an active transaction (@​IndraGunawan)
• bug #​57799 [ErrorHandler][VarDumper] Remove PHP 8.4 deprecations (@​alexandre-daubois)
• bug #​57802 [PropertyInfo] Fix nullable value returned from extractFromMutator on CollectionType (@​benjilebon)
• bug #​57832 [DependencyInjection] Do not try to load default method name on interface (@​lyrixx)
• bug #​57753 [ErrorHandler] restrict the maximum length of the X-Debug-Exception header (@​xabbuh)
• bug #​57674 [Cache] Improve dbindex DSN parameter parsing (@​constantable)
• bug #​57663 [Cache] use copy() instead of rename() on Windows (@​xabbuh)
• bug #​57617 [PropertyInfo] Handle collection in PhpStan same as PhpDoc (@​mtarld)
• bug #​54057 [Messenger] Passing actual Envelope to WorkerMessageRetriedEvent (@​daffoxdev)
• bug #​57645 [Routing] Discard in-memory cache of routes when writing the file-based cache (@​mpdude)
• bug #​57621 [Mailer]  force HTTP 1.1 for Mailgun API requests (@​xabbuh)
• bug #​57616 [String] Revert "Fixed u()->snake(), b()->snake() and s()->snake() methods" (@​nicolas-grekas)
• bug #​57594 [String] Normalize underscores in snake() (@​xabbuh)
• bug #​57585 [HttpFoundation] Fix MockArraySessionStorage to generate more conform ids (@​Seldaek)

[PR]https://github.com/symfony/symfony/pull/578433

v5.4.41

Compare Source

Changelog (symfony/symfony@v5.4.40...v5.4.41)

• bug #​57497 [String] Fixed u()->snake(), b()->snake() and s()->snake() methods (@​arczinosek)
• bug #​57574 [Filesystem] Fix Filesystem::remove() on Windows (@​nicolas-grekas)
• bug #​57572 [DoctrineBridge] Fix compat with DI >= 6.4 (@​nicolas-grekas)
• bug #​57538 [String] Add alias case to EnglishInflector (@​alexandre-daubois)
• feature #​57557 Ibexa is sponsoring Symfony 5.4, thanks to them! \o/ (@​nicolas-grekas)
• bug #​57569 [HttpClient][Mailer] Revert "Let curl handle transfer encoding", use HTTP/1.1 for Mailgun (@​nicolas-grekas)
• bug #​57453 [HttpClient] Fix parsing SSE (@​fancyweb)
• bug #​57467 [SecurityBundle] Add provider XML attribute to the authenticators it’s missing from (@​MatTheCat)
• bug #​57384 [Notifier] Fix thread key in GoogleChat bridge (@​romain-jacquart)
• bug #​57372 [HttpKernel][Security] Fix accessing session for stateless request (@​VincentLanglet)
• bug #​57112 [Messenger] Handle AMQPConnectionException when publishing a message (@​jwage)
• bug #​57341 [Serializer] properly handle invalid data for false/true types (@​xabbuh)
• bug #​57187 [Serializer] Fix ObjectNormalizer with property path (@​HypeMC)
• bug #​57355 [ErrorHandler] Fix rendered exception code highlighting on PHP 8.3 (@​tscni)
• bug #​57273 [FrameworkBundle] Fix setting default context for certain normalizers (@​HypeMC)
• bug #​52699 [Serializer] [PropertyAccessor] Ignore non-collection interface generics (@​mtarld)
• bug #​54634 [String] Fix #​54611 pluralization of -on ending words + singularization of -a ending foreign words (@​Geordie, @​DesLynx)
• bug #​57213 [Validator] [UniqueValidator] Use correct variable as parameter in (custom) error message (@​seho-nl, Sebastien Hoek)
• bug #​54920 [Messenger] Comply with Amazon SQS requirements for message body (@​VincentLanglet)
• bug #​57110 [PhpUnitBridge] Fix error handler triggered outside of tests (@​HypeMC)
• bug #​57297 [FrameworkBundle] not registered definitions must not be modified (@​xabbuh)
• bug #​57234 [String] Fix Inflector for 'hardware' (@​podhy)

[PR]https://github.com/symfony/symfony/pull/575799

v5.4.40

Compare Source

Changelog (symfony/symfony@v5.4.39...v5.4.40)

• bug #​57275 Fix autoload configs to avoid warnings when building optimized autoloaders (@​Seldaek)
• bug #​54572 [Mailer] Fix sendmail transport failure handling and interactive mode (@​bobvandevijver)
• bug #​57228 [Mime] fix PHP 7 compatibility (@​xabbuh)
• bug #​57065 [Mime] Fixed Mime\Message::ensureValidity() when a required header is set, but has an empty body (@​rhertogh)
• bug #​57109 [Notifier] keep boolean options when their value is false (@​xabbuh)
• bug #​54694 [PropertyInfo] Update DoctrineExtractor for new DBAL 4 BIGINT type (@​llupa)
• bug #​54913 [Serializer] Fix CurrentType for missing property (@​ElisDN)
• bug #​54797 [PhpUnitBridge] Fix DeprecationErrorHandler with PhpUnit 10 (@​HypeMC)
• bug #​54878 [Filesystem] Fix dumpFile stat failed error hitting custom handler (@​acoulton)
• bug #​54924 [Validator] IBAN Check digits should always between 2 and 98 (@​karstennilsen)
• bug #​54919 [ErrorHandler] Do not call xdebug_get_function_stack() with xdebug >= 3.0 when not in develop mode (@​fmata)
• bug #​54910 [HttpFoundation]  filter out empty HTTP header parts (@​xabbuh)
• bug #​54888 [String] Fix folded in compat mode (@​smnandre)
• bug #​54860 [HttpClient] Revert fixing curl default options (@​alexandre-daubois)
• bug #​54839 Fix exception thrown during LDAP_MODIFY_BATCH_REMOVE_ALL batch operations (@​phasdev)
• bug #​54834 [Validator] Check Locale class existence before using it (@​alexandre-daubois)
• bug #​54830 [HttpClient] Fix cURL default options for PHP 8.4 (@​alexandre-daubois)
• bug #​54828 [Serializer] Fix GetSetMethodNormalizer not working with setters with optional args (@​HypeMC)
• bug #​54816 [Cache] Fix support for predis/predis:^2.0 (@​mfettig)
• bug #​54804 [Serializer] separate the property info and write info extractors (@​xabbuh)
• bug #​54800 [WebProfilerBundle] fix compatibility with Twig 3.10 (@​xabbuh)
• bug #​54794 [Strings][EnglishInflector] Fix incorrect pluralisation of 'Album' (@​timporter)
• bug #​54714 [Serializer] convert empty CSV header names into numeric keys (@​xabbuh)
• bug #​54775 [Messenger] accept AbstractAsset instances when filtering schemas (@​xabbuh)
• bug #​54759 [Filesystem] better distinguish URL schemes and Windows drive letters (@​xabbuh)
• bug #​54791 [FrameworkBundle] move wiring of the property info extractor to the ObjectNormalizer (@​xabbuh)
• bug #​54760 [Validator] handle union and intersection types for cascaded validations (@​xabbuh)
• bug #​54776 [Cache] fix: remove unwanted cast to int (Arend Hummeling)
• bug #​54700 [Dotenv] show overridden vars too when running debug:dotenv (@​HMRDevil)

[PR]https://github.com/symfony/symfony/pull/572900

v5.4.39

Compare Source

Changelog (symfony/symfony@v5.4.38...v5.4.39)

• bug #​54751 [Validator]  detect wrong e-mail validation modes (@​xabbuh)
• bug #​54723 [Form] read form values using the chain data accessor (@​xabbuh)
• bug #​54706 [Yaml] call substr() with integer offsets (@​xabbuh)
• bug #​54675 [PropertyInfo] Fix PHPStan properties type in trait (@​mtarld)
• bug #​54635 [Serializer] Revert "Fix object normalizer when properties has the same name as their accessor" - it was a BC Break (@​NeilPeyssard)
• bug #​54625 [Intl] Remove resources data from classmap generation (@​shyim)
• bug #​54598 [TwigBridge]  implement NodeVisitorInterface instead of extending AbstractNodeVisitor (@​xabbuh)
• bug #​54072 [HttpKernel] Fix datacollector caster for reference object property (@​ebuildy)
• bug #​54564 [Translation] Skip state=needs-translation entries only when source == target (@​nicolas-grekas)
• bug #​54579 [Cache] Always select database for persistent redis connections (@​uncaught)
• bug #​54059 [Security] Validate that CSRF token in form login is string similar to username/password (@​glaubinix)
• bug #​54547 [HttpKernel] Force non lazy controller services (@​smnandre)
• bug #​54517 [HttpClient] Let curl handle transfer encoding (@​michaelhue)
• bug #​52917 [Serializer] Fix unexpected allowed attributes (@​mtarld)
• bug #​54063 [FrameworkBundle] Fix registration of the bundle path to translation (@​FlyingDR)
• bug #​54392 [Messenger] Make Doctrine connection ignore unrelated tables on setup (@​MatTheCat)
• bug #​54506 [HttpFoundation] Set content-type header in RedirectResponse (@​smnandre)
• bug #​52698 [Serializer] Fix XML scalar to object denormalization (@​mtarld)
• bug #​54485 [Serializer] Ignore when using #[Ignore] on a non-accessor (@​nicolas-grekas)
• bug #​54242 [HttpClient] [EventSourceHttpClient] Fix consuming SSEs with \r\n separator (@​fancyweb)
• bug #​54456 [DomCrawler] Encode html entities only if nessecary (@​ausi)
• bug #​54471 [Filesystem] Strengthen the check of file permissions in dumpFile (@​alexandre-daubois)
• bug #​54403 [FrameworkBundle] [Command] Fix #​54402: Suppress PHP warning when is_readable() tries to access dirs outside of open_basedir restrictions (Jeldrik Geraedts)
• bug #​54440 [Console] return null when message with name is not set (@​xabbuh)

[PR]https://github.com/symfony/symfony/pull/547644

v5.4.38

Compare Source

Changelog (symfony/symfony@v5.4.37...v5.4.38)

• bug #​54400 [HttpClient] stop all server processes after tests have run (@​xabbuh)
• bug #​54425 [TwigBridge] Remove whitespaces from block form_help output (@​rosier)
• bug #​54372 [Config] Fix YamlReferenceDumper handling of array examples (@​MatTheCat)
• bug #​54362 [Filesystem] preserve the file modification time when mirroring directories (@​xabbuh)
• bug #​54121 [Messenger] Catch TableNotFoundException in MySQL delete (@​acbramley)
• bug #​54271 [DoctrineBridge] Fix deprecation warning with ORM 3 when guessing field lengths (@​eltharin)
• bug #​54306 Throw TransformationFailedException when there is a null bytes injection (@​sormes)
• bug #​54148 [Serializer] Fix object normalizer when properties has the same name as their accessor (@​NeilPeyssard)
• bug #​54305 [Cache][Lock] Identify missing table in pgsql correctly and address failing integration tests (@​arifszn)
• bug #​54292 [FrameworkBundle] Fix mailer config with XML (@​lyrixx)
• bug #​54298 [Filesystem] Fix str_contains deprecation (@​NeilPeyssard)
• bug #​54248 [Security] Correctly initialize the voter property (@​aschempp)
• bug #​54201 [Lock] Check the correct SQLSTATE error code for MySQL (@​edomato)
• bug #​54252 [Lock] compatiblity with redis cluster 7 (@​bastnic)
• bug #​54219 [Validator] Allow BICs’ first four characters to be digits (@​MatTheCat)
• bug #​54239 [Mailer] Fix sendmail transport not handling failure (@​aboks)
• bug #​54207 [HttpClient] Lazily initialize CurlClientState (@​arjenm)
• bug #​53865 [Workflow]Fix Marking when it must contains more than one tokens (@​lyrixx)
• bug #​54187 [FrameworkBundle] Fix PHP 8.4 deprecation on ReflectionMethod (@​alexandre-daubois)

[PR]https://github.com/symfony/symfony/pull/544622

v5.4.37

Compare Source

Changelog (symfony/symfony@v5.4.36...v5.4.37)

• bug #​54102 [HttpClient] Fix deprecation on PHP 8.3 (@​nicolas-grekas)
• bug #​54081 [DoctrineBridge] Safeguard dynamic access to Doctrine metadata properties (@​derrabus)
• bug #​54080 [Routing] Enhance error handling in StaticPrefixCollection for compatibility with libpcre2-10.43 (@​Lustmored)

[PR]https://github.com/symfony/symfony/pull/541577

v5.4.36

Compare Source

Changelog (symfony/symfony@v5.4.35...v5.4.36)

• bug #​54045 [Config][Messenger][Security] Don't turn deprecations into exceptions when unserializing ([@​nicolas-grekas](https://redirect.githu

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update symfony/symfony:4.4.51 --with-dependencies --ignore-platform-reqs --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Package "symfony/symfony:4.4.51" listed for update is not installed. Ignoring.
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Updating dependencies (including require-dev)