Update dependency symfony/http-foundation to v5.4.46 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/http-foundation (source)	5.4.10 -> 5.4.46

GitHub Vulnerability Alerts

CVE-2024-50345

Description

The Request class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class to redirect users to another domain.

Resolution

The Request::create methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

---

Release Notes

symfony/http-foundation (symfony/http-foundation)

v5.4.46

Compare Source

Changelog (symfony/http-foundation@v5.4.45...v5.4.46)

• security symfony/symfony#cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid characters (@​nicolas-grekas)

v5.4.45

Compare Source

Changelog (symfony/http-foundation@v5.4.44...v5.4.45)

• bug symfony/symfony#58619 [HttpFoundation][Lock] Ensure compatibility with ext-mongodb v2 (@​GromNaN)

v5.4.44

Compare Source

Changelog (symfony/http-foundation@v5.4.43...v5.4.44)

• bug symfony/symfony#58181 [HttpFoundation] Update links for X-Accel-Redirect and fail properly when X-Accel-Mapping is missing (@​nicolas-grekas)
• bug symfony/symfony#58218 Work around parse_url() bug (@​nicolas-grekas)

v5.4.42

Compare Source

Changelog (symfony/http-foundation@v5.4.41...v5.4.42)

• bug symfony/symfony#57585 [HttpFoundation] Fix MockArraySessionStorage to generate more conform ids (@​Seldaek)

v5.4.40

Compare Source

Changelog (symfony/http-foundation@v5.4.39...v5.4.40)

• bug symfony/symfony#54910 [HttpFoundation]  filter out empty HTTP header parts (@​xabbuh)
• bug symfony/symfony#54816 [Cache] Fix support for predis/predis:^2.0 (@​mfettig)

v5.4.39

Compare Source

Changelog (symfony/http-foundation@v5.4.38...v5.4.39)

• bug symfony/symfony#54506 [HttpFoundation] Set content-type header in RedirectResponse (@​smnandre)

v5.4.38

Compare Source

Changelog (symfony/http-foundation@v5.4.37...v5.4.38)

• no significant changes

v5.4.35

Compare Source

Changelog (symfony/http-foundation@v5.4.34...v5.4.35)

• bug symfony/symfony#53432 [HttpFoundation] Request without content-type or content-length header should result in null values, not empty strings (@​priyadi)

v5.4.34

Compare Source

Changelog (symfony/http-foundation@v5.4.33...v5.4.34)

• no significant changes

v5.4.32

Compare Source

Changelog (symfony/http-foundation@v5.4.31...v5.4.32)

• bug symfony/symfony#52459 [Cache][HttpFoundation][Lock] Fix PDO store not creating table + add tests (@​HypeMC)

v5.4.31

Compare Source

Changelog (symfony/http-foundation@v5.4.30...v5.4.31)

• bug symfony/symfony#52474 [HttpFoundation] ensure string type with mbstring func overloading enabled (@​xabbuh)
• bug symfony/symfony#52457 [Cache][HttpFoundation][Lock] Fix empty username/password for PDO PostgreSQL (@​HypeMC)
• bug symfony/symfony#52444 Remove full DSNs from exception messages (@​nicolas-grekas)

v5.4.30

Compare Source

Changelog (symfony/http-foundation@v5.4.29...v5.4.30)

• no significant changes

v5.4.28

Compare Source

Changelog (symfony/http-foundation@v5.4.27...v5.4.28)

• bug symfony/symfony#51424 [HttpFoundation] Fix base URI detection on IIS with UrlRewriteModule (@​derrabus)

v5.4.26

Compare Source

Changelog (symfony/http-foundation@v5.4.25...v5.4.26)

• bug symfony/symfony#51031 Fix deprecations on PHP 8.3 (@​nicolas-grekas)

v5.4.25

Compare Source

Changelog (symfony/http-foundation@v5.4.24...v5.4.25)

• bug symfony/symfony#50524 Fix Doctrine deprecations (@​nicolas-grekas)

v5.4.24

Compare Source

Changelog (symfony/http-foundation@v5.4.23...v5.4.24)

• bug symfony/symfony#50315 [Translation] Fix handling of null messages in ArrayLoader (@​rob006)
• bug symfony/symfony#50338 [Console] Remove exec and replace it by shell_exec (@​maxbeckers)
• bug symfony/symfony#50362 [FrameworkBundle] Fix Workflow without a marking store definition uses marking store definition of previously defined workflow (@​krciga22)
• bug symfony/symfony#50309 [HttpFoundation] UrlHelper is now aware of RequestContext changes (@​giosh94mhz)
• bug symfony/symfony#50309 [HttpFoundation] UrlHelper is now aware of RequestContext changes (@​giosh94mhz)
• bug symfony/symfony#49063 [Messenger] Respect isRetryable decision of the retry strategy for re-delivery (@​FlyingDR)
• bug symfony/symfony#50266 [HttpFoundation] Fix file streaming after connection aborted (@​rlshukhov)
• bug symfony/symfony#49557 [PropertyInfo] Fix phpDocExtractor nullable array value type (@​fabpot)

v5.4.23

Compare Source

Changelog (symfony/http-foundation@v5.4.22...v5.4.23)

• bug #​48972 Fix memory limit problems in BinaryFileResponse (glady)

v5.4.22

Compare Source

Changelog (symfony/http-foundation@v5.4.21...v5.4.22)

• bug #​49758 Use separate caches for IpUtils checkIp4 and checkIp6 (danielburger1337)
• bug #​49745 Fix wiring session.handler when handler_id is null (nicolas-grekas)

v5.4.21

Compare Source

Changelog (symfony/http-foundation@v5.4.20...v5.4.21)

• bug #​48880 getMaxAge() returns non-negative integer (pkruithof, fabpot)

v5.4.20

Compare Source

Changelog (symfony/http-foundation@v5.4.19...v5.4.20)

• bug #​49141 Fix bad return type in IpUtils::checkIp4() (tristankretzer)

v5.4.19

Compare Source

Changelog (symfony/http-foundation@v5.4.18...v5.4.19)

• no significant changes

v5.4.17

Compare Source

Changelog (symfony/http-foundation@v5.4.16...v5.4.17)

• bug #​48635 Use relative timestamps with MemcachedSessionHandler (tvlooy)
• bug #​48628 Fix dumping array cookies (nicolas-grekas)
• bug #​48421 IPv4-mapped IPv6 addresses incorrectly rejected (bonroyage)

v5.4.16

Compare Source

Changelog (symfony/http-foundation@v5.4.15...v5.4.16)

• bug #​48112 Compare cookie with null value as empty string in ResponseCookieValueSame (fancyweb)
• bug #​48050 Check IPv6 is valid before comparing it (PhilETaylor)

v5.4.15

Compare Source

Changelog (symfony/http-foundation@v5.4.14...v5.4.15)

• no significant changes

v5.4.14

Compare Source

Changelog (symfony/http-foundation@v5.4.13...v5.4.14)

• bug #​47746 Fix BinaryFileResponse content type detection logic (X-Coder264)

v5.4.13

Compare Source

Changelog (symfony/http-foundation@v5.4.12...v5.4.13)

• bug #​47516 Prevent BinaryFileResponse::prepare from adding content type if no content is sent (naitsirch)
• bug #​47530 Always return strings from accept headers (ausi)
• bug #​47434 move flushing outside of Response::closeOutputBuffers (nicolas-grekas)

v5.4.12

Compare Source

Changelog (symfony/http-foundation@v5.4.11...v5.4.12)

• bug #​47283 Prevent accepted rate limits with no remaining token to be preferred over denied ones (MatTheCat)
• bug #​47273 Do not send Set-Cookie header twice for deleted session cookie (X-Coder264)
• bug #​47130 Fix invalid ID not regenerated with native PHP file sessions (BrokenSourceCode)

v5.4.11

Compare Source

Changelog (symfony/http-foundation@v5.4.10...v5.4.11)

• bug #​46931 Flush backend output buffer after closing. (bradjones1)
• bug #​42033 Fix deleteFileAfterSend on client abortion (nerg4l)
• bug #​46790 Prevent PHP Warning: Session ID is too long or contains illegal characters (BrokenSourceCode)
• bug #​46808 Fix TypeError on null $_SESSION in NativeSessionStorage::save() (chalasr)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.