[Security] Bump symfony/http-foundation from 6.4.7 to 6.4.21

Bumps symfony/http-foundation from 6.4.7 to 6.4.21. This update includes a security fix.

Vulnerabilities fixed

Symfony vulnerable to open redirect via browser-sanitized URLs

Description

The Request class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class into redirecting users to another domain.

Resolution

The Request::create methods now assert that the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/.

The patch for this issue is available here for branch 5.4.
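As an added illustration (not Symfony's code and not the patch this MR pulls in), the validator below applies the same principle as the fix: reject a redirect target that contains characters the WHATWG URL parser would strip or reinterpret before parsing, and only then compare the parsed host against an allow-list. The function names and the allow-list are constructed for this example.

```php
<?php
// Added example, not Symfony's code: a redirect-target validator built on the same
// principle as the CVE-2024-50345 fix. The WHATWG URL parser (https://url.spec.whatwg.org/)
// strips or reinterprets some characters before parsing, while PHP's parse_url() does
// not, so validating parse_url()'s output alone can disagree with where a browser goes.

function assertSafeUriCharacters(string $uri): void
{
    // WHATWG removes ASCII tab, CR and LF from anywhere in the input before parsing.
    if (\strlen($uri) !== strcspn($uri, "\r\n\t")) {
        throw new InvalidArgumentException('Invalid URI: contains CR, LF or TAB.');
    }
    // WHATWG trims leading and trailing C0 controls and spaces (code points 0x00-0x20).
    if ('' !== $uri && (\ord($uri[0]) <= 0x20 || \ord($uri[-1]) <= 0x20)) {
        throw new InvalidArgumentException('Invalid URI: leading or trailing control character or space.');
    }
    // For special schemes WHATWG treats "\" like "/", so a backslash before the query or
    // fragment can shift where the authority ends. Reject it outright.
    if (false !== ($i = strpos($uri, '\\')) && $i < strcspn($uri, '?#')) {
        throw new InvalidArgumentException('Invalid URI: backslash before query or fragment.');
    }
}

/**
 * True only for a scheme-less absolute local path or a URL whose host is allow-listed.
 * $allowedHosts holds lower-case hostnames; the list used below is constructed.
 */
function isSafeRedirectTarget(string $target, array $allowedHosts): bool
{
    try {
        assertSafeUriCharacters($target);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    $parts = parse_url($target);
    if (false === $parts) {
        return false;
    }
    if (!isset($parts['host'])) {
        // No authority: accept only "/path" with no scheme. A network-path reference
        // ("//host/...") yields a host in parse_url() and falls through to the check below.
        return !isset($parts['scheme']) && isset($parts['path']) && str_starts_with($parts['path'], '/');
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

$allowed = ['example.com'];                                                 // constructed
var_dump(isSafeRedirectTarget('https://example.com/account', $allowed));   // allow-listed host
var_dump(isSafeRedirectTarget("https://example.com\t/account", $allowed)); // rejected: embedded tab
var_dump(isSafeRedirectTarget('/dashboard', $allowed));                    // local absolute path
```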

Credits

We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

Patched versions: 7.1.7; 6.4.14; 5.4.46

Affected versions: >= 7.0.0, < 7.1.7; >= 6.0.0, < 6.4.14; < 5.4.46

Release notes

Sourced from symfony/http-foundation's releases.

v6.4.21

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.20...v6.4.21)

  • no significant changes

v6.4.18

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.17...v6.4.18)

v6.4.16

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.15...v6.4.16)

v6.4.15

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.14...v6.4.15)

  • no significant changes

v6.4.14

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.13...v6.4.14)

  • security symfony/symfony#cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid characters (@nicolas-grekas)

v6.4.13

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.12...v6.4.13)

v6.4.12

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.11...v6.4.12)

v6.4.10

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.9...v6.4.10)

v6.4.8

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.7...v6.4.8)

Commits
  • 3f0c7ea Remove unneeded use statements
  • b0e234d chore: fix some typos
  • d0492d6 [HttpFoundation][FrameworkBundle] Reset Request's formats using the service r...
  • e8fdc47 [HttpFoundation] Fixed IpUtils::anonymize exception when using IPv6 link-lo...
  • 431771b Merge branch '5.4' into 6.4
  • 3f38b8a [HttpFoundation] Fix test
  • 40e6615 bug #58862 [Notifier] Fix GoIpTransport (nicolas-grekas)
  • d2737ec Merge branch '5.4' into 6.4
  • 897e8a2 [HttpFoundation] Revert risk change
  • 69094c8 [Notifier] Fix GoIpTransport
  • Additional commits viewable in compare view
