[Security] Bump symfony/http-foundation from 6.4.7 to 6.4.24

Bumps symfony/http-foundation from 6.4.7 to 6.4.24. This update includes a security fix.

Vulnerabilities fixed

Symfony vulnerable to open redirect via browser-sanitized URLs

Description

The Request class does not parse URIs containing special characters the same way browsers do. As a result, an attacker can trick a validator that relies on the Request class into redirecting users to another domain.

Resolution

The Request::create methods now assert that the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

Patched versions: 7.1.7; 6.4.14; 5.4.46

Affected versions: >= 7.0.0, < 7.1.7; >= 6.0.0, < 6.4.14; < 5.4.46
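The advisory's point is that a redirect validator is only as good as the parser it trusts: if the application's parser keeps characters that a browser strips (tab, newline, C0 controls, surrounding spaces), the host the validator checks is not the host the browser will navigate to. The following Python example, added here and not part of Symfony or this merge request, shows the defensive pattern the fix applies: reject any URI containing those characters before parsing it, then check the parsed host against an allow-list. The allow-list, the helper names, and the conservative rejection of backslashes are assumptions of this example, not Symfony's implementation.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Characters the WHATWG URL parser removes or strips before parsing
# (ASCII tab/newline anywhere, C0 controls and spaces at the ends).
# A parser that keeps them may end up with a different host than the
# browser will use, so reject them outright instead of parsing around them.
# Backslash is added as a conservative extra (browsers treat it as "/" in
# http/https URLs); this is an assumption of the example, not the page's rule.
INVALID_URI_CHARS = re.compile(r"[\x00-\x1f\x7f \\]")

# Constructed allow-list of hosts this application may redirect to.
ALLOWED_HOSTS = {"app.example"}


def has_invalid_uri_chars(uri: str) -> bool:
    """True if the URI contains a character a browser would strip or rewrite."""
    return INVALID_URI_CHARS.search(uri) is not None


def safe_redirect_target(uri: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return the URI unchanged if it is an acceptable redirect target, else None.

    Order matters: the character check runs before any parsing so that the
    validator and the browser cannot disagree about where the host ends.
    """
    if has_invalid_uri_chars(uri):
        return None
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None

    if parts.scheme == "" and parts.netloc == "":
        # Path-only target: accept absolute paths, never "//host" forms
        # (urlsplit already routes "//host/..." into netloc, so this is belt
        # and braces for odd inputs such as an empty string).
        return uri if uri.startswith("/") and not uri.startswith("//") else None

    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return None
    return uri


if __name__ == "__main__":
    # Constructed sample inputs: two acceptable targets, then rejected ones.
    for candidate in [
        "https://app.example/account",
        "/settings",
        "//other.example/x",
        "https://other.example/",
        "https://app.example\t/x",
        "https://app.example/\nfoo",
    ]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

A practical check for an existing code base is to confirm the validator performs the character rejection *before* handing the string to whatever parser it uses, since some parsers (including recent versions of Python's `urlsplit`) silently strip tab and newline themselves and will therefore disagree with a naive string-based check done afterwards.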

Release notes

Sourced from symfony/http-foundation's releases.

v6.4.24

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.23...v6.4.24)

  • no significant changes

v6.4.23

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.22...v6.4.23)

v6.4.22

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.21...v6.4.22)

v6.4.21

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.20...v6.4.21)

  • no significant changes

v6.4.18

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.17...v6.4.18)

v6.4.16

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.15...v6.4.16)

v6.4.15

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.14...v6.4.15)

  • no significant changes

v6.4.14

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.13...v6.4.14)

  • security symfony/symfony#cve-2024-50345 [HttpFoundation] Reject URIs that contain invalid characters (@nicolas-grekas)

v6.4.13

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.12...v6.4.13)

v6.4.12

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.11...v6.4.12)

... (truncated)

Commits
  • 0341e41 CS fixes
  • 95f9645 Fix php.net links
  • 452d19f fixed Via regex
  • 6b7c97f [HttpFoundation] Fix: Encode path in X-Accel-Redirect header
  • ef8252e minor #60285 [Form][HttpFoundation] Fix overwriting an array element (wkania)
  • 7965dc6 Fix overwriting an array element
  • 3f0c7ea Remove unneeded use statements
  • b0e234d chore: fix some typos
  • d0492d6 [HttpFoundation][FrameworkBundle] Reset Request's formats using the service r...
  • e8fdc47 [HttpFoundation] Fixed IpUtils::anonymize exception when using IPv6 link-lo...
  • Additional commits viewable in compare view
