[Security] Bump symfony/http-foundation from 6.4.7 to 6.4.29

Dependabotrequested to merge
dependabot-composer-symfony-http-foundation-6.4.29 into main

Bumps symfony/http-foundation from 6.4.7 to 6.4.29. This update includes security fixes.

Vulnerabilities fixed

Symfony vulnerable to open redirect via browser-sanitized URLs

Description

The Request class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class to redirect users to another domain.

Resolution

The Request::create methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

Patched versions: 7.1.7; 6.4.14; 5.4.46 Affected versions: >= 7.0.0, = 6.0.0, < 6.4.14; < 5.4.46

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass

Description

The Request class improperly interprets some PATH_INFO in a way that leads to representing some URLs with a path that doesn't start with a /. This can allow bypassing some access control rules that are built with this /-prefix assumption.

Resolution

The Request class now ensures that URL paths always start with a /.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.

Patched versions: 7.3.7; 6.4.29; 5.4.50 Affected versions: >= 7.0.0, = 6.0.0, < 6.4.29; < 5.4.50

Release notes

Sourced from symfony/http-foundation's releases.

v6.4.29

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.28...v6.4.29)

  • no significant changes

v6.4.28

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.27...v6.4.28)

v6.4.26

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.25...v6.4.26)

v6.4.25

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.24...v6.4.25)

  • no significant changes

v6.4.24

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.23...v6.4.24)

  • no significant changes

v6.4.23

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.22...v6.4.23)

v6.4.22

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.21...v6.4.22)

v6.4.21

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.20...v6.4.21)

  • no significant changes

v6.4.18

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.17...v6.4.18)

v6.4.16

Changelog (https://github.com/symfony/http-foundation/compare/v6.4.15...v6.4.16)

... (truncated)

Commits
  • b03d11e Merge branch '5.4' into 6.4
  • 1ba1d5f [HttpFoundation] Fix parsing hosts and schemes in URLs
  • 1a0706e [HttpFoundation] Fix parsing pathinfo with no leading slash
  • ee93009 [HttpFoundation] Allow Request::setFormat() to override predefined formats
  • 3692415 Fix ord()-related PHP 8.5 deprecations
  • 67729f8 use the empty string instead of null as an array offset
  • e868881 SQLSRV: Change column type from TEXT to STRING
  • 6bc974c fix session cookie options assertions on PHP 8.5
  • 0341e41 CS fixes
  • 95f9645 Fix php.net links
  • Additional commits viewable in compare view

Merge request reports