Update dependency symfony/symfony to v4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/symfony (source)	3.3.* -> 4.4.*

GitHub Vulnerability Alerts

CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

CVE-2019-18889

An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

CVE-2019-10913

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

CVE-2019-18888

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

CVE-2019-10912

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

CVE-2019-10911

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.

CVE-2019-18887

When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

CVE-2022-24895

Description

When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

Resolution

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

CVE-2022-24894

Description

The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients.

In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.

Resolution

The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers.
The default value for this parameter is Set-Cookie, but it can be overridden or extended by the application.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

CVE-2019-10910

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

CVE-2018-14774

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

CVE-2018-11386

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

CVE-2018-11408

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.

CVE-2018-19789

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class that's the data_class of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then UploadedFile::__toString() is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.

CVE-2017-16652

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

CVE-2023-46734

Description

Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe.

Resolution

Symfony now escapes the output of the affected filters.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.

CVE-2017-16653

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

CVE-2017-16654

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.

CVE-2018-11385

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

CVE-2018-11406

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

CVE-2018-14773

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

CVE-2021-21424

Description

The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user.

Resolution

We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

CVE-2017-16790

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a "FileType" is sent as normal POST data that could be interpreted as a local file path on the server-side (for example, "file:///etc/passwd"). If the application did not perform any additional checks about the value submitted to the "FileType", the contents of the given file on the server could have been exposed to the attacker.

CVE-2018-11407

An issue was discovered in the LDAP component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.

CVE-2018-19790

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

---

Release Notes

symfony/symfony (symfony/symfony)

v4.4.51

Compare Source

Changelog (symfony/symfony@v4.4.50...v4.4.51)

• security #cve-2023-46734 [TwigBridge] Ensure CodeExtension's filters properly escape their input (@​nicolas-grekas, @​GromNaN)

[PR]https://github.com/symfony/symfony/pull/525344
[SECURITY] Security release

v4.4.50

Compare Source

Changelog (symfony/symfony@v4.4.49...v4.4.50)

• security #cve-2022-24895 [Security/Http] Remove CSRF tokens from storage on successful login (@​nicolas-grekas)
• security #cve-2022-24894 [HttpKernel] Remove private headers before storing responses with HttpCache (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/491788

v4.4.49

Compare Source

Changelog (symfony/symfony@v4.4.48...v4.4.49)

• bug #​48273 [HttpKernel] Fix message for unresovable arguments of invokable controllers (@​fancyweb)
• bug #​48224 [DependencyInjection] Process bindings in ServiceLocatorTagPass (@​MatTheCat)
• bug #​48198 [Messenger] Fix time-limit check exception (@​alamirault)
• bug #​48122 [PhpUnitBridge] Fix language deprecations incorrectly marked as direct (@​wouterj)
• bug #​48085 [Messenger] Tell about messenger:consume invalid limit options (@​MatTheCat)
• bug #​48120 [Messenger] Do not throw 'no handlers' exception when skipping handlers due to duplicate handling (@​wouterj)
• bug #​48112 [HttpFoundation] Compare cookie with null value as empty string in ResponseCookieValueSame (@​fancyweb)
• bug #​48119 [FrameworkBundle][Lock] Allow to disable lock without defining a resource (@​MatTheCat)
• bug #​48093 [DependencyInjection] don't move locator tag for service subscriber (@​RobertMe)
• bug #​48075 [Mailer] Stream timeout not detected fgets returns false (@​Sezil)
• bug #​48092 Fix the notification email theme for asynchronously dispatched emails (@​krisbuist)
• bug #​48103 [HttpClient] Do not set http_version instead of setting it to null (@​Tetragramat)
• bug #​48050 [HttpFoundation] Check IPv6 is valid before comparing it (@​PhilETaylor)

[PR]https://github.com/symfony/symfony/pull/483677
[EOL] End of life release for branch 4.4

v4.4.48

Compare Source

Changelog (symfony/symfony@v4.4.47...v4.4.48)

• bug #​47907 [Console] Update Application.php (@​aleksandr-shevchenko)
• bug #​47932 Throw LogicException instead of Error when trying to generate logout-… (@​addiks)
• bug #​47857 [HttpKernel] Fix empty request stack when terminating with exception (@​krzyc)
• bug #​47878 [HttpKernel] Remove EOL when using error_log() in HttpKernel Logger (@​cyve)
• bug #​47883 [Console] Fix error output on windows cli (@​Maximilian.Beckers)
• bug #​47884 [Cache] Reserve numeric keys when doing memory leak prevention (@​simoheinonen)
• bug #​47822 [Mailer] fix: use message object from event (@​rogamoore)
• bug #​47858 [DoctrineBridge] Implement EventManager::getAllListeners() (@​derrabus)

[PR]https://github.com/symfony/symfony/pull/480288

v4.4.47

Compare Source

Changelog (symfony/symfony@v4.4.46...v4.4.47)

• bug #​47621 [Serializer] Allow getting discriminated type by class name (@​TamasSzigeti)
• bug #​47808 [HttpClient] Fix seeking in not-yet-initialized requests (@​nicolas-grekas)
• bug #​47702 [Messenger] Fix default serializer not handling DateTime objects properly (@​barton-webwings)
• bug #​47779 [Console] Fix Helper::removeDecoration hyperlink bug (@​greew)
• bug #​47763 [PropertyInfo] a readonly property must not be reported as being writable (@​xabbuh)
• bug #​47731 [WebProfiler] Fix overflow issue in Forms panel (@​zolikonta)
• bug #​47746 [HttpFoundation] Fix BinaryFileResponse content type detection logic (@​X-Coder264)

[PR]https://github.com/symfony/symfony/pull/478399

v4.4.46

Compare Source

Changelog (symfony/symfony@v4.4.45...v4.4.46)

• bug #​47547 [Ldap] Do not run ldap_set_option on failed connection (@​tatankat)
• bug #​47578 [Security] Fix AbstractFormLoginAuthenticator return types (@​AndrolGenhald)
• bug #​47614 [FrameworkBundle] Fix a phpdoc in mailer assertions (@​HeahDude)
• bug #​47516 [HttpFoundation] Prevent BinaryFileResponse::prepare from adding content type if no content is sent (@​naitsirch)
• bug #​47533 [Messenger] decode URL-encoded characters in DSN's usernames/passwords (@​xabbuh)
• bug #​47530 [HttpFoundation] Always return strings from accept headers (@​ausi)
• bug #​47497 [Bridge] Fix mkdir() race condition in ProxyCacheWarmer (@​andrey-tech)
• bug #​47415 [HttpClient] Psr18Client ignore invalid HTTP headers (@​nuryagdym)
• bug #​47435 [HttpKernel] lock when writting profiles (@​nicolas-grekas)
• bug #​47437 [Mime] Fix email rendering when having inlined parts that are not related to the content (@​fabpot)
• bug #​47434 [HttpFoundation] move flushing outside of Response::closeOutputBuffers (@​nicolas-grekas)
• bug #​47351 [FrameworkBundle] Do not throw when describing a factory definition (@​MatTheCat)
• bug #​47403 [Mailer] Fix edge cases in STMP transports (@​fabpot)

[PR]https://github.com/symfony/symfony/pull/477377

v4.4.45

Compare Source

Changelog (symfony/symfony@v4.4.44...v4.4.45)

• bug #​47358 Fix broken request stack state if throwable is thrown. (@​Warxcell)
• bug #​47304 [Serializer] Fix caching context-aware encoders/decoders in ChainEncoder/ChainDecoder (@​Guite)
• bug #​47329 Email image parts: regex for single closing quote (@​rr-it)
• bug #​47200 [Form] ignore missing keys when mapping DateTime objects to uninitialized arrays (@​xabbuh)
• bug #​47189 [Validator] Add additional hint when egulias/email-validator needs to be installed (@​mpdude)
• bug #​47195 [FrameworkBundle] fix writes to static $kernel property (@​xabbuh)
• bug #​47175 [DowCrawler] Fix locale-sensitivity of whitespace normalization (@​nicolas-grekas)
• bug #​47171 [TwigBridge] suggest to install the Twig bundle when the required component is already installed (@​xabbuh)
• bug #​47161 [Mailer] Fix logic (@​fabpot)
• bug #​47157 [Messenger] Fix Doctrine transport on MySQL (@​nicolas-grekas)
• bug #​46190 [Translation] Fix translator overlapse (@​Xavier RENAUDIN)
• bug #​47142 [Mailer] Fix error message in case of an STMP error (@​fabpot)
• bug #​47145 [HttpClient] Fix shared connections not being freed on PHP < 8 (@​nicolas-grekas)
• bug #​47143 [HttpClient] Fix memory leak when using StreamWrapper (@​nicolas-grekas)
• bug #​47130 [HttpFoundation] Fix invalid ID not regenerated with native PHP file sessions (@​BrokenSourceCode)

[PR]https://github.com/symfony/symfony/pull/473977

v4.4.44

Compare Source

Changelog (symfony/symfony@v4.4.43...v4.4.44)

• bug #​47069 [Security] Allow redirect after login to absolute URLs (@​Tim Ward)
• bug #​47073 [HttpKernel] Fix non-scalar check in surrogate fragment renderer (@​aschempp)
• bug #​43329 [Serializer] Respect default context in DateTimeNormalizer::denormalize (@​hultberg)
• bug #​47086 Workaround disabled "var_dump" (@​nicolas-grekas)
• bug #​40828 [BrowserKit] Merge fields and files recursively if they are multidimensional array (@​januszmk)
• bug #​47048 [Serializer] Fix XmlEncoder encoding attribute false (@​alamirault)
• bug #​47000 [ErrorHandler] Fix return type patching for list and class-string pseudo types (@​derrabus)
• bug #​43998 [HttpKernel] [HttpCache] Don't throw on 304 Not Modified (@​aleho)
• bug #​46981 [Mime]  quote address names if they contain parentheses (@​xabbuh)
• bug #​46960 [FrameworkBundle] Fail gracefully when forms use disabled CSRF (@​HeahDude)
• bug #​46973 [DependencyInjection] Fail gracefully when attempting to autowire composite types (@​derrabus)
• bug #​46963 [Mime] Fix inline parts when added via attachPart() (@​fabpot)
• bug #​46968 [PropertyInfo] Make sure nested composite types do not crash ReflectionExtractor (@​derrabus)
• bug #​46931 Flush backend output buffer after closing. (@​bradjones1)
• bug #​46905 [BrowserKit] fix sending request to paths containing multiple slashes (@​xabbuh)
• bug #​42033 [HttpFoundation] Fix deleteFileAfterSend on client abortion (@​nerg4l)
• bug #​46941 [Messenger] Fix calls to deprecated DBAL methods (@​derrabus)
• bug #​46863 [Mime] Fix invalid DKIM signature with multiple parts (@​BrokenSourceCode)
• bug #​46808 [HttpFoundation] Fix TypeError on null $_SESSION in NativeSessionStorage::save() (@​chalasr)
• bug #​46790 [HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters (@​BrokenSourceCode)
• bug #​46800 Spaces in system temp folder path cause deprecation errors in php 8 (@​demeritcowboy)
• bug #​46797 [Messenger] Ceil waiting time when multiplier is a float on retry (@​WissameMekhilef)

[PR]https://github.com/symfony/symfony/pull/471144

v4.4.43

Compare Source

Changelog (symfony/symfony@v4.4.42...v4.4.43)

• bug #​46765 [Serializer] Fix denormalization union types with constructor (@​Gwemox)
• bug #​46769 [HttpKernel] Fix a PHP 8.1 deprecation notice in HttpCache (@​mpdude)
• bug #​46747 Fix global state pollution between tests run with ApplicationTester (@​Seldaek)
• bug #​46730 [Intl] Fix the IntlDateFormatter::formatObject signature (@​damienalexandre)
• bug #​46668 [FrameworkBundle] Lower JsonSerializableNormalizer priority (@​aprat84)
• bug #​46678 [HttpFoundation] Update "[Session] Overwrite invalid session id" to only validate when files session storage is used (@​alexpott)
• bug #​45861 [Serializer] Try all possible denormalization route with union types when ALLOW_EXTRA_ATTRIBUTES=false (@​T-bond)
• bug #​46676 [DoctrineBridge] Extend type guessing on enum fields (@​Gigino Chianese)
• bug #​46699 [Cache] Respect $save option in all adapters (@​jrjohnson)
• bug #​46697 [HttpKernel] Disable session tracking while collecting profiler data (@​nicolas-grekas)
• bug #​46684 [MonologBridge] Fixed support of elasticsearch 7.+ in ElasticsearchLogstashHandler (@​lyrixx)
• bug #​46368 [Mailer] Fix for missing sender name in case with usage of the EnvelopeListener (@​bobahvas)
• bug #​46548 [Mime] Allow url as a path in the DataPart::fromPath (@​wkania)
• bug #​46594 [FrameworkBundle] Fix XML cache config (@​HeahDude)
• bug #​46595 [Console] Escape in command name & description from getDefaultName() (@​ogizanagi)
• bug #​46565 [WebProfilerBundle] Fix dark theme selected line highlight color & reuse css vars (@​ogizanagi)
• bug #​46535 [Mime] Check that the path is a file in the DataPart::fromPath (@​wkania)
• bug #​46543 [Cache] do not pass null to strlen() (@​xabbuh)
• bug #​46478 [Contracts] remove static cache from ServiceSubscriberTrait (@​kbond)

[PR]https://github.com/symfony/symfony/pull/467800

v4.4.42

Compare Source

Changelog (symfony/symfony@v4.4.41...v4.4.42)

• bug #​46448 [DependencyInjection] Fix "proxy" tag: resolve its parameters and pass it to child definitions (@​nicolas-grekas)
• bug #​46442 [FrameworkBundle] Revert "bug #​46125 Always add CacheCollectorPass (fancyweb)" (@​chalasr)
• bug #​46443 [DoctrineBridge] Don't reinit managers when they are proxied as ghost objects (@​nicolas-grekas)
• bug #​46427 [FrameworkBundle] fix wiring of annotations.cached_reader (@​nicolas-grekas)
• bug #​46434 [FrameworkBundle] Fix BC break in abstract config commands (@​yceruto)
• bug #​46424 [Form] do not accept array input when a form is not multiple (@​xabbuh)
• bug #​46367 [Mime] Throw exception when body in Email attach method is not ok (@​alamirault)
• bug #​46421 [VarDumper][VarExporter] Deal with DatePeriod->include_end_date on PHP 8.2 (@​nicolas-grekas)
• bug #​46401 [Cache] Throw when "redis_sentinel" is used with a non-Predis "class" option (@​buffcode)
• bug #​46414 Bootstrap 4 fieldset for row errors (@​konradkozaczenko)
• bug #​46412 [FrameworkBundle] Fix dumping extension config without bundle (@​yceruto)
• bug #​46407 [Filesystem] Safeguard (sym)link calls (@​derrabus)
• bug #​46098 [Form] Fix same choice loader with different choice values (@​HeahDude)
• bug #​46380 [HttpClient] Add missing HttpOptions::setMaxDuration() (@​nicolas-grekas)
• bug #​46249 [HttpFoundation] [Session] Regenerate invalid session id (@​peter17)
• bug #​46366 [Mime] Add null check for EmailHeaderSame (@​magikid)
• bug #​46364 [Config] Fix looking for single files in phars with GlobResource (@​nicolas-grekas)
• bug #​46365 [HttpKernel] Revert "bug #​46327 Allow ErrorHandler ^5.0 to be used" (@​nicolas-grekas)
• bug #​46114 Fixes "Incorrectly nested style tag found" error when using multi-line header content (@​Perturbatio)
• bug #​46325 [Ldap] Fix LDAP connection options (@​buffcode)
• bug #​46317 [Security/Http] Ignore invalid URLs found in failure/success paths (@​nicolas-grekas)
• bug #​46327 [HttpKernel] Allow ErrorHandler ^5.0 to be used in HttpKernel 4.4 (@​mpdude)
• bug #​46297 [Serializer] Fix JsonSerializableNormalizer ignores circular reference handler in $context (@​BreyndotEchse)
• bug #​45981 [Serializer][PropertyInfo] Fix support for "false" built-in type on PHP 8.2 (@​alexandre-daubois)
• bug #​46277 [HttpKernel] Fix SessionListener without session in request (@​edditor)
• bug #​46282 [DoctrineBridge] Treat firstResult === 0 like null (@​derrabus)
• bug #​46278 [Workflow] Fix deprecated syntax for interpolated strings (@​nicolas-grekas)
• bug #​46264 [Console] Better required argument check in InputArgument (@​jnoordsij)
• bug #​46262 [EventDispatcher] Fix removing listeners when using first-class callable syntax (@​javer)
• bug #​46216 [Form] fix populating single widget time view data with different timezones (@​xabbuh)
• bug #​46221 [DomCrawler][VarDumper] Fix html-encoding emojis (@​nicolas-grekas)
• bug #​46167 [VarExporter] Fix exporting DateTime objects on PHP 8.2 (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/464666

v4.4.41

Compare Source

Changelog (symfony/symfony@v4.4.40...v4.4.41)

• bug #​46154 [Mailer] Restore X-Transport after failure (@​zenas1210)
• bug #​46171 [VarDumper] Fix dumping floats on PHP8 (@​nicolas-grekas)
• bug #​46170 Fix dumping enums on PHP 8.2 (@​nicolas-grekas)
• bug #​46143 [Cache] Prevent fatal errors on php 8 when running concurrently with TagAwareAdapter v6.1 (@​sbelyshkin)
• bug #​46149 Modify processing of uploaded files to be compatible with PHP 8.1 (@​p-golovin)
• bug #​46125 [FrameworkBundle] Always add CacheCollectorPass (@​fancyweb)
• bug #​46121 Fix "Notice: Undefined index: headers" in messenger with Oracle (@​rjd22)
• bug #​45980 [Finder] Add support of no-capture regex modifier in MultiplePcreFilterIterator (available from PHP 8.2) (@​alexandre-daubois)
• bug #​46008 [Workflow] Catch error when trying to get an uninitialized marking (@​lyrixx)
• bug #​40998 [Form] Use reference date in reverse transform (@​KDederichs)
• bug #​46012 [HttpKernel] Fix Symfony not working on SMB share (@​qinshuze)
• bug #​45992 [Mailer] Return-Path has higher priority for envelope address than From address (@​tpetry)
• bug #​45998 [HttpClient] Fix sending content-length when streaming the body (@​nicolas-grekas)
• bug #​45565 Fix table header seperator wrapping (@​alamirault)
• bug #​45968 [Intl] Update the ICU data to 71.1 - 4.4 (@​jderusse)
• bug #​45947 [FrameworkBundle] [Command] Fix debug:router --no-interaction error … (@​WilliamBoulle)
• bug #​45931 [Process] Fix Process::getEnv() when setEnv() hasn't been called before (@​asika32764)
• bug #​45928 [ExpressionLanguage] Fix matching null against a regular expression (@​ausi)

[PR]https://github.com/symfony/symfony/pull/461922

v4.4.40

Compare Source

Changelog (symfony/symfony@v4.4.39...v4.4.40)

• bug #​45910 [Messenger] reset connection on worker shutdown (@​SanderHagen)
• bug #​45909 [Form][TwigBundle] reset Twig form theme resources between requests (@​xabbuh)
• bug #​45906 [HttpClient] on redirections don't send content related request headers (@​xabbuh)
• bug #​45714 [Messenger] Fix cannot select FOR UPDATE from view on Oracle (@​rjd22)
• bug #​45888 [Messenger] Add mysql indexes back and work around deadlocks using soft-delete (@​nicolas-grekas)
• bug #​45891 [HttpClient] Fix exporting objects with readonly properties (@​nicolas-grekas)
• bug #​45875 [ExpressionLanguage] Fix matches when the regexp is not valid (@​fabpot)
• bug #​45870 [Validator] Fix File constraint invalid max size exception message (@​fancyweb)
• bug #​45851 [Console] Fix exit status on uncaught exception with negative code (@​acoulton)
• bug #​45838 [Serializer] Fix denormalizing union types (@​T-bond)
• bug #​45816 [Mailer] Preserve case of headers (@​nicolas-grekas)
• bug #​45814 [HttpClient] Let curl handle Content-Length headers (@​nicolas-grekas)
• bug #​45813 [HttpClient] Move Content-Type after Content-Length (@​nicolas-grekas)
• bug #​45737 [Lock] SemaphoreStore catching exception from sem_get (@​Triplkrypl)
• bug #​45690 [Mailer] Use recipients in sendmail transport (@​HypeMC)
• bug #​45720 [PropertyInfo] strip only leading \ when unknown docType (@​EmilMassey)
• bug #​44915 [Console] Fix compact table style to avoid outputting a leading space (@​Seldaek)
• bug #​45676 [Process] Don't return executable directories in PhpExecutableFinder (@​fancyweb)
• bug #​45702 [Form] Fix the usage of the Valid constraints in array-based forms (@​stof)
• bug #​45677 [DependencyInjection] fix ServiceSubscriberTrait bug where parent has __call() (@​kbond)
• bug #​45678 [HttpClient] Fix reading proxy settings from dotenv when curl is used (@​nicolas-grekas)
• bug #​45671 [FrameworkBundle] Ensure container is reset between tests (@​nicolas-grekas)

[PR]https://github.com/symfony/symfony/pull/459144

v4.4.39

Compare Source

Changelog (symfony/symfony@v4.4.38...v4.4.39)

• bug #​45631 [HttpFoundation] Fix PHP 8.1 deprecation in Response::isNotModified (@​HypeMC)
• bug #​45610 [HttpKernel] Guard against bad profile data (@​nicolas-grekas)
• bug #​45532 Fix deprecations on PHP 8.2 (@​nicolas-grekas)
• bug #​45595 [FrameworkBundle] Fix resetting container between tests (@​nicolas-grekas)
• bug #​45585 [HttpClient] fix checking for unset property on PHP <= 7.1.4 (@​nicolas-grekas)
• bug #​45583 [WebProfilerBundle] Fixes HTML syntax regression introduced by #​44570 (@​xavismeh)

[PR]https://github.com/symfony/symfony/pull/456533

v4.4.38

Compare Source

Changelog (symfony/symfony@v4.4.37...v4.4.38)

• bug #​44570 [WebProfilerBundle] add nonces to profiler (@​garak)
• bug #​44839 MailerInterface: failed exception contract when enabling messenger (@​Giorgio Premi)
• bug #​45529 [DependencyInjection] Don't reset env placeholders during compilation (@​nicolas-grekas)
• bug #​45527 [HttpClient] Fix overriding default options with null (@​nicolas-grekas)
• bug #​45531 [Serializer] Fix passing null to str_contains() (@​Erwin Dirks)
• bug #​42458 [Validator][Tests] Fix AssertingContextualValidator not throwing on remaining expectations (@​fancyweb)
• bug #​45496 [VarDumper] Fix dumping mysqli_driver instances (@​nicolas-grekas)
• bug #​45495 [HttpFoundation] Fix missing ReturnTypeWillChange attributes (@​luxemate)
• bug #​45482 [Cache] Add missing log when saving namespace (@​developer-av)
• bug #​45479 [HttpKernel] Reset services between requests performed by KernelBrowser (@​nicolas-grekas)
• bug #​44650 [Serializer] Make document type nodes ignorable (@​boenner)
• bug #​45469 [SecurityBundle] fix autoconfiguring Monolog's ProcessorInterface (@​nicolas-grekas)
• bug #​45414 [FrameworkBundle] KernelTestCase resets internal state on tearDown (@​core23)
• bug #​45460 [Intl] fix wrong offset timezone PHP 8.1 (@​Lenny4)
• bug #​45462 [HttpKernel] Fix extracting controller name from closures (@​nicolas-grekas)
• bug #​45424 [DependencyInjection] Fix type binding (@​sveneld)
• bug #​44259 [Security] AccountStatusException::$user should be nullable (@​Cantepie)
• bug #​45323 [Serializer] Fix ignored callbacks in denormalization (@​benjaminmal)
• bug #​45399 [FrameworkBundle] Fix sorting bug in sorting of tagged services by priority (@​Ahummeling)
• bug #​45338 [Mailer] Fix string-cast of exceptions thrown by authenticator in EsmtpTransport (@​wikando-ck)
• bug #​45339 [Cache] fix error handling when using Redis (@​nicolas-grekas)
• bug #​45281 [Cache] Fix connecting to Redis via a socket file (@​alebedev80)
• bug #​45289 [FrameworkBundle] Fix log channel of TagAwareAdapter (@​fancyweb)
• bug #​45306 [PropertyAccessor] Add missing TypeError catch (@​b1rdex)
• bug #​44868 [DependencyInjection][FrameworkBundle] Fix using PHP 8.1 enum as parameters (@​ogizanagi)
• bug #​45261 [HttpClient] Fix Content-Length header when possible (@​nicolas-grekas)
• bug #​45258 [DependencyInjection] Don't dump polyfilled classes in preload script (@​nicolas-grekas)
• bug #​38534 [Serializer] make XmlEncoder stateless thus reentrant (@​connorhu)
• bug #​42253 [Form] Do not fix URL protocol for relati

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: docker run --rm --name=renovate_sidecar --label=renovate_child -v "/mnt/renovate/gh/Clivern/LWT":"/mnt/renovate/gh/Clivern/LWT" -v "/tmp/renovate-cache":"/tmp/renovate-cache" -v "/tmp/containerbase":"/tmp/containerbase" -e COMPOSER_CACHE_DIR -e COMPOSER_AUTH -e BUILDPACK_CACHE_DIR -e CONTAINERBASE_CACHE_DIR -w "/mnt/renovate/gh/Clivern/LWT" docker.io/containerbase/sidecar bash -l -c "install-tool php 8.2.3 && install-tool composer 1.10.26 && composer update symfony/symfony --with-dependencies --ignore-platform-reqs --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins"
Dependency "symfony/polyfill-apcu" is also a root requirement, but is not explicitly allowed. Ignoring.
Dependency "twig/twig" is also a root requirement, but is not explicitly allowed. Ignoring.
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Info from https://repo.packagist.org: �[37;44m#StandWith�[30;43mUkraine�[0m
Updating dependencies (including require-dev)