[Security] Bump symfony/http-foundation from 3.2.7 to 3.4.22

[dependabot-preview]

Bumps symfony/http-foundation from 3.2.7 to 3.4.22. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

CVE-2018-14773: Remove support for legacy and risky HTTP headers

Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.49; >=2.8.0, <2.8.44; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.18; >=3.4.0, <3.4.14; >=4.0.0, <4.0.14; >=4.1.0, <4.1.3

Sourced from The PHP Security Advisories Database.

CVE-2018-11386: Denial of service when using PDOSessionHandler

Affected versions: >=2.0.0, <2.7.48; >=2.1.0, <2.7.48; >=2.2.0, <2.7.48; >=2.3.0, <2.7.48; >=2.4.0, <2.7.48; >=2.5.0, <2.7.48; >=2.6.0, <2.7.48; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11386: Denial of service when using PDOSessionHandler

Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Changelog

Sourced from symfony/http-foundation's changelog.

CHANGELOG

4.3.0

• deprecated MimeTypeGuesserInterface and ExtensionGuesserInterface in favor of Symfony\Component\Mime\MimeTypesInterface.
• deprecated MimeType and MimeTypeExtensionGuesser in favor of Symfony\Component\Mime\MimeTypes.
• deprecated FileBinaryMimeTypeGuesser in favor of Symfony\Component\Mime\FileBinaryMimeTypeGuesser.
• deprecated FileinfoMimeTypeGuesser in favor of Symfony\Component\Mime\FileinfoMimeTypeGuesser.

4.2.0

• the default value of the "$secure" and "$samesite" arguments of Cookie's constructor
  will respectively change from "false" to "null" and from "null" to "lax" in Symfony
  5.0, you should define their values explicitly or use "Cookie::create()" instead.
• added matchPort() in RequestMatcher

4.1.3

• [BC BREAK] Support for the IIS-only X_ORIGINAL_URL and X_REWRITE_URL
  HTTP headers has been dropped for security reasons.

4.1.0

• Query string normalization uses parse_str() instead of custom parsing logic.
• Passing the file size to the constructor of the UploadedFile class is deprecated.
• The getClientSize() method of the UploadedFile class is deprecated. Use getSize() instead.
• added RedisSessionHandler to use Redis as a session storage
• The get() method of the AcceptHeader class now takes into account the
  * and */* default values (if they are present in the Accept HTTP header)
  when looking for items.
• deprecated Request::getSession() when no session has been set. Use Request::hasSession() instead.
• added CannotWriteFileException, ExtensionFileException, FormSizeFileException,
  IniSizeFileException, NoFileException, NoTmpDirFileException, PartialFileException to
  handle failed UploadedFile.
• added MigratingSessionHandler for migrating between two session handlers without losing sessions
• added HeaderUtils.

4.0.0

• the Request::setTrustedHeaderName() and Request::getTrustedHeaderName()
  methods have been removed
• the Request::HEADER_CLIENT_IP constant has been removed, use
  Request::HEADER_X_FORWARDED_FOR instead
• the Request::HEADER_CLIENT_HOST constant has been removed, use

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[coveralls]

Coverage decreased (-1.0%) to 55.738% when pulling 551558c on dependabot/composer/symfony/http-foundation-3.4.22 into c7796c5 on develop.

[dependabot-preview]

Superseded by #36.