Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml).*
> **CVE-2019-10913: Reject invalid HTTP method overrides**
>
> Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7
Changelog
*Sourced from [symfony/http-foundation's changelog](https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md).*
> CHANGELOG
> =========
>
> 4.4.0
> -----
>
> * passing arguments to `Request::isMethodSafe()` is deprecated.
>
> 4.3.0
> -----
>
> * added PHPUnit constraints: `RequestAttributeValueSame`, `ResponseCookieValueSame`, `ResponseHasCookie`,
> `ResponseHasHeader`, `ResponseHeaderSame`, `ResponseIsRedirected`, `ResponseIsSuccessful`, and `ResponseStatusCodeSame`
> * deprecated `MimeTypeGuesserInterface` and `ExtensionGuesserInterface` in favor of `Symfony\Component\Mime\MimeTypesInterface`.
> * deprecated `MimeType` and `MimeTypeExtensionGuesser` in favor of `Symfony\Component\Mime\MimeTypes`.
> * deprecated `FileBinaryMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileBinaryMimeTypeGuesser`.
> * deprecated `FileinfoMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileinfoMimeTypeGuesser`.
> * added `UrlHelper` that allows to get an absolute URL and a relative path for a given path
>
> 4.2.0
> -----
>
> * the default value of the "$secure" and "$samesite" arguments of Cookie's constructor
> will respectively change from "false" to "null" and from "null" to "lax" in Symfony
> 5.0, you should define their values explicitly or use "Cookie::create()" instead.
> * added `matchPort()` in RequestMatcher
>
> 4.1.3
> -----
>
> * [BC BREAK] Support for the IIS-only `X_ORIGINAL_URL` and `X_REWRITE_URL`
> HTTP headers has been dropped for security reasons.
>
> 4.1.0
> -----
>
> * Query string normalization uses `parse_str()` instead of custom parsing logic.
> * Passing the file size to the constructor of the `UploadedFile` class is deprecated.
> * The `getClientSize()` method of the `UploadedFile` class is deprecated. Use `getSize()` instead.
> * added `RedisSessionHandler` to use Redis as a session storage
> * The `get()` method of the `AcceptHeader` class now takes into account the
> `*` and `*/*` default values (if they are present in the Accept HTTP header)
> when looking for items.
> * deprecated `Request::getSession()` when no session has been set. Use `Request::hasSession()` instead.
> * added `CannotWriteFileException`, `ExtensionFileException`, `FormSizeFileException`,
> `IniSizeFileException`, `NoFileException`, `NoTmpDirFileException`, `PartialFileException` to
> handle failed `UploadedFile`.
> * added `MigratingSessionHandler` for migrating between two session handlers without losing sessions
> * added `HeaderUtils`.
>
> ... (truncated)
Commits
- [`b7e4945`](https://github.com/symfony/http-foundation/commit/b7e4945dd9b277cd24e93566e4da0a87956392a9) Merge branch '4.2' into 4.3
- [`11d60d1`](https://github.com/symfony/http-foundation/commit/11d60d14951a513f033c0147fd1efd4979a9b697) Merge branch '3.4' into 4.2
- [`2b2b487`](https://github.com/symfony/http-foundation/commit/2b2b48731c5e8f7f09548408998659ee7e462fa3) Merge branch '4.2' into 4.3
- [`de037fc`](https://github.com/symfony/http-foundation/commit/de037fca6e2702acccb4b261e35c06ff41d39ad1) bug [#31863](https://github-redirect.dependabot.com/symfony/http-foundation/issues/31863) [HttpFoundation] Fixed case-sensitive handling of cache-control he...
- [`ce68600`](https://github.com/symfony/http-foundation/commit/ce686007be36ce997878794ca4e426a9e71680ca) Merge branch '3.4' into 4.2
- [`7c77e01`](https://github.com/symfony/http-foundation/commit/7c77e0198afaf32de3d1ca69daeef578548472ab) Fix json-encoding when JSON_THROW_ON_ERROR is used
- [`66e146e`](https://github.com/symfony/http-foundation/commit/66e146ea791cd8689c1f7a55e2f6d4ea1f00b6f2) [HttpFoundation] Fixed case-sensitive handling of cache-control header in Red...
- [`ac4ad2b`](https://github.com/symfony/http-foundation/commit/ac4ad2bc93ca529b17a0305913e311d99c75f695) [HttpFoundation] work around PHP 7.3 bug related to json_encode()
- [`39030b0`](https://github.com/symfony/http-foundation/commit/39030b0b02c72072082a573e24dbb5fb05a7e0f9) Merge branch '4.2' into 4.3
- [`07fb7c6`](https://github.com/symfony/http-foundation/commit/07fb7c6f8b81a3e4c0330f6ffd6228bfbd8c81c6) Merge branch '3.4' into 4.2
- Additional commits viewable in [compare view](https://github.com/symfony/http-foundation/compare/v4.2.5...v4.3.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Bumps symfony/http-foundation from 4.2.5 to 4.3.1. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml).* > **CVE-2019-10913: Reject invalid HTTP method overrides** > > Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7Changelog
*Sourced from [symfony/http-foundation's changelog](https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md).* > CHANGELOG > ========= > > 4.4.0 > ----- > > * passing arguments to `Request::isMethodSafe()` is deprecated. > > 4.3.0 > ----- > > * added PHPUnit constraints: `RequestAttributeValueSame`, `ResponseCookieValueSame`, `ResponseHasCookie`, > `ResponseHasHeader`, `ResponseHeaderSame`, `ResponseIsRedirected`, `ResponseIsSuccessful`, and `ResponseStatusCodeSame` > * deprecated `MimeTypeGuesserInterface` and `ExtensionGuesserInterface` in favor of `Symfony\Component\Mime\MimeTypesInterface`. > * deprecated `MimeType` and `MimeTypeExtensionGuesser` in favor of `Symfony\Component\Mime\MimeTypes`. > * deprecated `FileBinaryMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileBinaryMimeTypeGuesser`. > * deprecated `FileinfoMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileinfoMimeTypeGuesser`. > * added `UrlHelper` that allows to get an absolute URL and a relative path for a given path > > 4.2.0 > ----- > > * the default value of the "$secure" and "$samesite" arguments of Cookie's constructor > will respectively change from "false" to "null" and from "null" to "lax" in Symfony > 5.0, you should define their values explicitly or use "Cookie::create()" instead. > * added `matchPort()` in RequestMatcher > > 4.1.3 > ----- > > * [BC BREAK] Support for the IIS-only `X_ORIGINAL_URL` and `X_REWRITE_URL` > HTTP headers has been dropped for security reasons. > > 4.1.0 > ----- > > * Query string normalization uses `parse_str()` instead of custom parsing logic. > * Passing the file size to the constructor of the `UploadedFile` class is deprecated. > * The `getClientSize()` method of the `UploadedFile` class is deprecated. Use `getSize()` instead. > * added `RedisSessionHandler` to use Redis as a session storage > * The `get()` method of the `AcceptHeader` class now takes into account the > `*` and `*/*` default values (if they are present in the Accept HTTP header) > when looking for items. > * deprecated `Request::getSession()` when no session has been set. Use `Request::hasSession()` instead. > * added `CannotWriteFileException`, `ExtensionFileException`, `FormSizeFileException`, > `IniSizeFileException`, `NoFileException`, `NoTmpDirFileException`, `PartialFileException` to > handle failed `UploadedFile`. > * added `MigratingSessionHandler` for migrating between two session handlers without losing sessions > * added `HeaderUtils`. > > ... (truncated)Commits
- [`b7e4945`](https://github.com/symfony/http-foundation/commit/b7e4945dd9b277cd24e93566e4da0a87956392a9) Merge branch '4.2' into 4.3 - [`11d60d1`](https://github.com/symfony/http-foundation/commit/11d60d14951a513f033c0147fd1efd4979a9b697) Merge branch '3.4' into 4.2 - [`2b2b487`](https://github.com/symfony/http-foundation/commit/2b2b48731c5e8f7f09548408998659ee7e462fa3) Merge branch '4.2' into 4.3 - [`de037fc`](https://github.com/symfony/http-foundation/commit/de037fca6e2702acccb4b261e35c06ff41d39ad1) bug [#31863](https://github-redirect.dependabot.com/symfony/http-foundation/issues/31863) [HttpFoundation] Fixed case-sensitive handling of cache-control he... - [`ce68600`](https://github.com/symfony/http-foundation/commit/ce686007be36ce997878794ca4e426a9e71680ca) Merge branch '3.4' into 4.2 - [`7c77e01`](https://github.com/symfony/http-foundation/commit/7c77e0198afaf32de3d1ca69daeef578548472ab) Fix json-encoding when JSON_THROW_ON_ERROR is used - [`66e146e`](https://github.com/symfony/http-foundation/commit/66e146ea791cd8689c1f7a55e2f6d4ea1f00b6f2) [HttpFoundation] Fixed case-sensitive handling of cache-control header in Red... - [`ac4ad2b`](https://github.com/symfony/http-foundation/commit/ac4ad2bc93ca529b17a0305913e311d99c75f695) [HttpFoundation] work around PHP 7.3 bug related to json_encode() - [`39030b0`](https://github.com/symfony/http-foundation/commit/39030b0b02c72072082a573e24dbb5fb05a7e0f9) Merge branch '4.2' into 4.3 - [`07fb7c6`](https://github.com/symfony/http-foundation/commit/07fb7c6f8b81a3e4c0330f6ffd6228bfbd8c81c6) Merge branch '3.4' into 4.2 - Additional commits viewable in [compare view](https://github.com/symfony/http-foundation/compare/v4.2.5...v4.3.1)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.