Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml).*
> **CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser**
>
> Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.8.0; >=2.8.0, <2.8.52; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.35; >=4.0.0, <4.1.0; >=4.1.0, <4.2.0; >=4.2.0, <4.2.12; >=4.3.0, <4.3.8
Changelog
*Sourced from [symfony/http-foundation's changelog](https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md).*
> CHANGELOG
> =========
>
> 5.0.0
> -----
>
> * made `Cookie` auto-secure and lax by default
> * removed classes in the `MimeType` namespace, use the Symfony Mime component instead
> * removed method `UploadedFile::getClientSize()` and the related constructor argument
> * made `Request::getSession()` throw if the session has not been set before
> * removed `Response::HTTP_RESERVED_FOR_WEBDAV_ADVANCED_COLLECTIONS_EXPIRED_PROPOSAL`
> * passing a null url when instantiating a `RedirectResponse` is not allowed
>
> 4.4.0
> -----
>
> * passing arguments to `Request::isMethodSafe()` is deprecated.
> * `ApacheRequest` is deprecated, use the `Request` class instead.
> * passing a third argument to `HeaderBag::get()` is deprecated, use method `all()` instead
> * [BC BREAK] `PdoSessionHandler` with MySQL changed the type of the lifetime column,
> make sure to run `ALTER TABLE sessions MODIFY sess_lifetime INTEGER UNSIGNED NOT NULL` to
> update your database.
> * `PdoSessionHandler` now precalculates the expiry timestamp in the lifetime column,
> make sure to run `CREATE INDEX EXPIRY ON sessions (sess_lifetime)` to update your database
> to speed up garbage collection of expired sessions.
> * added `SessionHandlerFactory` to create session handlers with a DSN
> * added `IpUtils::anonymize()` to help with GDPR compliance.
>
> 4.3.0
> -----
>
> * added PHPUnit constraints: `RequestAttributeValueSame`, `ResponseCookieValueSame`, `ResponseHasCookie`,
> `ResponseHasHeader`, `ResponseHeaderSame`, `ResponseIsRedirected`, `ResponseIsSuccessful`, and `ResponseStatusCodeSame`
> * deprecated `MimeTypeGuesserInterface` and `ExtensionGuesserInterface` in favor of `Symfony\Component\Mime\MimeTypesInterface`.
> * deprecated `MimeType` and `MimeTypeExtensionGuesser` in favor of `Symfony\Component\Mime\MimeTypes`.
> * deprecated `FileBinaryMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileBinaryMimeTypeGuesser`.
> * deprecated `FileinfoMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileinfoMimeTypeGuesser`.
> * added `UrlHelper` that allows to get an absolute URL and a relative path for a given path
>
> 4.2.0
> -----
>
> * the default value of the "$secure" and "$samesite" arguments of Cookie's constructor
> will respectively change from "false" to "null" and from "null" to "lax" in Symfony
> 5.0, you should define their values explicitly or use "Cookie::create()" instead.
> * added `matchPort()` in RequestMatcher
>
> 4.1.3
> -----
>
> ... (truncated)
Commits
- [`8bccc59`](https://github.com/symfony/http-foundation/commit/8bccc59e61b41963d14c3dbdb23181e5c932a1d5) Merge branch '4.3' into 4.4
- [`fcafc7c`](https://github.com/symfony/http-foundation/commit/fcafc7c53784919e4bbcb6d5df73cabbb5c39e76) Merge branch '3.4' into 4.3
- [`d2d0cfe`](https://github.com/symfony/http-foundation/commit/d2d0cfe8e319d9df44c4cca570710fcf221d4593) [HttpFoundation] Fixed typo
- [`cc09809`](https://github.com/symfony/http-foundation/commit/cc09809aa4182d5d062cde2c5836c5281f4e96eb) [HttpFoundation] Update CHANGELOG for PdoSessionHandler BC BREAK in 4.4
- [`c2480b7`](https://github.com/symfony/http-foundation/commit/c2480b72a0bbf21cb04cd2ea6ef21b9d6b533a45) Merge branch '3.4' into 4.3
- [`f7efd0b`](https://github.com/symfony/http-foundation/commit/f7efd0b387b7bdbfe0fd1e38fe6b7d4a812b4e39) Simpler example for Apache basic auth workaround
- [`502040d`](https://github.com/symfony/http-foundation/commit/502040dd2b0cf0a292defeb6145f4d7a4753c99c) Merge branch '4.3' into 4.4
- [`0ac9ebf`](https://github.com/symfony/http-foundation/commit/0ac9ebffc17cbff398157c03f2d48b8b59e922da) Merge branch '3.4' into 4.3
- [`a558b18`](https://github.com/symfony/http-foundation/commit/a558b18bafae7c8fdd1d23c4bdc3690210f2f9a6) feature [#34405](https://github-redirect.dependabot.com/symfony/http-foundation/issues/34405) [HttpFoundation] Added possibility to configure expiration tim...
- [`0c5217a`](https://github.com/symfony/http-foundation/commit/0c5217a9050712a1e66f851d04962abf8f2c6fc4) [HttpFoundation] Added possibility to configure expiration time in redis sess...
- Additional commits viewable in [compare view](https://github.com/symfony/http-foundation/compare/v4.3.3...v4.4.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps symfony/http-foundation from 4.3.3 to 4.4.1. This update includes a security fix.
Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml).* > **CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser** > > Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.8.0; >=2.8.0, <2.8.52; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.35; >=4.0.0, <4.1.0; >=4.1.0, <4.2.0; >=4.2.0, <4.2.12; >=4.3.0, <4.3.8Changelog
*Sourced from [symfony/http-foundation's changelog](https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md).* > CHANGELOG > ========= > > 5.0.0 > ----- > > * made `Cookie` auto-secure and lax by default > * removed classes in the `MimeType` namespace, use the Symfony Mime component instead > * removed method `UploadedFile::getClientSize()` and the related constructor argument > * made `Request::getSession()` throw if the session has not been set before > * removed `Response::HTTP_RESERVED_FOR_WEBDAV_ADVANCED_COLLECTIONS_EXPIRED_PROPOSAL` > * passing a null url when instantiating a `RedirectResponse` is not allowed > > 4.4.0 > ----- > > * passing arguments to `Request::isMethodSafe()` is deprecated. > * `ApacheRequest` is deprecated, use the `Request` class instead. > * passing a third argument to `HeaderBag::get()` is deprecated, use method `all()` instead > * [BC BREAK] `PdoSessionHandler` with MySQL changed the type of the lifetime column, > make sure to run `ALTER TABLE sessions MODIFY sess_lifetime INTEGER UNSIGNED NOT NULL` to > update your database. > * `PdoSessionHandler` now precalculates the expiry timestamp in the lifetime column, > make sure to run `CREATE INDEX EXPIRY ON sessions (sess_lifetime)` to update your database > to speed up garbage collection of expired sessions. > * added `SessionHandlerFactory` to create session handlers with a DSN > * added `IpUtils::anonymize()` to help with GDPR compliance. > > 4.3.0 > ----- > > * added PHPUnit constraints: `RequestAttributeValueSame`, `ResponseCookieValueSame`, `ResponseHasCookie`, > `ResponseHasHeader`, `ResponseHeaderSame`, `ResponseIsRedirected`, `ResponseIsSuccessful`, and `ResponseStatusCodeSame` > * deprecated `MimeTypeGuesserInterface` and `ExtensionGuesserInterface` in favor of `Symfony\Component\Mime\MimeTypesInterface`. > * deprecated `MimeType` and `MimeTypeExtensionGuesser` in favor of `Symfony\Component\Mime\MimeTypes`. > * deprecated `FileBinaryMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileBinaryMimeTypeGuesser`. > * deprecated `FileinfoMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileinfoMimeTypeGuesser`. > * added `UrlHelper` that allows to get an absolute URL and a relative path for a given path > > 4.2.0 > ----- > > * the default value of the "$secure" and "$samesite" arguments of Cookie's constructor > will respectively change from "false" to "null" and from "null" to "lax" in Symfony > 5.0, you should define their values explicitly or use "Cookie::create()" instead. > * added `matchPort()` in RequestMatcher > > 4.1.3 > ----- > > ... (truncated)Commits
- [`8bccc59`](https://github.com/symfony/http-foundation/commit/8bccc59e61b41963d14c3dbdb23181e5c932a1d5) Merge branch '4.3' into 4.4 - [`fcafc7c`](https://github.com/symfony/http-foundation/commit/fcafc7c53784919e4bbcb6d5df73cabbb5c39e76) Merge branch '3.4' into 4.3 - [`d2d0cfe`](https://github.com/symfony/http-foundation/commit/d2d0cfe8e319d9df44c4cca570710fcf221d4593) [HttpFoundation] Fixed typo - [`cc09809`](https://github.com/symfony/http-foundation/commit/cc09809aa4182d5d062cde2c5836c5281f4e96eb) [HttpFoundation] Update CHANGELOG for PdoSessionHandler BC BREAK in 4.4 - [`c2480b7`](https://github.com/symfony/http-foundation/commit/c2480b72a0bbf21cb04cd2ea6ef21b9d6b533a45) Merge branch '3.4' into 4.3 - [`f7efd0b`](https://github.com/symfony/http-foundation/commit/f7efd0b387b7bdbfe0fd1e38fe6b7d4a812b4e39) Simpler example for Apache basic auth workaround - [`502040d`](https://github.com/symfony/http-foundation/commit/502040dd2b0cf0a292defeb6145f4d7a4753c99c) Merge branch '4.3' into 4.4 - [`0ac9ebf`](https://github.com/symfony/http-foundation/commit/0ac9ebffc17cbff398157c03f2d48b8b59e922da) Merge branch '3.4' into 4.3 - [`a558b18`](https://github.com/symfony/http-foundation/commit/a558b18bafae7c8fdd1d23c4bdc3690210f2f9a6) feature [#34405](https://github-redirect.dependabot.com/symfony/http-foundation/issues/34405) [HttpFoundation] Added possibility to configure expiration tim... - [`0c5217a`](https://github.com/symfony/http-foundation/commit/0c5217a9050712a1e66f851d04962abf8f2c6fc4) [HttpFoundation] Added possibility to configure expiration time in redis sess... - Additional commits viewable in [compare view](https://github.com/symfony/http-foundation/compare/v4.3.3...v4.4.1)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)