razorpay / omnipay-razorpay

Razorpay plugin for Omnipay Payment Processing Library
MIT License

[Security] Bump symfony/http-foundation from 3.2.3 to 3.4.33 #19

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps symfony/http-foundation from 3.2.3 to 3.4.33. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml).*

> **CVE-2018-14773: Remove support for legacy and risky HTTP headers**
>
> Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.49; >=2.8.0, <2.8.44; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.18; >=3.4.0, <3.4.14; >=4.0.0, <4.0.14; >=4.1.0, <4.1.3

*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml).*

> **CVE-2018-11386: Denial of service when using PDOSessionHandler**
>
> Affected versions: >=2.0.0, <2.7.48; >=2.1.0, <2.7.48; >=2.2.0, <2.7.48; >=2.3.0, <2.7.48; >=2.4.0, <2.7.48; >=2.5.0, <2.7.48; >=2.6.0, <2.7.48; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml).*

> **CVE-2018-11386: Denial of service when using PDOSessionHandler**
>
> Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml).*

> **CVE-2019-10913: Reject invalid HTTP method overrides**
>
> Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7
Changelog

*Sourced from [symfony/http-foundation's changelog](https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md).*

> CHANGELOG
> =========
>
> 5.0.0
> -----
>
> * made `Cookie` auto-secure and lax by default
> * removed classes in the `MimeType` namespace, use the Symfony Mime component instead
> * removed method `UploadedFile::getClientSize()` and the related constructor argument
> * made `Request::getSession()` throw if the session has not been set before
> * removed `Response::HTTP_RESERVED_FOR_WEBDAV_ADVANCED_COLLECTIONS_EXPIRED_PROPOSAL`
> * passing a null url when instantiating a `RedirectResponse` is not allowed
>
> 4.4.0
> -----
>
> * passing arguments to `Request::isMethodSafe()` is deprecated.
> * `ApacheRequest` is deprecated, use the `Request` class instead.
> * passing a third argument to `HeaderBag::get()` is deprecated, use method `all()` instead
> * `PdoSessionHandler` now precalculates the expiry timestamp in the lifetime column,
>   make sure to run `CREATE INDEX EXPIRY ON sessions (sess_lifetime)` to update your database
>   to speed up garbage collection of expired sessions.
> * added `SessionHandlerFactory` to create session handlers with a DSN
>
> 4.3.0
> -----
>
> * added PHPUnit constraints: `RequestAttributeValueSame`, `ResponseCookieValueSame`, `ResponseHasCookie`,
>   `ResponseHasHeader`, `ResponseHeaderSame`, `ResponseIsRedirected`, `ResponseIsSuccessful`, and `ResponseStatusCodeSame`
> * deprecated `MimeTypeGuesserInterface` and `ExtensionGuesserInterface` in favor of `Symfony\Component\Mime\MimeTypesInterface`.
> * deprecated `MimeType` and `MimeTypeExtensionGuesser` in favor of `Symfony\Component\Mime\MimeTypes`.
> * deprecated `FileBinaryMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileBinaryMimeTypeGuesser`.
> * deprecated `FileinfoMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileinfoMimeTypeGuesser`.
> * added `UrlHelper` that allows to get an absolute URL and a relative path for a given path
>
> 4.2.0
> -----
>
> * the default value of the "$secure" and "$samesite" arguments of Cookie's constructor
>   will respectively change from "false" to "null" and from "null" to "lax" in Symfony
>   5.0, you should define their values explicitly or use "Cookie::create()" instead.
> * added `matchPort()` in RequestMatcher
>
> 4.1.3
> -----
>
> * [BC BREAK] Support for the IIS-only `X_ORIGINAL_URL` and `X_REWRITE_URL`
>   HTTP headers has been dropped for security reasons.
>
> 4.1.0
> ... (truncated)
Commits

- [`7b4626a`](https://github.com/symfony/http-foundation/commit/7b4626ab40d8562707e6d1c9a6fab977a86c2037) Remove unused local variables in tests
- [`4db558c`](https://github.com/symfony/http-foundation/commit/4db558c7c6777aac02293efbfe7c7c5d4c1385c3) Add plus character `+` to legal mime subtype
- [`233f40c`](https://github.com/symfony/http-foundation/commit/233f40cbebd595ffd91ddf291355f8a930a13777) [HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array
- [`35ffbbf`](https://github.com/symfony/http-foundation/commit/35ffbbfa73e46e28a9433692cd6c404de70e6c4c) [HttpFoundation] allow additional characters in not raw cookies
- [`ec2a74a`](https://github.com/symfony/http-foundation/commit/ec2a74a7c858640acaebd11a9ebc2a8f6662f7aa) Call AssertEquals with proper parameters
- [`089da40`](https://github.com/symfony/http-foundation/commit/089da40dfa1e5f0a89f29619a1337a64d88e08f9) Return null as Expire header if it was set to null
- [`b3d57a1`](https://github.com/symfony/http-foundation/commit/b3d57a1c325f39f703b249bed7998ce8c64236b4) [HttpFoundation] fix return type declarations
- [`9781d8d`](https://github.com/symfony/http-foundation/commit/9781d8d29ee7279f53720f7c0281e6fb442e96e4) Fix inconsistent return points.
- [`dacdad8`](https://github.com/symfony/http-foundation/commit/dacdad8436eab21a518d041dd954813b634ae932) Remove superfluous phpdoc tags
- [`adc2687`](https://github.com/symfony/http-foundation/commit/adc268778aab47e1465fd7ebf90ecfdd9ca6080c) Fix getMaxFilesize() returning zero
- Additional commits viewable in [compare view](https://github.com/symfony/http-foundation/compare/v3.2.3...v3.4.33)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 4 years ago

Superseded by #20.