Vulnerabilities fixed
*Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml).*
> **CVE-2018-14773: Remove support for legacy and risky HTTP headers**
>
> Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.49; >=2.8.0, <2.8.44; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.18; >=3.4.0, <3.4.14; >=4.0.0, <4.0.14; >=4.1.0, <4.1.3
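As an added defender-side check (not part of this PR or of the Symfony project): the affected-version ranges quoted from the advisory above, evaluated against the version pinned for `symfony/http-foundation` in a `composer.lock`. The lock-file fragment is constructed for the example; each `;`-separated segment of the advisory string is treated as one version interval.

```python
import json
import re

# Affected-version ranges exactly as published in the CVE-2018-14773 advisory quoted above.
AFFECTED = (
    ">=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; "
    ">=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.49; "
    ">=2.8.0, <2.8.44; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; "
    ">=3.3.0, <3.3.18; >=3.4.0, <3.4.14; >=4.0.0, <4.0.14; >=4.1.0, <4.1.3"
)

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Turn 'v4.1.2' or '4.1.2' into a comparable tuple of ints; suffixes such as '-RC1' are dropped."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not core:
        raise ValueError("unparseable version: %r" % text)
    parts = [int(p) for p in core.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, constraint_set):
    """True if `version` satisfies every comma-separated constraint of one advisory segment."""
    for constraint in constraint_set.split(","):
        op, bound = re.match(r"\s*(>=|<=|>|<|=)\s*(\S+)", constraint).groups()
        if not _OPS[op](version, parse_version(bound)):
            return False
    return True

def is_affected(version_text, ranges=AFFECTED):
    version = parse_version(version_text)
    return any(in_range(version, segment) for segment in ranges.split(";"))

def audit_lock(lock_json, package="symfony/http-foundation", ranges=AFFECTED):
    """Return (locked version, affected?) for `package`, or (None, False) if it is not locked."""
    for section in ("packages", "packages-dev"):
        for pkg in json.loads(lock_json).get(section, []):
            if pkg.get("name") == package:
                return pkg["version"], is_affected(pkg["version"], ranges)
    return None, False

# Constructed composer.lock fragment (not from any real project) pinning the pre-fix version.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "symfony/http-foundation", "version": "v4.1.2"}]})
```

Run `audit_lock(open("composer.lock").read())` against a real lock file to get the same verdict for your own tree.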
Changelog
*Sourced from [symfony/http-foundation's changelog](https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md).*
> 4.1.3
> -----
>
> * [BC BREAK] Support for the IIS-only `X_ORIGINAL_URL` and `X_REWRITE_URL`
> HTTP headers has been dropped for security reasons.
>
> 4.1.0
> -----
>
> * Query string normalization uses `parse_str()` instead of custom parsing logic.
> * Passing the file size to the constructor of the `UploadedFile` class is deprecated.
> * The `getClientSize()` method of the `UploadedFile` class is deprecated. Use `getSize()` instead.
> * added `RedisSessionHandler` to use Redis as a session storage
> * The `get()` method of the `AcceptHeader` class now takes into account the
> `*` and `*/*` default values (if they are present in the Accept HTTP header)
> when looking for items.
> * deprecated `Request::getSession()` when no session has been set. Use `Request::hasSession()` instead.
> * added `CannotWriteFileException`, `ExtensionFileException`, `FormSizeFileException`,
> `IniSizeFileException`, `NoFileException`, `NoTmpDirFileException`, `PartialFileException` to
> handle failed `UploadedFile`.
> * added `MigratingSessionHandler` for migrating between two session handlers without losing sessions
> * added `HeaderUtils`.
>
> 4.0.0
> -----
>
> * the `Request::setTrustedHeaderName()` and `Request::getTrustedHeaderName()`
> methods have been removed
> * the `Request::HEADER_CLIENT_IP` constant has been removed, use
> `Request::HEADER_X_FORWARDED_FOR` instead
> * the `Request::HEADER_CLIENT_HOST` constant has been removed, use
> `Request::HEADER_X_FORWARDED_HOST` instead
> * the `Request::HEADER_CLIENT_PROTO` constant has been removed, use
> `Request::HEADER_X_FORWARDED_PROTO` instead
> * the `Request::HEADER_CLIENT_PORT` constant has been removed, use
> `Request::HEADER_X_FORWARDED_PORT` instead
> * checking for cacheable HTTP methods using the `Request::isMethodSafe()`
> method (by not passing `false` as its argument) is not supported anymore and
> throws a `\BadMethodCallException`
> * the `WriteCheckSessionHandler`, `NativeSessionHandler` and `NativeProxy` classes have been removed
> * setting session save handlers that do not implement `\SessionHandlerInterface` in
> `NativeSessionStorage::setSaveHandler()` is not supported anymore and throws a
> `\TypeError`
>
> 3.4.0
> -----
>
> * implemented PHP 7.0's `SessionUpdateTimestampHandlerInterface` with a new
> `AbstractSessionHandler` base class and a new `StrictSessionHandler` wrapper
> * deprecated the `WriteCheckSessionHandler`, `NativeSessionHandler` and `NativeProxy` classes
> ... (truncated)
Commits
- [`7d93e35`](https://github.com/symfony/http-foundation/commit/7d93e3547660ec7ee3dad1428ba42e8076a0e5f1) Merge branch '4.0' into 4.1
- [`7dc9f88`](https://github.com/symfony/http-foundation/commit/7dc9f886f01ab825fd23176799ab9459e104a125) Merge branch '3.4' into 4.0
- [`19a3267`](https://github.com/symfony/http-foundation/commit/19a3267828046a2a4a05e3dc2954bbd2e0ad9fa6) Merge branch '2.8' into 3.4
- [`10f660d`](https://github.com/symfony/http-foundation/commit/10f660d43087b2198c3789bebbd587d20ec6e956) [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRe...
- [`5f10119`](https://github.com/symfony/http-foundation/commit/5f101190871649304cd02bf648bad2935a580a4d) Merge branch '4.0' into 4.1
- [`e5a8475`](https://github.com/symfony/http-foundation/commit/e5a8475f061b9e81987105a90c28f1b03b1df286) Merge branch '3.4' into 4.0
- [`b00b9ce`](https://github.com/symfony/http-foundation/commit/b00b9ce9f27153136f288c8ced3f2f6c23eb0a02) Merge branch '2.8' into 3.4
- [`5034dad`](https://github.com/symfony/http-foundation/commit/5034dad837fee21b96b88e765e5df73181e1fc3e) security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky...
- [`da12951`](https://github.com/symfony/http-foundation/commit/da1295109ce0a5f6b7f2506da8aabd5e4a92e426) Merge branch '4.0' into 4.1
- [`e0e05e9`](https://github.com/symfony/http-foundation/commit/e0e05e93b9a5e775746cd96f10d86ef6240efec7) Merge branch '3.4' into 4.0
- Additional commits viewable in [compare view](https://github.com/symfony/http-foundation/compare/v4.1.2...v4.1.3)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
If all status checks pass Dependabot will automatically merge this pull request.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Bumps symfony/http-foundation from 4.1.2 to 4.1.3. This update includes security fixes.