N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Upgrade all Symfony components to last security fix (~6.4.0)
2026-04-24 19:18:44 +02:00 · 2025-08-06 08:54:56 +02:00
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
--- a/lib/symfony/dependency-injection/Attribute/AutoconfigureTag.php
+++ b/lib/symfony/dependency-injection/Attribute/AutoconfigureTag.php
@@ -19,7 +19,7 @@ namespace Symfony\Component\DependencyInjection\Attribute;
 #[\Attribute(\Attribute::TARGET_CLASS | \Attribute::IS_REPEATABLE)]
 class AutoconfigureTag extends Autoconfigure
 {
-    public function __construct(string $name = null, array $attributes = [])
+    public function __construct(?string $name = null, array $attributes = [])
    {
        parent::__construct(
            tags: [
--- a/lib/symfony/dependency-injection/Attribute/Autowire.php
+++ b/lib/symfony/dependency-injection/Attribute/Autowire.php
@@ -38,11 +38,11 @@ class Autowire
     * @param bool|class-string|class-string[]    $lazy       Whether to use lazy-loading for this argument
     */
    public function __construct(
-        string|array|ArgumentInterface $value = null,
-        string $service = null,
-        string $expression = null,
-        string $env = null,
-        string $param = null,
+        string|array|ArgumentInterface|null $value = null,
+        ?string $service = null,
+        ?string $expression = null,
+        ?string $env = null,
+        ?string $param = null,
        bool|string|array $lazy = false,
    ) {
        if ($this->lazy = \is_string($lazy) ? [$lazy] : $lazy) {
--- a/lib/symfony/dependency-injection/Attribute/AutowireCallable.php
+++ b/lib/symfony/dependency-injection/Attribute/AutowireCallable.php
@@ -25,9 +25,9 @@ class AutowireCallable extends Autowire
     * @param bool|class-string $lazy Whether to use lazy-loading for this argument
     */
    public function __construct(
-        string|array $callable = null,
-        string $service = null,
-        string $method = null,
+        string|array|null $callable = null,
+        ?string $service = null,
+        ?string $method = null,
        bool|string $lazy = false,
    ) {
        if (!(null !== $callable xor null !== $service)) {
@@ -42,7 +42,7 @@ class AutowireCallable extends Autowire

    public function buildDefinition(mixed $value, ?string $type, \ReflectionParameter $parameter): Definition
    {
-        return (new Definition($type = \is_string($this->lazy) ? $this->lazy : ($type ?: 'Closure')))
+        return (new Definition($type = \is_array($this->lazy) ? current($this->lazy) : ($type ?: 'Closure')))
            ->setFactory(['Closure', 'fromCallable'])
            ->setArguments([\is_array($value) ? $value + [1 => '__invoke'] : $value])
            ->setLazy($this->lazy || 'Closure' !== $type && 'callable' !== (string) $parameter->getType());
--- a/lib/symfony/dependency-injection/Attribute/AutowireIterator.php
+++ b/lib/symfony/dependency-injection/Attribute/AutowireIterator.php
@@ -24,9 +24,9 @@ class AutowireIterator extends Autowire
     */
    public function __construct(
        string $tag,
-        string $indexAttribute = null,
-        string $defaultIndexMethod = null,
-        string $defaultPriorityMethod = null,
+        ?string $indexAttribute = null,
+        ?string $defaultIndexMethod = null,
+        ?string $defaultPriorityMethod = null,
        string|array $exclude = [],
        bool $excludeSelf = true,
    ) {
--- a/lib/symfony/dependency-injection/Attribute/AutowireLocator.php
+++ b/lib/symfony/dependency-injection/Attribute/AutowireLocator.php
@@ -28,14 +28,14 @@ class AutowireLocator extends Autowire
    /**
     * @see ServiceSubscriberInterface::getSubscribedServices()
     *
-     * @param string|array<string|SubscribedService> $services An explicit list of services or a tag name
-     * @param string|string[]                        $exclude  A service or a list of services to exclude
+     * @param string|array<string|Autowire|SubscribedService> $services An explicit list of services or a tag name
+     * @param string|string[]                                 $exclude  A service or a list of services to exclude
     */
    public function __construct(
        string|array $services,
-        string $indexAttribute = null,
-        string $defaultIndexMethod = null,
-        string $defaultPriorityMethod = null,
+        ?string $indexAttribute = null,
+        ?string $defaultIndexMethod = null,
+        ?string $defaultPriorityMethod = null,
        string|array $exclude = [],
        bool $excludeSelf = true,
    ) {
--- a/lib/symfony/dependency-injection/Attribute/Target.php
+++ b/lib/symfony/dependency-injection/Attribute/Target.php
@@ -36,7 +36,7 @@ final class Target
        return lcfirst(str_replace(' ', '', ucwords(preg_replace('/[^a-zA-Z0-9\x7f-\xff]++/', ' ', $this->name))));
    }

-    public static function parseName(\ReflectionParameter $parameter, self &$attribute = null, string &$parsedName = null): string
+    public static function parseName(\ReflectionParameter $parameter, ?self &$attribute = null, ?string &$parsedName = null): string
    {
        $attribute = null;
        if (!$target = $parameter->getAttributes(self::class)[0] ?? null) {