N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Upgrade all Symfony components to last security fix (~6.4.0)
2026-04-24 11:08:45 +02:00 · 2025-08-06 08:54:56 +02:00
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
--- a/lib/symfony/dependency-injection/Compiler/ValidateEnvPlaceholdersPass.php
+++ b/lib/symfony/dependency-injection/Compiler/ValidateEnvPlaceholdersPass.php
@@ -49,17 +49,8 @@ class ValidateEnvPlaceholdersPass implements CompilerPassInterface
        $defaultBag = new ParameterBag($resolvingBag->all());
        $envTypes = $resolvingBag->getProvidedTypes();
        foreach ($resolvingBag->getEnvPlaceholders() + $resolvingBag->getUnusedEnvPlaceholders() as $env => $placeholders) {
-            $values = [];
-            if (false === $i = strpos($env, ':')) {
-                $default = $defaultBag->has("env($env)") ? $defaultBag->get("env($env)") : self::TYPE_FIXTURES['string'];
-                $defaultType = null !== $default ? get_debug_type($default) : 'string';
-                $values[$defaultType] = $default;
-            } else {
-                $prefix = substr($env, 0, $i);
-                foreach ($envTypes[$prefix] ?? ['string'] as $type) {
-                    $values[$type] = self::TYPE_FIXTURES[$type] ?? null;
-                }
-            }
+            $values = $this->getPlaceholderValues($env, $defaultBag, $envTypes);
+
            foreach ($placeholders as $placeholder) {
                BaseNode::setPlaceholder($placeholder, $values);
            }
@@ -100,4 +91,50 @@ class ValidateEnvPlaceholdersPass implements CompilerPassInterface
            $this->extensionConfig = [];
        }
    }
+
+    /**
+     * @param array<string, list<string>> $envTypes
+     *
+     * @return array<string, mixed>
+     */
+    private function getPlaceholderValues(string $env, ParameterBag $defaultBag, array $envTypes): array
+    {
+        if (false === $i = strpos($env, ':')) {
+            [$default, $defaultType] = $this->getParameterDefaultAndDefaultType("env($env)", $defaultBag);
+
+            return [$defaultType => $default];
+        }
+
+        $prefix = substr($env, 0, $i);
+        if ('default' === $prefix) {
+            $parts = explode(':', $env);
+            array_shift($parts); // Remove 'default' prefix
+            $parameter = array_shift($parts); // Retrieve and remove parameter
+
+            [$defaultParameter, $defaultParameterType] = $this->getParameterDefaultAndDefaultType($parameter, $defaultBag);
+
+            return [
+                $defaultParameterType => $defaultParameter,
+                ...$this->getPlaceholderValues(implode(':', $parts), $defaultBag, $envTypes),
+            ];
+        }
+
+        $values = [];
+        foreach ($envTypes[$prefix] ?? ['string'] as $type) {
+            $values[$type] = self::TYPE_FIXTURES[$type] ?? null;
+        }
+
+        return $values;
+    }
+
+    /**
+     * @return array{0: string, 1: string}
+     */
+    private function getParameterDefaultAndDefaultType(string $name, ParameterBag $defaultBag): array
+    {
+        $default = $defaultBag->has($name) ? $defaultBag->get($name) : self::TYPE_FIXTURES['string'];
+        $defaultType = null !== $default ? get_debug_type($default) : 'string';
+
+        return [$default, $defaultType];
+    }
 }