N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Upgrade all Symfony components to last security fix (~6.4.0)

lib/symfony/twig-bridge/TokenParser/DumpTokenParser.php

@@ -12,7 +12,9 @@
 namespace Symfony\Bridge\Twig\TokenParser;
 
 use Symfony\Bridge\Twig\Node\DumpNode;
+use Twig\Node\Expression\Variable\LocalVariable;
 use Twig\Node\Node;
+use Twig\Node\Nodes;
 use Twig\Token;
 use Twig\TokenParser\AbstractTokenParser;
 
@@ -33,11 +35,26 @@ final class DumpTokenParser extends AbstractTokenParser
     {
         $values = null;
         if (!$this->parser->getStream()->test(Token::BLOCK_END_TYPE)) {
-            $values = $this->parser->getExpressionParser()->parseMultitargetExpression();
+            $values = method_exists($this->parser, 'parseExpression') ?
+                $this->parseMultitargetExpression() :
+                $this->parser->getExpressionParser()->parseMultitargetExpression();
         }
         $this->parser->getStream()->expect(Token::BLOCK_END_TYPE);
 
-        return new DumpNode($this->parser->getVarName(), $values, $token->getLine(), $this->getTag());
+        return new DumpNode(class_exists(LocalVariable::class) ? new LocalVariable(null, $token->getLine()) : $this->parser->getVarName(), $values, $token->getLine(), $this->getTag());
+    }
+
+    private function parseMultitargetExpression(): Node
+    {
+        $targets = [];
+        while (true) {
+            $targets[] = $this->parser->parseExpression();
+            if (!$this->parser->getStream()->nextIf(Token::PUNCTUATION_TYPE, ',')) {
+                break;
+            }
+        }
+
+        return new Nodes($targets);
     }
 
     public function getTag(): string