N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Upgrade all Symfony components to last security fix (~6.4.0)
2026-05-20 15:52:24 +02:00 · 2025-08-06 08:54:56 +02:00
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
--- a/lib/symfony/var-dumper/Cloner/AbstractCloner.php
+++ b/lib/symfony/var-dumper/Cloner/AbstractCloner.php
@@ -219,7 +219,7 @@ abstract class AbstractCloner implements ClonerInterface
     *
     * @see addCasters
     */
-    public function __construct(array $casters = null)
+    public function __construct(?array $casters = null)
    {
        $this->addCasters($casters ?? static::$defaultCasters);
    }
--- a/lib/symfony/var-dumper/Cloner/Internal/NoDefault.php
+++ b/lib/symfony/var-dumper/Cloner/Internal/NoDefault.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\VarDumper\Cloner\Internal;
+
+/**
+ * Flags a typed property that has no default value.
+ *
+ * This dummy object is used to distinguish a property with a default value of null
+ * from a property that is uninitialized by default.
+ *
+ * @internal
+ */
+enum NoDefault
+{
+    case NoDefault;
+}
--- a/lib/symfony/var-dumper/Cloner/Stub.php
+++ b/lib/symfony/var-dumper/Cloner/Stub.php
@@ -11,6 +11,8 @@

 namespace Symfony\Component\VarDumper\Cloner;

+use Symfony\Component\VarDumper\Cloner\Internal\NoDefault;
+
 /**
 * Represents the main properties of a PHP variable.
 *
@@ -50,15 +52,20 @@ class Stub
        $properties = [];

        if (!isset(self::$defaultProperties[$c = static::class])) {
-            self::$defaultProperties[$c] = get_class_vars($c);
+            $reflection = new \ReflectionClass($c);
+            self::$defaultProperties[$c] = [];

-            foreach ((new \ReflectionClass($c))->getStaticProperties() as $k => $v) {
-                unset(self::$defaultProperties[$c][$k]);
+            foreach ($reflection->getProperties() as $p) {
+                if ($p->isStatic()) {
+                    continue;
+                }
+
+                self::$defaultProperties[$c][$p->name] = $p->hasDefaultValue() ? $p->getDefaultValue() : ($p->hasType() ? NoDefault::NoDefault : null);
            }
        }

        foreach (self::$defaultProperties[$c] as $k => $v) {
-            if ($this->$k !== $v) {
+            if (NoDefault::NoDefault === $v || $this->$k !== $v) {
                $properties[] = $k;
            }
        }