Merge branch '4.4' into 5.2

nicolas-grekas · nicolas-grekas · commit 84d3b1a43e60 · 2021-03-23T13:45:44.000+01:00
* 4.4:
  [Console] minor fix
  [Validator] Avoid triggering the autoloader for user-input values
  Hardening Security - Unserialize DumpDataCollector
  [HttpClient] remove using $http_response_header
  [Security] Handle properly 'auto' option for remember me cookie security
diff --git a/DataCollector/DumpDataCollector.php b/DataCollector/DumpDataCollector.php
@@ -178,6 +178,11 @@ public function __wakeup()
         $charset = array_pop($this->data);
         $fileLinkFormat = array_pop($this->data);
         $this->dataCount = \count($this->data);
+        foreach ($this->data as $dump) {
+            if (!\is_string($dump['name']) || !\is_string($dump['file']) || !\is_int($dump['line'])) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
+        }
 
         self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
     }
@@ -252,7 +257,7 @@ public function __destruct()
         }
     }
 
-    private function doDump(DataDumperInterface $dumper, $data, string $name, string $file, int $line)
+    private function doDump(DataDumperInterface $dumper, Data $data, string $name, string $file, int $line)
     {
         if ($dumper instanceof CliDumper) {
             $contextDumper = function ($name, $file, $line, $fmt) {

Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,11 @@ public function __wakeup()`
`178`	`178`	`$charset = array_pop($this->data);`
`179`	`179`	`$fileLinkFormat = array_pop($this->data);`
`180`	`180`	`$this->dataCount = \count($this->data);`
	`181`	`+ foreach ($this->data as $dump) {`
	`182`	`+ if (!\is_string($dump['name']) \|\| !\is_string($dump['file']) \|\| !\is_int($dump['line'])) {`
	`183`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`184`	`+ }`
	`185`	`+ }`
`181`	`186`
`182`	`187`	`self::__construct($this->stopwatch, \is_string($fileLinkFormat) \|\| $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);`
`183`	`188`	`}`
`@@ -252,7 +257,7 @@ public function __destruct()`
`252`	`257`	`}`
`253`	`258`	`}`
`254`	`259`
`255`		`- private function doDump(DataDumperInterface $dumper, $data, string $name, string $file, int $line)`
	`260`	`+ private function doDump(DataDumperInterface $dumper, Data $data, string $name, string $file, int $line)`
`256`	`261`	`{`
`257`	`262`	`if ($dumper instanceof CliDumper) {`
`258`	`263`	`$contextDumper = function ($name, $file, $line, $fmt) {`