Merge branch '7.2' into 7.3

* 7.2:
  reject URLs containing whitespaces
  Update validators.fa.xlf
  the "max" option can be zero
  [TypeInfo] Fix PHPDoc resolving of union with mixed
  [Security/Csrf] Trust "Referer" at the same level as "Origin"
  [HttpClient] Fix a typo in NoPrivateNetworkHttpClient

Author: fabpot

src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php

@@ -358,10 +358,10 @@ public static function provideParse(): iterable
             'non-special://:@untrusted.com/x' => ['scheme' => 'non-special', 'host' => 'untrusted.com'],
             'http:foo.com' => ['scheme' => 'http', 'host' => null],
             "	   :foo.com   \n" => null,
-            ' foo.com  ' => ['scheme' => null, 'host' => null],
+            ' foo.com  ' => null,
             'a:	 foo.com' => null,
-            'http://f:21/ b ? d # e ' => ['scheme' => 'http', 'host' => 'f'],
-            'lolscheme:x x#x x' => ['scheme' => 'lolscheme', 'host' => null],
+            'http://f:21/ b ? d # e ' => null,
+            'lolscheme:x x#x x' => null,
             'http://f:/c' => ['scheme' => 'http', 'host' => 'f'],
             'http://f:0/c' => ['scheme' => 'http', 'host' => 'f'],
             'http://f:00000000000000/c' => ['scheme' => 'http', 'host' => 'f'],
@@ -434,7 +434,7 @@ public static function provideParse(): iterable
             'javascript:example.com/' => ['scheme' => 'javascript', 'host' => null],
             'mailto:example.com/' => ['scheme' => 'mailto', 'host' => null],
             '/a/b/c' => ['scheme' => null, 'host' => null],
-            '/a/ /c' => ['scheme' => null, 'host' => null],
+            '/a/ /c' => null,
             '/a%2fc' => ['scheme' => null, 'host' => null],
             '/a/%2f/c' => ['scheme' => null, 'host' => null],
             '#β' => ['scheme' => null, 'host' => null],
@@ -495,10 +495,10 @@ public static function provideParse(): iterable
             'http://example.com/你好你好' => ['scheme' => 'http', 'host' => 'example.com'],
             'http://example.com/‥/foo' => ['scheme' => 'http', 'host' => 'example.com'],
             "http://example.com/\u{feff}/foo" => ['scheme' => 'http', 'host' => 'example.com'],
-            "http://example.com\u{002f}\u{202e}\u{002f}\u{0066}\u{006f}\u{006f}\u{002f}\u{202d}\u{002f}\u{0062}\u{0061}\u{0072}\u{0027}\u{0020}" => ['scheme' => 'http', 'host' => 'example.com'],
+            "http://example.com\u{002f}\u{202e}\u{002f}\u{0066}\u{006f}\u{006f}\u{002f}\u{202d}\u{002f}\u{0062}\u{0061}\u{0072}\u{0027}\u{0020}" => null,
             'http://www.google.com/foo?bar=baz#' => ['scheme' => 'http', 'host' => 'www.google.com'],
-            'http://www.google.com/foo?bar=baz# »' => ['scheme' => 'http', 'host' => 'www.google.com'],
-            'data:test# »' => ['scheme' => 'data', 'host' => null],
+            'http://www.google.com/foo?bar=baz# »' => null,
+            'data:test# »' => null,
             'http://www.google.com' => ['scheme' => 'http', 'host' => 'www.google.com'],
             'http://192.0x00A80001' => ['scheme' => 'http', 'host' => '192.0x00A80001'],
             'http://www/foo%2Ehtml' => ['scheme' => 'http', 'host' => 'www'],
@@ -706,11 +706,11 @@ public static function provideParse(): iterable
             'test-a-colon-slash-slash-b.html' => ['scheme' => null, 'host' => null],
             'http://example.org/test?a#bc' => ['scheme' => 'http', 'host' => 'example.org'],
             'http:\\/\\/f:b\\/c' => ['scheme' => 'http', 'host' => null],
-            'http:\\/\\/f: \\/c' => ['scheme' => 'http', 'host' => null],
+            'http:\\/\\/f: \\/c' => null,
             'http:\\/\\/f:fifty-two\\/c' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/f:999999\\/c' => ['scheme' => 'http', 'host' => null],
             'non-special:\\/\\/f:999999\\/c' => ['scheme' => 'non-special', 'host' => null],
-            'http:\\/\\/f: 21 \\/ b ? d # e ' => ['scheme' => 'http', 'host' => null],
+            'http:\\/\\/f: 21 \\/ b ? d # e ' => null,
             'http:\\/\\/[1::2]:3:4' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/2001::1' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/2001::1]' => ['scheme' => 'http', 'host' => null],
@@ -734,8 +734,8 @@ public static function provideParse(): iterable
             'http:@:www.example.com' => ['scheme' => 'http', 'host' => null],
             'http:\\/@:www.example.com' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/@:www.example.com' => ['scheme' => 'http', 'host' => null],
-            'http:\\/\\/example example.com' => ['scheme' => 'http', 'host' => null],
-            'http:\\/\\/Goo%20 goo%7C|.com' => ['scheme' => 'http', 'host' => null],
+            'http:\\/\\/example example.com' => null,
+            'http:\\/\\/Goo%20 goo%7C|.com' => null,
             'http:\\/\\/[]' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/[:]' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/GOO\\u00a0\\u3000goo.com' => ['scheme' => 'http', 'host' => null],
@@ -752,8 +752,8 @@ public static function provideParse(): iterable
             'http:\\/\\/hello%00' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/192.168.0.257' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/%3g%78%63%30%2e%30%32%35%30%2E.01' => ['scheme' => 'http', 'host' => null],
-            'http:\\/\\/192.168.0.1 hello' => ['scheme' => 'http', 'host' => null],
-            'https:\\/\\/x x:12' => ['scheme' => 'https', 'host' => null],
+            'http:\\/\\/192.168.0.1 hello' => null,
+            'https:\\/\\/x x:12' => null,
             'http:\\/\\/[www.google.com]\\/' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/[google.com]' => ['scheme' => 'http', 'host' => null],
             'http:\\/\\/[::1.2.3.4x]' => ['scheme' => 'http', 'host' => null],
@@ -763,7 +763,7 @@ public static function provideParse(): iterable
             '..\\/i' => ['scheme' => null, 'host' => null],
             '\\/i' => ['scheme' => null, 'host' => null],
             'sc:\\/\\/\\u0000\\/' => ['scheme' => 'sc', 'host' => null],
-            'sc:\\/\\/ \\/' => ['scheme' => 'sc', 'host' => null],
+            'sc:\\/\\/ \\/' => null,
             'sc:\\/\\/@\\/' => ['scheme' => 'sc', 'host' => null],
             'sc:\\/\\/te@s:t@\\/' => ['scheme' => 'sc', 'host' => null],
             'sc:\\/\\/:\\/' => ['scheme' => 'sc', 'host' => null],

src/Symfony/Component/HtmlSanitizer/TextSanitizer/UrlSanitizer.php

@@ -94,7 +94,13 @@ public static function parse(string $url): ?array
         }
 
         try {
-            return UriString::parse($url);
+            $parsedUrl = UriString::parse($url);
+
+            if (preg_match('/\s/', $url)) {
+                return null;
+            }
+
+            return $parsedUrl;
         } catch (SyntaxError) {
             return null;
         }

src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

@@ -138,7 +138,7 @@ public function request(string $method, string $url, array $options = []): Respo
                     $filterContentHeaders = static function ($h) {
                         return 0 !== stripos($h, 'Content-Length:') && 0 !== stripos($h, 'Content-Type:') && 0 !== stripos($h, 'Transfer-Encoding:');
                     };
-                    $options['header'] = array_filter($options['header'], $filterContentHeaders);
+                    $options['headers'] = array_filter($options['headers'], $filterContentHeaders);
                     $redirectHeaders['no_auth'] = array_filter($redirectHeaders['no_auth'], $filterContentHeaders);
                     $redirectHeaders['with_auth'] = array_filter($redirectHeaders['with_auth'], $filterContentHeaders);
                 }

src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php

@@ -175,6 +175,27 @@ public function testNonCallableOnProgressCallback()
         $client->request('GET', $url, ['on_progress' => $customCallback]);
     }
 
+    public function testHeadersArePassedOnRedirect()
+    {
+        $ipAddr = '104.26.14.6';
+        $url = sprintf('http://%s/', $ipAddr);
+        $content = 'foo';
+
+        $callback = function ($method, $url, $options) use ($content): MockResponse {
+            $this->assertArrayHasKey('headers', $options);
+            $this->assertNotContains('content-type: application/json', $options['headers']);
+            $this->assertContains('foo: bar', $options['headers']);
+            return new MockResponse($content);
+        };
+        $responses = [
+            new MockResponse('', ['http_code' => 302, 'redirect_url' => 'http://104.26.14.7']),
+            $callback,
+        ];
+        $client = new NoPrivateNetworkHttpClient(new MockHttpClient($responses));
+        $response = $client->request('POST', $url, ['headers' => ['foo' => 'bar', 'content-type' => 'application/json']]);
+        $this->assertEquals($content, $response->getContent());
+    }
+
     private function getMockHttpClient(string $ipAddr, string $content)
     {
         return new MockHttpClient(new MockResponse($content, ['primary_ip' => $ipAddr]));

src/Symfony/Component/Security/Csrf/SameOriginCsrfTokenManager.php

@@ -227,9 +227,21 @@ public function onKernelResponse(ResponseEvent $event): void
      */
     private function isValidOrigin(Request $request): ?bool
     {
-        $source = $request->headers->get('Origin') ?? $request->headers->get('Referer') ?? 'null';
+        $target = $request->getSchemeAndHttpHost().'/';
+        $source = 'null';
 
-        return 'null' === $source ? null : str_starts_with($source.'/', $request->getSchemeAndHttpHost().'/');
+        foreach (['Origin', 'Referer'] as $header) {
+            if (!$request->headers->has($header)) {
+                continue;
+            }
+            $source = $request->headers->get($header);
+
+            if (str_starts_with($source.'/', $target)) {
+                return true;
+            }
+        }
+
+        return 'null' === $source ? null : false;
     }
 
     /**

src/Symfony/Component/Security/Csrf/Tests/SameOriginCsrfTokenManagerTest.php

@@ -100,6 +100,20 @@ public function testValidOrigin()
         $this->assertSame(1 << 8, $request->attributes->get('csrf-token'));
     }
 
+    public function testValidRefererInvalidOrigin()
+    {
+        $request = new Request();
+        $request->headers->set('Origin', 'http://localhost:1234');
+        $request->headers->set('Referer', $request->getSchemeAndHttpHost());
+        $this->requestStack->push($request);
+
+        $token = new CsrfToken('test_token', str_repeat('a', 24));
+
+        $this->logger->expects($this->once())->method('debug')->with('CSRF validation accepted using origin info.');
+        $this->assertTrue($this->csrfTokenManager->isTokenValid($token));
+        $this->assertSame(1 << 8, $request->attributes->get('csrf-token'));
+    }
+
     public function testValidOriginAfterDoubleSubmit()
     {
         $session = $this->createMock(Session::class);

src/Symfony/Component/TypeInfo/Tests/TypeResolver/StringTypeResolverTest.php

@@ -155,6 +155,8 @@ public static function resolveDataProvider(): iterable
 
         // union
         yield [Type::union(Type::int(), Type::string()), 'int|string'];
+        yield [Type::mixed(), 'int|mixed'];
+        yield [Type::mixed(), 'mixed|int'];
 
         // intersection
         yield [Type::intersection(Type::object(\DateTime::class), Type::object(\Stringable::class)), \DateTime::class.'&'.\Stringable::class];

src/Symfony/Component/TypeInfo/TypeResolver/StringTypeResolver.php

@@ -223,7 +223,19 @@ private function getTypeFromNode(TypeNode $node, ?TypeContext $typeContext): Typ
         }
 
         if ($node instanceof UnionTypeNode) {
-            return Type::union(...array_map(fn (TypeNode $t): Type => $this->getTypeFromNode($t, $typeContext), $node->types));
+            $types = [];
+
+            foreach ($node->types as $nodeType) {
+                $type = $this->getTypeFromNode($nodeType, $typeContext);
+
+                if ($type instanceof BuiltinType && TypeIdentifier::MIXED === $type->getTypeIdentifier()) {
+                    return Type::mixed();
+                }
+
+                $types[] = $type;
+            }
+
+            return Type::union(...$types);
         }
 
         if ($node instanceof IntersectionTypeNode) {

src/Symfony/Component/Validator/Constraints/Count.php

@@ -45,7 +45,7 @@ class Count extends Constraint
     /**
      * @param int<0, max>|array<string,mixed>|null $exactly     The exact expected number of elements
      * @param int<0, max>|null                     $min         Minimum expected number of elements
-     * @param positive-int|null                    $max         Maximum expected number of elements
+     * @param int<0, max>|null                     $max         Maximum expected number of elements
      * @param positive-int|null                    $divisibleBy The number the collection count should be divisible by
      * @param string[]|null                        $groups
      * @param array<mixed,string>                  $options

src/Symfony/Component/Validator/Resources/translations/validators.fa.xlf

@@ -444,27 +444,27 @@
             </trans-unit>
             <trans-unit id="114">
                 <source>This value is too short. It should contain at least one word.|This value is too short. It should contain at least {{ min }} words.</source>
-                <target state="needs-translation">This value is too short. It should contain at least one word.|This value is too short. It should contain at least {{ min }} words.</target>
+                <target>این مقدار بسیار کوتاه است. باید حداقل یک کلمه داشته باشد.|این مقدار بسیار کوتاه است. باید حداقل {{ min }} کلمه داشته باشد.</target>
             </trans-unit>
             <trans-unit id="115">
                 <source>This value is too long. It should contain one word.|This value is too long. It should contain {{ max }} words or less.</source>
-                <target state="needs-translation">This value is too long. It should contain one word.|This value is too long. It should contain {{ max }} words or less.</target>
+                <target>این مقدار بیش از حد طولانی است. باید فقط یک کلمه باشد.|این مقدار بیش از حد طولانی است. باید حداکثر {{ max }} کلمه داشته باشد.</target>
             </trans-unit>
             <trans-unit id="116">
                 <source>This value does not represent a valid week in the ISO 8601 format.</source>
-                <target state="needs-translation">This value does not represent a valid week in the ISO 8601 format.</target>
+                <target>این مقدار یک هفته معتبر در قالب ISO 8601 را نشان نمی‌دهد.</target>
             </trans-unit>
             <trans-unit id="117">
                 <source>This value is not a valid week.</source>
-                <target state="needs-translation">This value is not a valid week.</target>
+                <target>این مقدار یک هفته معتبر نیست.</target>
             </trans-unit>
             <trans-unit id="118">
                 <source>This value should not be before week "{{ min }}".</source>
-                <target state="needs-translation">This value should not be before week "{{ min }}".</target>
+                <target>این مقدار نباید قبل از هفته "{{ min }}" باشد.</target>
             </trans-unit>
             <trans-unit id="119">
                 <source>This value should not be after week "{{ max }}".</source>
-                <target state="needs-translation">This value should not be after week "{{ max }}".</target>
+                <target>این مقدار نباید بعد از هفته "{{ max }}" باشد.</target>
             </trans-unit>
         </body>
     </file>