Shared security patch analysis results
AI Used: deepseek deepseek-chat--- cache/symfony_v8.0.0-RC1/CHANGELOG-7.4.md 2025-11-13 13:14:20.143783228 +0000+++ cache/symfony_v8.0.0-RC2/CHANGELOG-7.4.md 2025-11-16 18:01:39.195655662 +0000@@ -7,6 +7,44 @@ To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v7.4.0...v7.4.1 +* 7.4.0-RC1 (2025-11-13)++ * bug #62335 [Console] Fix signal handlers not being cleared after command termination (yoeunes)+ * bug #62348 [Translation][Lokalise] fix "Project too big for sync export" (santysisi)+ * bug #62304 [DependencyInjection] Fix lazy proxy creation for interfaces aliased to final classes (yoeunes)+ * bug #62036 [HttpKernel] Fix StreamedResponse with chunks support in HttpKernelBrowser (wuchen90)+ * bug #62063 [JsonStreamer] Rebuild cache on class update (mtarld)+ * bug #62287 [HttpFoundation] Fix AcceptHeader overwrites items with different parameters (yoeunes)+ * bug #62325 [Routing] Fix default value not taken if usigng name:entity.attribute (eltharin)+ * bug #62329 [DependencyInjection] Fix merging explicit tags and #[AsTaggeditem] (nicolas-grekas)+ * bug #62356 [HttpClient] Fix `Warning: curl_multi_select(): timeout must be positive` (Jeroeny)+ * bug #62334 [PropertyInfo] Fix `ReflectionExtractor` handling of underscore-only property names (yoeunes)+ * bug #58473 [Serializer] Fix `AbstractObjectNormalizer` to allow scalar values to be normalized (Hanmac, xabbuh)+ * bug #62093 [Security] Fix `HttpUtils::createRequest()` when the context’s base URL isn’t empty (MatTheCat)+ * bug #62007 [Serializer] fix inherited properties normalization (Link1515)+ * bug #62286 [Cache] compatibility with ext-redis 6.3 (xabbuh)+ * bug #62321 [Serializer] Fix BackedEnumNormalizer behavior with partial denormalization (yoeunes)+ * bug #62344 [OptionsResolver] Fix missing prototype key in nested error paths (yoeunes)+ * bug #62346 
[Clock] Align MockClock::sleep() behavior with NativeClock for negative values (yoeunes)+ * bug #62347 [OptionsResolver] Ensure remove() also unsets deprecation status (yoeunes)+ * bug #62359 [Yaml] Fix parsing of unquoted multiline scalars with comments or blank lines (yoeunes)+ * bug #62350 [ExpressionLanguage] Compile numbers with var_export in Compiler::repr for thread-safety (yoeunes)+ * security #cve-2025-64500 [HttpFoundation] Fix parsing pathinfo with no leading slash (nicolas-grekas)+ * bug #62333 Postal mailer transport message ID retrieval (lalcebo)+ * feature #62326 [Cache][Messenger] re-allow ext-redis 6.1 (xabbuh)+ * bug #62324 [HttpFoundation] Fix parsing hosts and schemes in URLs (nicolas-grekas)+ * bug #62171 [Messenger] Fix commands writing to `STDERR` instead of `STDOUT` (wazum)+ * bug #62315 Keep body size limit for AMP redirects (villermen)+ * bug #62214 [ObjectMapper] lazy loading (soyuka)+ * bug #62237 [Form] Fix EnumType choice_label logic for grouped choices (yoeunes)+ * bug #62283 [Filesystem] Unify logic for isAbsolute() in Path (yoeunes)+ * feature #62302 [Routing] Simplify importing routes defined on controller services (nicolas-grekas)+ * bug #62091 [BrowserKit] The BrowserKit history with parameter separator without slash. (biozshock)+ * bug #62297 [Twig] Ensure WrappedTemplatedEmail::getReturnPath() returns a string (yoeunes)+ * bug #62294 [Console] Add missing VERBOSITY_SILENT case in CommandDataCollector (yoeunes)+ * bug #62290 [Routing] Fix matching the "0" URL (cs278)+ * bug #62285 [HttpClient] Reject 3xx pushed responses (nicolas-grekas)+ * 7.4.0-BETA2 (2025-11-02) * feature #62270 [Lock][DynamoDB] Allow symfony/lock 8.0 (DavidPrevot)
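Review bot: the single `security` entry in the 7.4.0-RC1 block (`security #cve-2025-64500 [HttpFoundation] Fix parsing pathinfo with no leading slash`) carries a CVE id where every other entry carries a PR number, so the `https://github.com/symfony/symfony/commit/XXX` recipe at the top of the file cannot resolve it; an auditor needs the Symfony security advisory for CVE-2025-64500 to reach the commit and the affected-version list. Worth stating alongside the entry that the 8.0 line inherits it: the CHANGELOG-8.0.md hunk on this page opens its own 8.0.0-RC1 block with the same first entry (`bug #62335`), i.e. the RC1 release of both branches shipped the same fix set.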
Vulnerability Existed: yes
Security fix referenced by CVE id only; weakness class not determinable from the changelog - HttpFoundation [Unknown lines]
Old Code: [Not provided in diff]
Fixed Code: [Not provided in diff]
**Explanation:**
The 7.4.0-RC1 block carries exactly one `security` entry, `security #cve-2025-64500 [HttpFoundation] Fix parsing pathinfo with no leading slash (nicolas-grekas)`. That confirms a security fix shipped in the HttpFoundation component, but the changelog contains neither the code change nor a PR number, so the affected lines cannot be shown and a CWE cannot be assigned from this diff alone; the CWE-444 label previously attached here was a guess that the visible text does not support. For assessing exposure, the entry names the path-info parser: Symfony's router and the security component's `access_control` path rules both match against the value returned by `Request::getPathInfo()`, so an application's routing and access-control behaviour for requests whose path lacks a leading slash is the thing to test. The Symfony security advisory for CVE-2025-64500 and its referenced commit are the authoritative sources for the affected versions and the actual change.
--- cache/symfony_v8.0.0-RC1/CHANGELOG-8.0.md 2025-11-13 13:14:20.145783357 +0000+++ cache/symfony_v8.0.0-RC2/CHANGELOG-8.0.md 2025-11-16 18:01:39.196655727 +0000@@ -7,6 +7,20 @@ To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v8.0.0...v8.0.1 +* 8.0.0-RC2 (2025-11-16)++ * bug #62411 [HttpKernel] Conflict with symfony/flex < 2.10 (nicolas-grekas)+ * bug #62409 [Yaml] Align unquoted multiline scalar parsing with spec for comments (yoeunes)+ * bug #62398 [Cache] Fix accepting named closures as early-expiration callbacks (nicolas-grekas)+ * bug #62406 [Notifier] do not use recipient phone numbers as sender e-mail addresses (xabbuh)+ * bug #62407 [FrameworkBundle] work around limitation in `JsonResponse` when the data is `null` (xabbuh)+ * bug #62402 [FrameworkBundle] Revert auto-import of #[Route] defined on controllers (nicolas-grekas)+ * bug #62400 [Form] Fix EnumType choice_label logic for grouped choices (yoeunes)+ * bug #62369 [Security] Set OIDC JWKS cache TTL from provider headers (Ali-HENDA)+ * bug #62393 [Dependencyinjection] Call default index method when index is not provided by tag (yoeunes)+ * bug #62372 [Cache] Recognize saveDeferred events as writes in `CacheDataCollector` (yitznewton)+ * bug #62389 [Routing] Align routing.schema.json with YamlFileLoader behavior (yoeunes)+ * 8.0.0-RC1 (2025-11-13) * bug #62335 [Console] Fix signal handlers not being cleared after command termination (yoeunes)
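Review bot: the 8.0.0-RC2 block has no `security` entry, only `bug` entries, and most of them are the PRs behind the code hunks further down this page: #62411 (the `symfony/flex: <2.10` conflict in both `composer.json` files), #62407 (`JsonResponse` with `null` data in `AbstractController` and `ControllerHelper`), #62402 (the route auto-import revert in `MicroKernelTrait`), #62369 (the `container.reversible` tag on the OIDC token handler), #62398 (named closures in `EarlyExpirationMessage`), #62393 (`PriorityTaggedServiceTrait`) and #62372 (`saveDeferred` in `CacheDataCollector`). #62409, #62406, #62400 and #62389 have no hunk on this page, so the diff shown is a subset of the release and those four changes are not reviewable here.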
Vulnerability Existed: no
No security entry in this section; changelog text only, no code - CHANGELOG-8.0.md [Unknown lines]
Old Code: N/A - Only changelog entries provided
Fixed Code: N/A - Only changelog entries provided
**Explanation:**
The 8.0.0-RC2 section lists `bug` entries only and no `security` entry, so the changelog itself records no vulnerability fix for this release; the security assessment has to be made on the code hunks that follow. The entries are still useful as an index: #62411, #62407, #62402, #62369, #62398, #62393 and #62372 each correspond to a hunk on this page, while #62409 (Yaml), #62406 (Notifier), #62400 (Form) and #62389 (Routing schema) do not, so those four changes cannot be assessed from this diff.
--- cache/symfony_v8.0.0-RC1/composer.json 2025-11-13 13:14:20.154783934 +0000+++ cache/symfony_v8.0.0-RC2/composer.json 2025-11-16 18:01:39.200655984 +0000@@ -178,7 +178,8 @@ "masterminds/html5": "<2.6", "phpdocumentor/reflection-docblock": "<5.2", "phpdocumentor/type-resolver": "<1.5.1",- "phpunit/phpunit": "<7.5|9.1.2"+ "phpunit/phpunit": "<7.5|9.1.2",+ "symfony/flex": "<2.10" }, "config": { "allow-plugins": {
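Review bot: a `conflict` entry is a resolver constraint, not a vulnerability marker, so this hunk should not be read as Flex < 2.10 being unsafe; it says the two cannot be installed together. It mirrors the `symfony/flex: <2.10` line added to `src/Symfony/Component/HttpKernel/composer.json` in the same release (`bug #62411`), and the root file needs its own copy because the mono-repo root is what Composer resolves when the whole framework is installed as one package. A one-line comment in the PR on which Flex behaviour is incompatible would help anyone deciding whether an older Flex pin is safe to keep.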
Vulnerability Existed: no
Dependency compatibility constraint, not a weakness - composer.json Lines 178
Old Code:
```json
"phpunit/phpunit": "<7.5|9.1.2"
```
Fixed Code:
```json
"phpunit/phpunit": "<7.5|9.1.2",
"symfony/flex": "<2.10"
```
**Explanation:**
The added line is a Composer `conflict` rule: it prevents the resolver from pairing this release with `symfony/flex` older than 2.10 (changelog entry `bug #62411 [HttpKernel] Conflict with symfony/flex < 2.10`). CWE-1104 (use of an unmaintained third-party component) does not apply; nothing in the diff says Flex < 2.10 is unmaintained or vulnerable, only that it is incompatible with this release. From a supply-chain standpoint the practical effect is that the constraint is enforced when dependencies are resolved (`composer update`, `composer require`), so a project with an older Flex already locked will hit the conflict at its next resolution rather than at install from the lock file.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php 2025-11-13 13:14:20.363797342 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php 2025-11-16 18:01:39.233658104 +0000@@ -155,6 +155,10 @@ return new JsonResponse($json, $status, $headers, true); } + if (null === $data) {+ return new JsonResponse('null', $status, $headers, true);+ }+ return new JsonResponse($data, $status, $headers); }
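Review bot: the new `null === $data` branch sits after the serializer branch (the one that returns `new JsonResponse($json, $status, $headers, true)`), so it only takes effect when no serializer is configured, which is the path the changelog's "limitation in `JsonResponse` when the data is `null`" refers to; handing `JsonResponse` the pre-encoded string `'null'` with the `$json` flag set bypasses its own treatment of a `null` payload and makes both paths emit the JSON literal `null`. The same four lines are duplicated verbatim in `ControllerHelper.php`; a shared helper, or at minimum one test covering both entry points, would stop the two from drifting apart.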
Vulnerability Existed: no
Behavioural fix for a `null` JSON payload, not a weakness - src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php [Lines around 155]
Old Code:
```php
    return new JsonResponse($json, $status, $headers, true);
}

return new JsonResponse($data, $status, $headers);
```
Fixed Code:
```php
    return new JsonResponse($json, $status, $headers, true);
}

if (null === $data) {
    return new JsonResponse('null', $status, $headers, true);
}

return new JsonResponse($data, $status, $headers);
```
**Explanation:**
`JsonResponse` substitutes an empty `\ArrayObject` for a `null` payload, so on an installation without the serializer `$this->json(null)` used to answer with the body `{}` rather than `null` (the serializer branch above already returns a pre-encoded string and was not affected). The fix gives `JsonResponse` the already-encoded string `'null'` with the `$json` flag set, so the body becomes the JSON literal `null`. This is a correctness fix (changelog `bug #62407`): a client that distinguishes "no object" from "empty object" got the wrong answer before, which is an integrity bug, not an exploitable weakness. CWE-436 (interpretation conflict) does not apply; no trust boundary, header or encoding option changes.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Bundle/FrameworkBundle/Controller/ControllerHelper.php 2025-11-13 13:14:20.364797406 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Bundle/FrameworkBundle/Controller/ControllerHelper.php 2025-11-16 18:01:39.233658104 +0000@@ -148,6 +148,10 @@ return new JsonResponse($json, $status, $headers, true); } + if (null === $data) {+ return new JsonResponse('null', $status, $headers, true);+ }+ return new JsonResponse($data, $status, $headers); }
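Review bot: identical to the `AbstractController::json()` hunk above, including its placement after the serializer branch; with two copies of the `null` special-case, a later change to one (for example, threading the `json_encode_options` context through) can miss the other. Routing both through one helper, or asserting in a test that both return the body `null` for a `null` payload, would keep them aligned.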
Vulnerability Existed: no
Behavioural fix for a `null` JSON payload, not a weakness - src/Symfony/Bundle/FrameworkBundle/Controller/ControllerHelper.php [Lines around 148]
Old Code:
```php
if (\is_string($json)) {
    return new JsonResponse($json, $status, $headers, true);
}

return new JsonResponse($data, $status, $headers);
```
Fixed Code:
```php
if (\is_string($json)) {
    return new JsonResponse($json, $status, $headers, true);
}

if (null === $data) {
    return new JsonResponse('null', $status, $headers, true);
}

return new JsonResponse($data, $status, $headers);
```
**Explanation:**
When `$data` is `null` and no serializer produced a string, the old code passed `null` straight to `JsonResponse`, which replaces a `null` payload with an empty `\ArrayObject`; the response body was therefore `{}`, not an empty body as one might expect. The fix returns the pre-encoded string `'null'` with the `$json` flag set to `true`, so the client receives the JSON literal `null`. This mirrors the `AbstractController` change and is the same changelog entry (`bug #62407`). CWE-20 does not fit: no input is validated here, and `null` is a legitimate value the helper now encodes correctly. The only consumer-facing effect is that code distinguishing a missing object from an empty one now gets the right answer.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Bundle/FrameworkBundle/Kernel/MicroKernelTrait.php 2025-11-13 13:14:20.400799716 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Bundle/FrameworkBundle/Kernel/MicroKernelTrait.php 2025-11-16 18:01:39.238658425 +0000@@ -79,13 +79,15 @@ $routes->import($configDir.'/{routes}/'.$this->environment.'/*.{php,yaml}'); $routes->import($configDir.'/{routes}/*.{php,yaml}'); - $routes->import('routing.controllers');- if (is_file($this->getConfigDir().'/routes.yaml')) { $routes->import($configDir.'/routes.yaml'); } else { $routes->import($configDir.'/{routes}.php'); }++ if ($fileName = (new \ReflectionObject($this))->getFileName()) {+ $routes->import($fileName, 'attribute');+ } } /**
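Review bot: dropping `$routes->import('routing.controllers')` reverts the RC1 auto-import of `#[Route]` attributes on controller services (`bug #62402`), while the new `ReflectionObject` import of the kernel's own file with the `attribute` loader restores the earlier behaviour of honouring `#[Route]` methods declared on the kernel class. Applications that started relying on the RC1 auto-import need the explicit `resource: ../src/Controller/` with `type: attribute` import in `config/routes.yaml` again; forgetting it fails closed (404), not open. Minor: the `is_file()` check uses `$this->getConfigDir()` while the imports use `$configDir`; harmless if the two are the same value, but the mixed use reads as an oversight.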
Vulnerability Existed: no
Revert of an RC1 routing feature, not a weakness - src/Symfony/Bundle/FrameworkBundle/Kernel/MicroKernelTrait.php [Lines 79-93]
Old Code:
```php
$routes->import('routing.controllers');

if (is_file($this->getConfigDir().'/routes.yaml')) {
    $routes->import($configDir.'/routes.yaml');
} else {
    $routes->import($configDir.'/{routes}.php');
}
```
Fixed Code:
```php
if (is_file($this->getConfigDir().'/routes.yaml')) {
    $routes->import($configDir.'/routes.yaml');
} else {
    $routes->import($configDir.'/{routes}.php');
}

if ($fileName = (new \ReflectionObject($this))->getFileName()) {
    $routes->import($fileName, 'attribute');
}
```
**Explanation:**
Two things happen. The `routing.controllers` import that RC1 added through `feature #62302 [Routing] Simplify importing routes defined on controller services` (visible in the 7.4 changelog hunk) is removed, which is changelog `bug #62402 [FrameworkBundle] Revert auto-import of #[Route] defined on controllers`; and the import of the kernel class's own source file with the `attribute` loader is restored, so `#[Route]` methods declared on the kernel keep working. Neither step reads or exposes anything the previous code did not, so CWE-200 does not apply. The practical consequence is configuration: controller routes are again registered only through the explicit import in `config/routes.yaml` (the usual `resource: ../src/Controller/` with `type: attribute`) or `config/routes.php`. An application that had begun to rely on the RC1 auto-import loses those routes until it adds the import back, which fails closed (404) rather than open.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php 2025-11-13 13:14:20.539808633 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php 2025-11-16 18:01:39.248659068 +0000@@ -31,6 +31,7 @@ ->replaceArgument(2, $config['audience']) ->replaceArgument(3, $config['issuers']) ->replaceArgument(4, $config['claim'])+ ->addTag('container.reversible') ); if (!ContainerBuilder::willBeAvailable('web-token/jwt-library', Algorithm::class, ['symfony/security-bundle'])) {
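Review bot: `container.reversible` only registers the OIDC token handler with the `ReverseContainer`, so that `ReverseContainer::getId()` can map the handler object back to its service id; nothing in this hunk touches how tokens, the audience, the issuers or the claim are validated, and the `ContainerBuilder::willBeAvailable()` guard in the trailing context is unchanged. The changelog files it under `bug #62369` (JWKS cache TTL from provider headers), and the `EarlyExpirationMessage` hunk later on this page is the visible consumer of reversible ids, which suggests the handler's JWKS refresh is dispatched as a cache early-expiration callback carried by service id (inferred from the two hunks, not shown directly). A short comment next to the tag saying why the handler must be reversible would save the next reader that inference.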
Vulnerability Existed: no
Service tagging for the reverse container, not a weakness - src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php [Lines 31-34]
Old Code:
```php
    ->replaceArgument(2, $config['audience'])
    ->replaceArgument(3, $config['issuers'])
    ->replaceArgument(4, $config['claim'])
);
```
Fixed Code:
```php
    ->replaceArgument(2, $config['audience'])
    ->replaceArgument(3, $config['issuers'])
    ->replaceArgument(4, $config['claim'])
    ->addTag('container.reversible')
);
```
**Explanation:**
The only change is the `container.reversible` tag on the OIDC token handler definition. That tag registers the service with Symfony's `ReverseContainer`, whose `getId()` maps a live service object back to its service id; it does not alter how tokens are validated, how the audience, issuers or claim are checked, or what the handler reads from the network. The changelog files it under `bug #62369 [Security] Set OIDC JWKS cache TTL from provider headers`, and the `EarlyExpirationMessage` hunk later on this page is the visible consumer of reversible ids: a callback owned by a reversible service can be placed on the Messenger bus as a service id plus method name instead of as a serialised object (the connection between the two hunks is inferred from the code shown, not stated in the diff). Neither CWE-502 nor CWE-915 applies: nothing untrusted is deserialised, the id is resolved from the compiled container on the receiving side, and the `ContainerBuilder::willBeAvailable('web-token/jwt-library', ...)` line in the hunk's trailing context is identical in both versions and merely guards an optional dependency.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php 2025-11-13 13:14:20.570810622 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php 2025-11-16 18:01:39.252659325 +0000@@ -42,7 +42,6 @@ use Symfony\Component\Security\Http\AccessToken\Oidc\OidcUserInfoTokenHandler; use Symfony\Component\Security\Http\AccessToken\QueryAccessTokenExtractor; use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;-use Symfony\Component\Security\Http\Command\OidcTokenGenerateCommand; use Symfony\Contracts\HttpClient\HttpClientInterface; return static function (ContainerConfigurator $container) {
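Review bot: only the `use` import of `OidcTokenGenerateCommand` is removed here; whether the command's service definition further down the file was removed as well, or the import was simply unused, is outside the hunk window, and the 8.0.0-RC2 changelog has no entry for this file. If the definition went too, that deserves a changelog line; if the import was dead, this is a no-op and needs nothing further.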
Vulnerability Existed: no
Unused import removed - src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php [Line 45]
Old Code:
```php
use Symfony\Component\Security\Http\Command\OidcTokenGenerateCommand;
```
Fixed Code:
(line removed)
**Explanation:**
Only the `use` statement for `OidcTokenGenerateCommand` is dropped; the hunk shows no change to any service definition, and the 8.0.0-RC2 changelog lists nothing for this file. Whether the command's definition was removed elsewhere in the file or the import was simply unused cannot be told from the hunk, and in either case there is no security behaviour in these lines to assess.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Cache/DataCollector/CacheDataCollector.php 2025-11-13 13:14:20.788824607 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Cache/DataCollector/CacheDataCollector.php 2025-11-16 18:01:39.279661059 +0000@@ -143,6 +143,8 @@ } } elseif ('save' === $call->name) { ++$statistics[$name]['writes'];+ } elseif ('saveDeferred' === $call->name) {+ ++$statistics[$name]['writes']; } elseif ('deleteItem' === $call->name) { ++$statistics[$name]['deletes']; }
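Review bot: counting `saveDeferred` as a write fixes an undercount in the profiler's cache panel, but the two branches are now identical, so `'save' === $call->name || 'saveDeferred' === $call->name` in one `elseif` would be clearer than a copy. Note also that the count is taken when `saveDeferred` is called, not when `commit()` flushes it, so deferred items that are never committed still show as writes; if the panel is meant to show persisted writes, `commit` needs handling as well.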
Vulnerability Existed: no
Profiler statistics fix, not a weakness - src/Symfony/Component/Cache/DataCollector/CacheDataCollector.php [Lines 143-148]
Old Code:
```php
} elseif ('save' === $call->name) {
    ++$statistics[$name]['writes'];
} elseif ('deleteItem' === $call->name) {
    ++$statistics[$name]['deletes'];
```
Fixed Code:
```php
} elseif ('save' === $call->name) {
    ++$statistics[$name]['writes'];
} elseif ('saveDeferred' === $call->name) {
    ++$statistics[$name]['writes'];
} elseif ('deleteItem' === $call->name) {
    ++$statistics[$name]['deletes'];
```
**Explanation:**
`CacheDataCollector` feeds the cache panel of the web profiler, a development-only tool. It tallies pool calls by method name and previously ignored `saveDeferred`, so a pool written only through deferred saves reported zero writes (changelog `bug #62372`). Counting those calls as writes changes a statistic and nothing else; no additional data is collected or displayed, so CWE-200 does not apply. The figure is "writes requested" rather than "writes persisted", because the count happens at `saveDeferred` time and not when `commit()` flushes the deferred items.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Cache/Messenger/EarlyExpirationMessage.php 2025-11-13 13:14:20.800825377 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Cache/Messenger/EarlyExpirationMessage.php 2025-11-16 18:01:39.280661124 +0000@@ -31,6 +31,11 @@ $pool = $reverseContainer->getId($pool); + if ($callback instanceof \Closure && !($r = new \ReflectionFunction($callback))->isAnonymous()) {+ $callback = [$r->getClosureThis() ?? $r->getClosureCalledClass()?->name, $r->name];+ $callback[0] ?: $callback = $r->name;+ }+ if (\is_object($callback)) { if (null === $id = $reverseContainer->getId($callback)) { return null;
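Review bot: the conversion runs only for non-anonymous closures (first-class callable syntax such as `$service->refresh(...)`, `SomeClass::warm(...)` or `strlen(...)`) and rewrites them as `[$object, 'method']`, `['Class', 'method']` or a bare function name so the existing object/array handling can express them through reversible service ids; the security property holds, because the closure itself is never serialised and an object the `ReverseContainer` cannot reverse still makes the visible `is_object` branch return `null`. Two readability points: `$callback[0] ?: $callback = $r->name;` relies on `?:` binding tighter than `=` and is easy to misread, and an explicit `if (null === $callback[0]) { $callback = $r->name; }` says the same; and `\ReflectionFunction::getClosureCalledClass()` exists only since PHP 8.3, so the component's PHP floor must be at or above that (not visible in this diff).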
Vulnerability Existed: no
Support for named closures as early-expiration callbacks, not a weakness - src/Symfony/Component/Cache/Messenger/EarlyExpirationMessage.php [Lines 31-41]
Old Code:
```php
$pool = $reverseContainer->getId($pool);

if (\is_object($callback)) {
    if (null === $id = $reverseContainer->getId($callback)) {
        return null;
    }
```
Fixed Code:
```php
$pool = $reverseContainer->getId($pool);

if ($callback instanceof \Closure && !($r = new \ReflectionFunction($callback))->isAnonymous()) {
    $callback = [$r->getClosureThis() ?? $r->getClosureCalledClass()?->name, $r->name];
    $callback[0] ?: $callback = $r->name;
}

if (\is_object($callback)) {
    if (null === $id = $reverseContainer->getId($callback)) {
        return null;
    }
```
**Explanation:**
`EarlyExpirationMessage::create()` turns the callback given to a cache `get()` call into something that can travel over the Messenger bus, and refuses (returns `null`) when the callback is an object the `ReverseContainer` cannot map to a service id. A closure created with first-class callable syntax (`$service->refresh(...)`, `SomeClass::warm(...)`, `strlen(...)`) is an object, so before this change every such callback was refused (changelog `bug #62398 [Cache] Fix accepting named closures as early-expiration callbacks`). The new block recognises named, non-anonymous closures through reflection and rewrites them as `[$boundObject, 'method']`, `['Class', 'method']` or a bare function name, which the existing object/array handling can then express as a service id plus method; anonymous closures are left untouched and still make `create()` return `null`. Nothing is deserialised here and no closure is ever serialised, so CWE-502 does not apply: what crosses the bus is a container id that the receiving side resolves against its own compiled container.
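As an added example (written for this page, not Symfony's own code), the PHP script below reproduces the named-closure rewrite from the hunk and the reverse-container lookup that follows it, so the callback shapes a practitioner is likely to pass can be compared side by side. `JwksRefresher`, the service id `app.jwks_refresher`, the `reverseId()` stand-in for `ReverseContainer::getId()` and the `'@<service id>'` encoding are assumptions of the example; the real message uses the container's own representation. It needs PHP 8.3 or newer.

```php
<?php
// Added example for this page (not Symfony code): mirrors the RC2 logic in
// EarlyExpirationMessage::create() that rewrites a *named* closure into a
// callable description the ReverseContainer can turn into a service id.
// Requires PHP >= 8.3 (ReflectionFunction::getClosureCalledClass()).
declare(strict_types=1);

// Hypothetical service standing in for any `container.reversible`-tagged service.
final class JwksRefresher
{
    public function refresh(string $url): string
    {
        return 'refreshed '.$url;
    }

    public static function warm(string $url): string
    {
        return 'warmed '.$url;
    }
}

/**
 * Same rewrite as the RC2 hunk, with the `?:` assignment written out as an `if`:
 * named closures become [$object, 'method'], ['Class', 'method'] or 'function';
 * anonymous closures and non-closure callables pass through unchanged.
 */
function describeCallback(callable $callback): array|string|object
{
    if ($callback instanceof \Closure && !($r = new \ReflectionFunction($callback))->isAnonymous()) {
        $callback = [$r->getClosureThis() ?? $r->getClosureCalledClass()?->name, $r->name];
        if (null === $callback[0]) {
            $callback = $r->name; // plain function: neither a bound $this nor a class scope
        }
    }

    return $callback;
}

/**
 * Stand-in for ReverseContainer::getId(): returns the id of a known service
 * object, or null when the object is not a reversible service.
 */
function reverseId(object $service, array $reversible): ?string
{
    foreach ($reversible as $id => $candidate) {
        if ($candidate === $service) {
            return $id;
        }
    }

    return null;
}

/**
 * Transport-safe form of a callback: a function name, or [target, method] where
 * target is a class name or '@<service id>' (the '@' prefix is this example's own
 * convention). Returns null when an object cannot be expressed as a service id,
 * which is the "create() returns null" refusal in the real code.
 */
function toTransportCallback(callable $callback, array $reversible): array|string|null
{
    $callback = describeCallback($callback);

    if (\is_object($callback)) {
        $id = reverseId($callback, $reversible);

        return null === $id ? null : ['@'.$id, '__invoke'];
    }

    if (\is_array($callback) && \is_object($callback[0])) {
        $id = reverseId($callback[0], $reversible);
        if (null === $id) {
            return null;
        }
        $callback[0] = '@'.$id;
    }

    return $callback;
}

$service = new JwksRefresher();
$reversible = ['app.jwks_refresher' => $service]; // assumed service id

$cases = [
    'bound method on a registered service' => $service->refresh(...),
    'static method' => JwksRefresher::warm(...),
    'plain function' => strlen(...),
    'anonymous closure' => static fn (string $url): string => $url,
    'bound method on an unregistered object' => (new JwksRefresher())->refresh(...),
];

foreach ($cases as $label => $callback) {
    printf("%-40s %s\n", $label, json_encode(toTransportCallback($callback, $reversible)));
}
```

Run it with `php example.php`. The bound method on the registered service and the static method come out as a service id or class name plus method, the plain function as its name, and the two cases the real code refuses (an anonymous closure, and a method on an object the container cannot reverse) as `null`. The lesson for wiring a cache early-expiration callback through Messenger is that the receiving side rebuilds the target from a container id and a method name, so the owning service has to be tagged `container.reversible`, which is exactly what the `OidcTokenHandlerFactory` hunk on this page does.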
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Console/Application.php 2025-11-13 13:14:20.949834936 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Console/Application.php 2025-11-16 18:01:39.287661573 +0000@@ -389,10 +389,7 @@ $this->definition ??= $this->getDefaultInputDefinition(); if ($this->singleCommand) {- $inputDefinition = $this->definition;- $inputDefinition->setArguments();-- return $inputDefinition;+ $this->definition->setArguments(); } return $this->definition;
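Review bot: no behavioural change; `$inputDefinition` was a second handle to the same `InputDefinition` object as `$this->definition`, so `setArguments()` already mutated the shared definition and the separate `return` was redundant. The side effect is unchanged too: in single-command mode every `getDefinition()` call clears the arguments on the shared definition, which is idempotent but worth a one-line comment so the next reader does not wonder whether the trailing `return $this->definition` sees a different object.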
Vulnerability Existed: no
Redundant local variable removed, no behavioural change - src/Symfony/Component/Console/Application.php [Lines 389-396]
Old Code:
```php
if ($this->singleCommand) {
    $inputDefinition = $this->definition;
    $inputDefinition->setArguments();

    return $inputDefinition;
}

return $this->definition;
```
Fixed Code:
```php
if ($this->singleCommand) {
    $this->definition->setArguments();
}

return $this->definition;
```
**Explanation:**
`$inputDefinition` held the same `InputDefinition` instance as `$this->definition` (objects are passed by handle), so `setArguments()` already mutated the shared definition and returning the local variable was equivalent to returning the property. The rewrite keeps the behaviour, including the side effect that in single-command mode each `getDefinition()` call clears the arguments on the shared definition. No path, file or executable lookup is involved, so CWE-426 (untrusted search path) is unrelated to these lines.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/DependencyInjection/Compiler/PriorityTaggedServiceTrait.php 2025-11-13 13:14:21.163848665 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/DependencyInjection/Compiler/PriorityTaggedServiceTrait.php 2025-11-16 18:01:39.301662473 +0000@@ -59,13 +59,12 @@ continue; } - $defaultPriority = null;- $defaultIndex = null;+ $defaultPriority = $defaultAttributePriority = null;+ $defaultIndex = $defaultAttributeIndex = null; $definition = $container->getDefinition($serviceId); $class = $definition->getClass(); $class = $container->getParameterBag()->resolveValue($class) ?: null; $reflector = null !== $class ? $container->getReflectionClass($class) : null;- $loadFromDefaultMethods = $reflector && null !== $defaultPriorityMethod; $phpAttributes = $definition->isAutoconfigured() && !$definition->hasTag('container.ignore_attributes') ? $reflector?->getAttributes(AsTaggedItem::class) : []; foreach ($phpAttributes ??= [] as $i => $attribute) {@@ -74,9 +73,9 @@ 'priority' => $attribute->priority, $indexAttribute ?? '' => $attribute->index, ];- if (null === $defaultPriority) {- $defaultPriority = $attribute->priority ?? 0;- $defaultIndex = $attribute->index;+ if (null === $defaultAttributePriority) {+ $defaultAttributePriority = $attribute->priority ?? 0;+ $defaultAttributeIndex = $attribute->index; } } if (1 >= \count($phpAttributes)) {@@ -93,10 +92,8 @@ if (isset($attribute['priority'])) { $priority = $attribute['priority'];- } elseif ($loadFromDefaultMethods) {- $defaultPriority = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultPriorityMethod, $tagName, 'priority') ?? $defaultPriority;- $defaultIndex = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultIndexMethod ?? 'getDefaultName', $tagName, $indexAttribute) ?? 
$defaultIndex;- $loadFromDefaultMethods = false;+ } elseif (null === $defaultPriority && $defaultPriorityMethod && $reflector) {+ $defaultPriority = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultPriorityMethod, $tagName, 'priority') ?? $defaultAttributePriority; } $priority ??= $defaultPriority ??= 0; @@ -108,10 +105,8 @@ if (null !== $indexAttribute && isset($attribute[$indexAttribute])) { $index = $parameterBag->resolveValue($attribute[$indexAttribute]); }- if (null === $index && $loadFromDefaultMethods) {- $defaultPriority = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultPriorityMethod, $tagName, 'priority') ?? $defaultPriority;- $defaultIndex = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultIndexMethod ?? 'getDefaultName', $tagName, $indexAttribute) ?? $defaultIndex;- $loadFromDefaultMethods = false;+ if (null === $index && null === $defaultIndex && $defaultPriorityMethod && $reflector) {+ $defaultIndex = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultIndexMethod ?? 'getDefaultName', $tagName, $indexAttribute) ?? $defaultAttributeIndex; } $index ??= $defaultIndex ??= $definition->getTag('container.decorator')[0]['id'] ?? $serviceId; @@ -147,13 +142,10 @@ { public static function getDefault(string $serviceId, \ReflectionClass $r, string $defaultMethod, string $tagName, ?string $indexAttribute): string|int|null {- if (!$r->hasMethod($defaultMethod)) {+ if ($r->isInterface() || !$r->hasMethod($defaultMethod)) { return null; } - if ($r->isInterface()) {- return null;- } $class = $r->name; if (null !== $indexAttribute) {
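Review bot: the rework keeps the `#[AsTaggedItem]` values (`$defaultAttributePriority`, `$defaultAttributeIndex`) apart from the method-derived ones (`$defaultPriority`, `$defaultIndex`) and resolves the two lazily and independently: the priority method runs only when a tag lacks a priority and none has been resolved yet, the index method only when a tag lacks an index and none has been resolved yet, each falling back to the attribute value. One question on the index branch: it is still gated on `$defaultPriorityMethod && $reflector` rather than on `$defaultIndexMethod`, which preserves the old `$loadFromDefaultMethods = $reflector && null !== $defaultPriorityMethod` gating, but since the index lookup has its own `'getDefaultName'` fallback a reader expects it to be independent of the priority method; either gate on `$reflector` alone or comment why the priority method is the switch. Folding `isInterface()` into the `hasMethod()` guard in `getDefault()` is a pure simplification, both branches returned `null`.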
Vulnerability Existed: no
Tag priority/index default resolution reworked, not a weakness - src/Symfony/Component/DependencyInjection/Compiler/PriorityTaggedServiceTrait.php [Lines 59-159, three regions]
Old Code (initialisation, lines 59-66):
```php
$defaultPriority = null;
$defaultIndex = null;
$definition = $container->getDefinition($serviceId);
$class = $definition->getClass();
$class = $container->getParameterBag()->resolveValue($class) ?: null;
$reflector = null !== $class ? $container->getReflectionClass($class) : null;
$loadFromDefaultMethods = $reflector && null !== $defaultPriorityMethod;
```
Fixed Code (initialisation):
```php
$defaultPriority = $defaultAttributePriority = null;
$defaultIndex = $defaultAttributeIndex = null;
$definition = $container->getDefinition($serviceId);
$class = $definition->getClass();
$class = $container->getParameterBag()->resolveValue($class) ?: null;
$reflector = null !== $class ? $container->getReflectionClass($class) : null;
```
Old Code (per-tag resolution, lines 93-108):
```php
} elseif ($loadFromDefaultMethods) {
    $defaultPriority = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultPriorityMethod, $tagName, 'priority') ?? $defaultPriority;
    $defaultIndex = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultIndexMethod ?? 'getDefaultName', $tagName, $indexAttribute) ?? $defaultIndex;
    $loadFromDefaultMethods = false;
}
$priority ??= $defaultPriority ??= 0;

if (null !== $indexAttribute && isset($attribute[$indexAttribute])) {
    $index = $parameterBag->resolveValue($attribute[$indexAttribute]);
}
if (null === $index && $loadFromDefaultMethods) {
    $defaultPriority = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultPriorityMethod, $tagName, 'priority') ?? $defaultPriority;
    $defaultIndex = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultIndexMethod ?? 'getDefaultName', $tagName, $indexAttribute) ?? $defaultIndex;
    $loadFromDefaultMethods = false;
}
```
Fixed Code (per-tag resolution):
```php
} elseif (null === $defaultPriority && $defaultPriorityMethod && $reflector) {
    $defaultPriority = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultPriorityMethod, $tagName, 'priority') ?? $defaultAttributePriority;
}
$priority ??= $defaultPriority ??= 0;

if (null !== $indexAttribute && isset($attribute[$indexAttribute])) {
    $index = $parameterBag->resolveValue($attribute[$indexAttribute]);
}
if (null === $index && null === $defaultIndex && $defaultPriorityMethod && $reflector) {
    $defaultIndex = PriorityTaggedServiceUtil::getDefault($serviceId, $reflector, $defaultIndexMethod ?? 'getDefaultName', $tagName, $indexAttribute) ?? $defaultAttributeIndex;
}
```
Old Code (`PriorityTaggedServiceUtil::getDefault()`, lines 147-154):
```php
if (!$r->hasMethod($defaultMethod)) {
    return null;
}

if ($r->isInterface()) {
    return null;
}
```
Fixed Code (`PriorityTaggedServiceUtil::getDefault()`):
```php
if ($r->isInterface() || !$r->hasMethod($defaultMethod)) {
    return null;
}
```
**Explanation:**
This is compile-time container logic (changelog `bug #62393 [DependencyInjection] Call default index method when index is not provided by tag`, following `bug #62329` from RC1). For each service carrying `$tagName` it decides which priority and which index name to use when the tag itself leaves them out, drawing on two sources: values declared with `#[AsTaggedItem]` and values returned by static default methods on the class (`$defaultPriorityMethod` for the priority, `$defaultIndexMethod ?? 'getDefaultName'` for the index). Before, both sources were collapsed into `$defaultPriority`/`$defaultIndex`, and one `$loadFromDefaultMethods` flag made the two default methods run together, once, on the first tag that lacked either value. Now the attribute values are kept in `$defaultAttributePriority`/`$defaultAttributeIndex` (the attribute loop at lines 74-79 writes to those instead), and the default methods are called lazily and separately: the priority method when a tag lacks a priority and none has been resolved yet, the index method when a tag lacks an index and none has been resolved yet, each falling back to the attribute value. In `getDefault()`, the `isInterface()` check is merged into the `hasMethod()` guard with no change in outcome. The whole computation runs over the project's own classes and attributes during container compilation; no request data is involved and nothing is deserialised, so CWE-502 does not apply to any of the three regions.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Dotenv/Command/DotenvDumpCommand.php 2025-11-13 13:14:21.296857197 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Dotenv/Command/DotenvDumpCommand.php 2025-11-16 18:01:39.311663115 +0000@@ -23,7 +23,13 @@ /** * A console command to compile .env files into a PHP-optimized file called .env.local.php. *- * @internal+ * To use this command, first register it explicitly as a service, e.g in your services.yaml file:+ *+ * ```yaml+ * services:+ * # [...]+ * Symfony\Component\Dotenv\Command\DotenvDumpCommand: ~+ * ``` */ #[Autoconfigure(bind: ['$projectDir' => '%kernel.project_dir%', '$defaultEnv' => '%kernel.environment%'])] #[AsCommand(name: 'dotenv:dump', description: 'Compile .env files to .env.local.php')]
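Review bot: lifting `@internal` turns `DotenvDumpCommand` into supported public API, and the docblock now says plainly that the command is not registered automatically; the `#[Autoconfigure(bind: ...)]` attribute right below is what makes the one-line `services.yaml` registration sufficient, so it would be worth mentioning in the same docblock. One caveat the new text should also carry: the `.env.local.php` the command writes is the compiled form of the `.env` files, so it holds the resolved values, and it belongs in `.gitignore` and on the deployment target, not in the repository.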
**Analysis of the Code Diff for Security Fixes:**
The diff touches only the class docblock of `DotenvDumpCommand.php`:
1. **Vulnerability Existed:** no
**Documentation change; `@internal` marker lifted** - src/Symfony/Component/Dotenv/Command/DotenvDumpCommand.php Lines 23-31
**Old Code:**
```php
/**
 * A console command to compile .env files into a PHP-optimized file called .env.local.php.
 *
 * @internal
 */
```
**Fixed Code:**
```php
/**
 * A console command to compile .env files into a PHP-optimized file called .env.local.php.
 *
 * To use this command, first register it explicitly as a service, e.g in your services.yaml file:
 *
 * ```yaml
 * services:
 *     # [...]
 *     Symfony\Component\Dotenv\Command\DotenvDumpCommand: ~
 * ```
 */
```
**Explanation:**
The `@internal` marker is replaced by instructions for registering the command as a service. Lifting `@internal` makes the class supported public API (application code may reference it and its signature falls under the backwards-compatibility promise); it reveals nothing about the implementation that the source file did not already show, so reading this as information exposure (CWE-200) is wrong. The `#[Autoconfigure(bind: ['$projectDir' => '%kernel.project_dir%', '$defaultEnv' => '%kernel.environment%'])]` attribute that follows the docblock is what lets the single `services.yaml` line in the new docblock work: the two constructor arguments are bound from kernel parameters. One caveat for users of the command, which the docblock's own description supports: `.env.local.php` is the compiled form of the `.env` files, so it contains the resolved values (typically including the secrets kept in `.env.local`) and must be kept out of version control and generated on the deployment target.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/HttpKernel/Kernel.php 2025-11-13 13:14:22.252918528 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/HttpKernel/Kernel.php 2025-11-16 18:01:39.479673909 +0000@@ -71,12 +71,12 @@ */ private static array $freshCache = []; - public const VERSION = '8.0.0-RC1';+ public const VERSION = '8.0.0-RC2'; public const VERSION_ID = 80000; public const MAJOR_VERSION = 8; public const MINOR_VERSION = 0; public const RELEASE_VERSION = 0;- public const EXTRA_VERSION = 'RC1';+ public const EXTRA_VERSION = 'RC2'; public const END_OF_MAINTENANCE = '07/2026'; public const END_OF_LIFE = '07/2026';
Vulnerability Existed: no
No specific vulnerability; release version bump - src/Symfony/Component/HttpKernel/Kernel.php [Lines 71-78]
Old Code:
```php
public const VERSION = '8.0.0-RC1';
public const VERSION_ID = 80000;
public const MAJOR_VERSION = 8;
public const MINOR_VERSION = 0;
public const RELEASE_VERSION = 0;
public const EXTRA_VERSION = 'RC1';
```
Fixed Code:
```php
public const VERSION = '8.0.0-RC2';
public const VERSION_ID = 80000;
public const MAJOR_VERSION = 8;
public const MINOR_VERSION = 0;
public const RELEASE_VERSION = 0;
public const EXTRA_VERSION = 'RC2';
```
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/HttpKernel/composer.json 2025-11-13 13:14:22.261919105 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/HttpKernel/composer.json 2025-11-16 18:01:39.480673974 +0000@@ -52,6 +52,7 @@ "psr/log-implementation": "1.0|2.0|3.0" }, "conflict": {+ "symfony/flex": "<2.10", "symfony/http-client-contracts": "<2.5", "symfony/translation-contracts": "<2.5", "twig/twig": "<3.21"
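Review bot: this is the component-level copy of the `symfony/flex: <2.10` conflict added to the root `composer.json`; keeping the two in sync matters because `symfony/http-kernel` is also installed on its own from its subtree split, where the root manifest is absent. The changelog files it as `bug #62411`, and the entry names no symptom, so a sentence in the PR on which Flex < 2.10 behaviour breaks with this kernel is what a reader needs to judge whether an older Flex pin can stay.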
Vulnerability Existed: no
Dependency compatibility constraint, not a weakness - src/Symfony/Component/HttpKernel/composer.json Lines 52-58
Old Code:
```json
"conflict": {
    "symfony/http-client-contracts": "<2.5",
    "symfony/translation-contracts": "<2.5",
    "twig/twig": "<3.21"
```
Fixed Code:
```json
"conflict": {
    "symfony/flex": "<2.10",
    "symfony/http-client-contracts": "<2.5",
    "symfony/translation-contracts": "<2.5",
    "twig/twig": "<3.21"
```
**Explanation:**
Same `conflict` rule as in the root `composer.json` above, placed in the HttpKernel component's own manifest so that the constraint also applies when `symfony/http-kernel` is installed on its own (changelog `bug #62411 [HttpKernel] Conflict with symfony/flex < 2.10`). It declares incompatibility, not that Flex < 2.10 is unmaintained or vulnerable, so CWE-1104 does not apply; the effect is that Composer refuses to resolve the pair at the next `composer update` or `composer require`.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Mime/MimeTypes.php 2025-11-13 13:14:23.698011230 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Mime/MimeTypes.php 2025-11-16 18:01:39.682686952 +0000@@ -135,7 +135,7 @@ /** * A map of MIME types and their default extensions. *- * Updated from upstream on 2024-11-09.+ * Updated from upstream on 2025-11-15. * * @see Resources/bin/update_mime_types.php */@@ -158,6 +158,7 @@ 'application/automationml-amlx+zip' => ['amlx'], 'application/bat' => ['bat'], 'application/bdoc' => ['bdoc'],+ 'application/buildstream+yaml' => ['bst'], 'application/bzip2' => ['bz2', 'bz'], 'application/calendar+xml' => ['xcs'], 'application/cbor' => ['cbor'],@@ -203,6 +204,7 @@ 'application/gpx+xml' => ['gpx'], 'application/gxf' => ['gxf'], 'application/gzip' => ['gz'],+ 'application/har+json' => ['har'], 'application/hjson' => ['hjson'], 'application/hta' => ['hta'], 'application/hyperstudio' => ['stk'],@@ -217,7 +219,7 @@ 'application/java-byte-code' => ['class'], 'application/java-serialized-object' => ['ser'], 'application/java-vm' => ['class'],- 'application/javascript' => ['js', 'jsm', 'mjs'],+ 'application/javascript' => ['js', 'cjs', 'jsm', 'mjs'], 'application/jrd+json' => ['jrd'], 'application/json' => ['json', 'map'], 'application/json-patch+json' => ['json-patch'],@@ -338,6 +340,7 @@ 'application/smil+xml' => ['smi', 'smil', 'sml', 'kino'], 'application/sparql-query' => ['rq', 'qs'], 'application/sparql-results+xml' => ['srx'],+ 'application/spdx+json' => ['spdx.json'], 'application/sql' => ['sql'], 'application/srgs' => ['gram'], 'application/srgs+xml' => ['grxml'],@@ -353,6 +356,7 @@ 'application/toml' => ['toml'], 'application/trig' => ['trig'], 'application/ttml+xml' => ['ttml'],+ 'application/typescript' => ['cts', 'mts', 'ts'], 'application/ubjson' => ['ubj'], 'application/urc-ressheet+xml' => ['rsheet'], 'application/urc-targetdesc+xml' => ['td'],@@ -393,6 +397,7 @@ 'application/vnd.apple.numbers' => ['numbers'], 
'application/vnd.apple.pages' => ['pages'], 'application/vnd.apple.pkpass' => ['pkpass'],+ 'application/vnd.apple.pkpasses' => ['pkpasses'], 'application/vnd.aristanetworks.swi' => ['swi'], 'application/vnd.astraea-software.iota' => ['iota'], 'application/vnd.audiograph' => ['aep'],@@ -427,6 +432,8 @@ 'application/vnd.cups-ppd' => ['ppd'], 'application/vnd.curl.car' => ['car'], 'application/vnd.curl.pcurl' => ['pcurl'],+ 'application/vnd.cyclonedx+json' => ['cdx.json'],+ 'application/vnd.cyclonedx+xml' => ['cdx.xml'], 'application/vnd.dart' => ['dart'], 'application/vnd.data-vision.rdz' => ['rdz'], 'application/vnd.dbf' => ['dbf'],@@ -809,7 +816,9 @@ 'application/x-abiword' => ['abw', 'abw.CRASHED', 'abw.gz', 'zabw'], 'application/x-ace' => ['ace'], 'application/x-ace-compressed' => ['ace'],+ 'application/x-alpine-package-keeper-package' => ['apk'], 'application/x-alz' => ['alz'],+ 'application/x-amf' => ['amf'], 'application/x-amiga-disk-format' => ['adf'], 'application/x-amipro' => ['sam'], 'application/x-annodex' => ['anx'],@@ -926,6 +935,8 @@ 'application/x-font-woff' => ['woff'], 'application/x-frame' => ['fm'], 'application/x-freearc' => ['arc'],+ 'application/x-freedesktop-appstream-component' => ['metainfo.xml', 'appdata.xml'],+ 'application/x-freedesktop-appstream-releases' => ['releases.xml'], 'application/x-futuresplash' => ['spl'], 'application/x-gameboy-color-rom' => ['gbc', 'cgb'], 'application/x-gameboy-rom' => ['gb', 'sgb'],@@ -990,7 +1001,7 @@ 'application/x-java-keystore' => ['jks', 'ks'], 'application/x-java-pack200' => ['pack'], 'application/x-java-vm' => ['class'],- 'application/x-javascript' => ['js', 'jsm', 'mjs'],+ 'application/x-javascript' => ['js', 'cjs', 'jsm', 'mjs'], 'application/x-jbuilder-project' => ['jpr', 'jpx'], 'application/x-karbon' => ['karbon'], 'application/x-kchart' => ['chrt'],@@ -1099,7 +1110,7 @@ 'application/x-partial-download' => ['wkdownload', 'crdownload', 'part'], 'application/x-pc-engine-rom' => ['pce'], 
'application/x-pcap' => ['pcap', 'cap', 'dmp'],- 'application/x-pcapng' => ['pcapng', 'ntar'],+ 'application/x-pcapng' => ['pcapng', 'scap', 'ntar'], 'application/x-pdf' => ['pdf'], 'application/x-perl' => ['pl', 'pm', 'PL', 'al', 'perl', 'pod', 't'], 'application/x-photoshop' => ['psd'],@@ -1258,6 +1269,10 @@ 'application/x-zoo' => ['zoo'], 'application/x-zpaq' => ['zpaq'], 'application/x-zstd-compressed-tar' => ['tar.zst', 'tzst'],+ 'application/x.sf3-archive' => ['ar.sf3', 'sf3'],+ 'application/x.sf3-log' => ['log.sf3', 'sf3'],+ 'application/x.sf3-table' => ['tab.sf3', 'sf3'],+ 'application/x.sf3-text' => ['txt.sf3', 'sf3'], 'application/xaml+xml' => ['xaml'], 'application/xcap-att+xml' => ['xav'], 'application/xcap-caps+xml' => ['xca'],@@ -1351,6 +1366,7 @@ 'audio/x-dff' => ['dff'], 'audio/x-dsd' => ['dsf'], 'audio/x-dsf' => ['dsf'],+ 'audio/x-dsp' => ['dsm', 'dsp'], 'audio/x-dts' => ['dts'], 'audio/x-dtshd' => ['dtshd'], 'audio/x-flac' => ['flac'],@@ -1410,6 +1426,7 @@ 'audio/x-xi' => ['xi'], 'audio/x-xm' => ['xm'], 'audio/x-xmf' => ['xmf'],+ 'audio/x.sf3' => ['au.sf3', 'sf3'], 'audio/xm' => ['xm'], 'audio/xmf' => ['xmf'], 'chemical/x-cdx' => ['cdx'],@@ -1509,6 +1526,7 @@ 'image/vnd.ms-photo' => ['wdp', 'jxr', 'hdp'], 'image/vnd.net-fpx' => ['npx'], 'image/vnd.pco.b16' => ['b16'],+ 'image/vnd.radiance' => ['hdr', 'pic', 'rgbe', 'xyze'], 'image/vnd.rn-realpix' => ['rp'], 'image/vnd.tencent.tap' => ['tap'], 'image/vnd.valve.source.texture' => ['vtf'],@@ -1542,6 +1560,7 @@ 'image/x-gimp-gih' => ['gih'], 'image/x-gimp-pat' => ['pat'], 'image/x-gzeps' => ['eps.gz', 'epsi.gz', 'epsf.gz'],+ 'image/x-hdr' => ['hdr', 'pic', 'rgbe', 'xyze'], 'image/x-icb' => ['tga', 'icb', 'tpic', 'vda', 'vst'], 'image/x-icns' => ['icns'], 'image/x-ico' => ['ico'],@@ -1572,6 +1591,7 @@ 'image/x-pcx' => ['pcx'], 'image/x-pentax-pef' => ['pef'], 'image/x-pfm' => ['pfm'],+ 'image/x-phm' => ['phm'], 'image/x-photo-cd' => ['pcd'], 'image/x-photoshop' => ['psd'], 'image/x-pict' => ['pic', 
'pct', 'pict', 'pict1', 'pict2'],@@ -1603,6 +1623,8 @@ 'image/x-xpm' => ['xpm'], 'image/x-xwindowdump' => ['xwd'], 'image/x.djvu' => ['djvu', 'djv'],+ 'image/x.sf3' => ['img.sf3', 'sf3'],+ 'image/x.sf3-vector' => ['vec.sf3', 'sf3'], 'message/disposition-notification' => ['disposition-notification'], 'message/global' => ['u8msg'], 'message/global-delivery-status' => ['u8dsn'],@@ -1642,6 +1664,8 @@ 'model/vnd.valve.source.compiled-map' => ['bsp'], 'model/vnd.vtu' => ['vtu'], 'model/vrml' => ['wrl', 'vrml', 'vrm'],+ 'model/x.sf3' => ['mod.sf3', 'sf3'],+ 'model/x.sf3-physics' => ['phys.sf3', 'sf3'], 'model/x.stl-ascii' => ['stl'], 'model/x.stl-binary' => ['stl'], 'model/x3d+binary' => ['x3db', 'x3dbz'],@@ -1663,8 +1687,8 @@ 'text/html' => ['html', 'htm', 'shtml'], 'text/ico' => ['ico'], 'text/jade' => ['jade'],- 'text/javascript' => ['js', 'mjs', 'jsm'],- 'text/jscript' => ['js', 'jsm', 'mjs'],+ 'text/javascript' => ['js', 'mjs', 'cjs', 'jsm'],+ 'text/jscript' => ['cjs', 'js', 'jsm', 'mjs'], 'text/jscript.encode' => ['jse'], 'text/jsx' => ['jsx'], 'text/julia' => ['jl'],@@ -1712,6 +1736,7 @@ 'text/vnd.senx.warpscript' => ['mc2'], 'text/vnd.sun.j2me.app-descriptor' => ['jad'], 'text/vnd.trolltech.linguist' => ['ts'],+ 'text/vnd.typst' => ['typ'], 'text/vnd.wap.wml' => ['wml'], 'text/vnd.wap.wmlscript' => ['wmls'], 'text/vtt' => ['vtt'],@@ -1741,6 +1766,7 @@ 'text/x-devicetree-binary' => ['dtb'], 'text/x-devicetree-source' => ['dts', 'dtsi'], 'text/x-diff' => ['diff', 'patch'],+ 'text/x-dockerfile' => ['Dockerfile'], 'text/x-dsl' => ['dsl'], 'text/x-dsrc' => ['d', 'di'], 'text/x-dtd' => ['dtd'],@@ -1785,18 +1811,24 @@ 'text/x-mpsub' => ['sub'], 'text/x-mrml' => ['mrml', 'mrl'], 'text/x-ms-regedit' => ['reg'],+ 'text/x-ms-visualstudio.project' => ['dsp'],+ 'text/x-ms-visualstudio.workspace' => ['dsw'], 'text/x-mup' => ['mup', 'not'], 'text/x-nfo' => ['nfo'], 'text/x-nim' => ['nim'], 'text/x-nimscript' => ['nims', 'nimble'], 'text/x-nix' => ['nix'],+ 'text/x-nsis' => 
['nsi', 'nsh'], 'text/x-nu' => ['nu'],+ 'text/x-nushell' => ['nu'], 'text/x-objc++src' => ['mm'], 'text/x-objcsrc' => ['m'], 'text/x-ocaml' => ['ml', 'mli'], 'text/x-ocl' => ['ocl'], 'text/x-octave' => ['m'], 'text/x-ooc' => ['ooc'],+ 'text/x-opencl-c++src' => ['clcpp'],+ 'text/x-opencl-csrc' => ['cl'], 'text/x-opencl-src' => ['cl'], 'text/x-opml' => ['opml'], 'text/x-opml+xml' => ['opml'],@@ -1814,6 +1846,7 @@ 'text/x-reject' => ['rej'], 'text/x-rpm-spec' => ['spec'], 'text/x-rst' => ['rst'],+ 'text/x-ruby' => ['rb'], 'text/x-sagemath' => ['sage'], 'text/x-sass' => ['sass'], 'text/x-scala' => ['scala', 'sc'],@@ -1824,6 +1857,7 @@ 'text/x-sh' => ['sh'], 'text/x-sql' => ['sql'], 'text/x-ssa' => ['ssa', 'ass'],+ 'text/x-ssh-public-key' => ['pub'], 'text/x-subviewer' => ['sub'], 'text/x-suse-ymp' => ['ymp'], 'text/x-svhdr' => ['svh'],@@ -1872,8 +1906,8 @@ 'video/jpm' => ['jpm', 'jpgm'], 'video/mj2' => ['mj2', 'mjp2'], 'video/mp2t' => ['ts', 'm2t', 'm2ts', 'mts', 'cpi', 'clpi', 'mpl', 'mpls', 'bdm', 'bdmv'],- 'video/mp4' => ['mp4', 'mp4v', 'mpg4', 'm4v', 'f4v', 'lrv'],- 'video/mp4v-es' => ['mp4', 'm4v', 'f4v', 'lrv'],+ 'video/mp4' => ['mp4', 'mp4v', 'mpg4', 'm4v', 'f4v', 'lrv', 'lrf'],+ 'video/mp4v-es' => ['mp4', 'm4v', 'f4v', 'lrv', 'lrf'], 'video/mpeg' => ['mpeg', 'mpg', 'mpe', 'm1v', 'm2v', 'mp2', 'vob'], 'video/mpeg-system' => ['mpeg', 'mpg', 'mp2', 'mpe', 'vob'], 'video/mpg4' => ['mpg4'],@@ -1907,7 +1941,7 @@ 'video/x-flic' => ['fli', 'flc'], 'video/x-flv' => ['flv'], 'video/x-javafx' => ['fxm'],- 'video/x-m4v' => ['m4v', 'mp4', 'f4v', 'lrv'],+ 'video/x-m4v' => ['m4v', 'mp4', 'f4v', 'lrv', 'lrf'], 'video/x-matroska' => ['mkv', 'mk3d', 'mks'], 'video/x-matroska-3d' => ['mk3d'], 'video/x-mjpeg' => ['mjpeg', 'mjpg'],@@ -1965,6 +1999,7 @@ '7z' => ['application/x-7z-compressed'], '7z.001' => ['application/x-7z-compressed'], 'C' => ['text/x-c++src'],+ 'Dockerfile' => ['text/x-dockerfile'], 'PAR2' => ['application/x-par2'], 'PL' => ['application/x-perl', 'text/x-perl'], 
'Z' => ['application/x-compress'],@@ -2008,6 +2043,7 @@ 'ait' => ['application/vnd.dvb.ait'], 'al' => ['application/x-perl', 'text/x-perl'], 'alz' => ['application/x-alz'],+ 'amf' => ['application/x-amf'], 'ami' => ['application/vnd.amiga.ami'], 'aml' => ['application/automationml-aml+xml'], 'amlx' => ['application/automationml-amlx+zip'],@@ -2026,9 +2062,10 @@ 'animj' => ['video/x-anim'], 'anx' => ['application/annodex', 'application/x-annodex'], 'ape' => ['audio/x-ape'],- 'apk' => ['application/vnd.android.package-archive'],+ 'apk' => ['application/vnd.android.package-archive', 'application/x-alpine-package-keeper-package'], 'apng' => ['image/apng', 'image/vnd.mozilla.apng'], 'appcache' => ['text/cache-manifest'],+ 'appdata.xml' => ['application/x-freedesktop-appstream-component'], 'appimage' => ['application/vnd.appimage', 'application/x-iso9660-appimage'], 'appinstaller' => ['application/appinstaller'], 'application' => ['application/x-ms-application'],@@ -2036,6 +2073,7 @@ 'appxbundle' => ['application/appxbundle'], 'apr' => ['application/vnd.lotus-approach'], 'ar' => ['application/x-archive'],+ 'ar.sf3' => ['application/x.sf3-archive'], 'arc' => ['application/x-freearc'], 'arj' => ['application/x-arj'], 'arw' => ['image/x-sony-arw'],@@ -2058,6 +2096,7 @@ 'atomsvc' => ['application/atomsvc+xml'], 'atx' => ['application/vnd.antix.game-component'], 'au' => ['audio/basic'],+ 'au.sf3' => ['audio/x.sf3'], 'automount' => ['text/x-systemd-unit'], 'avci' => ['image/avci'], 'avcs' => ['image/avcs'],@@ -2107,6 +2146,7 @@ 'brk' => ['chemical/x-pdb'], 'bsdiff' => ['application/x-bsdiff'], 'bsp' => ['model/vnd.valve.source.compiled-map'],+ 'bst' => ['application/buildstream+yaml'], 'btf' => ['image/prs.btif'], 'btif' => ['image/prs.btif'], 'bz' => ['application/bzip2', 'application/x-bzip', 'application/x-bzip1'],@@ -2151,6 +2191,8 @@ 'cdmiq' => ['application/cdmi-queue'], 'cdr' => ['application/cdr', 'application/coreldraw', 'application/vnd.corel-draw', 
'application/x-cdr', 'application/x-coreldraw', 'image/cdr', 'image/x-cdr', 'zz-application/zz-winassoc-cdr'], 'cdx' => ['chemical/x-cdx'],+ 'cdx.json' => ['application/vnd.cyclonedx+json'],+ 'cdx.xml' => ['application/vnd.cyclonedx+xml'], 'cdxml' => ['application/vnd.chemdraw+xml'], 'cdy' => ['application/vnd.cinderella'], 'cel' => ['image/x-kiss-cel'],@@ -2166,10 +2208,11 @@ 'cif' => ['chemical/x-cif'], 'cii' => ['application/vnd.anser-web-certificate-issue-initiation'], 'cil' => ['application/vnd.ms-artgalry'],- 'cjs' => ['application/node'],- 'cl' => ['text/x-opencl-src'],+ 'cjs' => ['application/javascript', 'application/node', 'application/x-javascript', 'text/javascript', 'text/jscript'],+ 'cl' => ['text/x-opencl-csrc', 'text/x-opencl-src'], 'cla' => ['application/vnd.claymore'], 'class' => ['application/java', 'application/java-byte-code', 'application/java-vm', 'application/x-java', 'application/x-java-class', 'application/x-java-vm'],+ 'clcpp' => ['text/x-opencl-c++src'], 'cld' => ['model/vnd.cld'], 'clkk' => ['application/vnd.crick.clicker.keyboard'], 'clkp' => ['application/vnd.crick.clicker.palette'],@@ -2216,6 +2259,7 @@ 'cst' => ['application/x-director'], 'csv' => ['text/csv', 'application/csv', 'text/x-comma-separated-values', 'text/x-csv'], 'csvs' => ['text/csv-schema'],+ 'cts' => ['application/typescript'], 'cu' => ['application/cu-seeme'], 'cue' => ['application/x-cue'], 'cur' => ['image/x-win-bitmap'],@@ -2284,7 +2328,10 @@ 'dsc' => ['text/prs.lines.tag'], 'dsf' => ['audio/dsd', 'audio/dsf', 'audio/x-dsd', 'audio/x-dsf'], 'dsl' => ['text/x-dsl'],+ 'dsm' => ['audio/x-dsp'],+ 'dsp' => ['audio/x-dsp', 'text/x-ms-visualstudio.project'], 'dssc' => ['application/dssc+der'],+ 'dsw' => ['text/x-ms-visualstudio.workspace'], 'dtb' => ['application/x-dtbook+xml', 'text/x-devicetree-binary'], 'dtd' => ['application/xml-dtd', 'text/x-dtd'], 'dts' => ['audio/vnd.dts', 'audio/x-dts', 'text/x-devicetree-source'],@@ -2506,6 +2553,7 @@ 'h4' => 
['application/x-hdf'], 'h5' => ['application/x-hdf'], 'hal' => ['application/vnd.hal+xml'],+ 'har' => ['application/har+json'], 'hbci' => ['application/vnd.hbci'], 'hbs' => ['text/x-handlebars-template'], 'hdd' => ['application/x-virtualbox-hdd'],@@ -2513,6 +2561,7 @@ 'hdf4' => ['application/x-hdf'], 'hdf5' => ['application/x-hdf'], 'hdp' => ['image/jxr', 'image/vnd.ms-photo'],+ 'hdr' => ['image/vnd.radiance', 'image/x-hdr'], 'heic' => ['image/heic', 'image/heic-sequence', 'image/heif', 'image/heif-sequence'], 'heics' => ['image/heic-sequence'], 'heif' => ['image/heic', 'image/heic-sequence', 'image/heif', 'image/heif-sequence'],@@ -2567,6 +2616,7 @@ 'ilbm' => ['image/x-iff', 'image/x-ilbm'], 'ime' => ['audio/imelody', 'audio/x-imelody', 'text/x-imelody'], 'img' => ['application/vnd.efi.img', 'application/x-raw-disk-image'],+ 'img.sf3' => ['image/x.sf3'], 'img.xz' => ['application/x-raw-disk-image-xz-compressed'], 'imp' => ['application/vnd.accpac.simply.imp'], 'ims' => ['application/vnd.ms-ims'],@@ -2709,8 +2759,9 @@ 'lnx' => ['application/x-atari-lynx-rom'], 'loas' => ['audio/usac'], 'log' => ['text/plain', 'text/x-log'],+ 'log.sf3' => ['application/x.sf3-log'], 'lostxml' => ['application/lost+xml'],- 'lrf' => ['application/x-sony-bbeb'],+ 'lrf' => ['application/x-sony-bbeb', 'video/mp4', 'video/mp4v-es', 'video/x-m4v'], 'lrm' => ['application/vnd.ms-lrm'], 'lrv' => ['video/mp4', 'video/mp4v-es', 'video/x-m4v'], 'lrz' => ['application/x-lrzip'],@@ -2780,6 +2831,7 @@ 'med' => ['audio/x-mod'], 'mesh' => ['model/mesh'], 'meta4' => ['application/metalink4+xml'],+ 'metainfo.xml' => ['application/x-freedesktop-appstream-component'], 'metalink' => ['application/metalink+xml'], 'mets' => ['application/mets+xml'], 'mfm' => ['application/vnd.mfmp'],@@ -2820,6 +2872,7 @@ 'mobi' => ['application/x-mobipocket-ebook'], 'moc' => ['text/x-moc'], 'mod' => ['application/x-object', 'audio/x-mod'],+ 'mod.sf3' => ['model/x.sf3'], 'mods' => ['application/mods+xml'], 'mof' => 
['text/x-mof'], 'moov' => ['video/quicktime'],@@ -2876,7 +2929,7 @@ 'msx' => ['application/x-msx-rom'], 'mtl' => ['model/mtl'], 'mtm' => ['audio/x-mod'],- 'mts' => ['model/vnd.mts', 'video/mp2t'],+ 'mts' => ['application/typescript', 'model/vnd.mts', 'video/mp2t'], 'mup' => ['text/x-mup'], 'mus' => ['application/vnd.musician'], 'musd' => ['application/mmt-usd+xml'],@@ -2921,11 +2974,13 @@ 'nrw' => ['image/x-nikon-nrw'], 'nsc' => ['application/x-conference', 'application/x-netshow-channel'], 'nsf' => ['application/vnd.lotus-notes'],+ 'nsh' => ['text/x-nsis'],+ 'nsi' => ['text/x-nsis'], 'nsv' => ['video/x-nsv'], 'nt' => ['application/n-triples'], 'ntar' => ['application/x-pcapng'], 'ntf' => ['application/vnd.nitf'],- 'nu' => ['application/x-nuscript', 'text/x-nu'],+ 'nu' => ['application/x-nuscript', 'text/x-nu', 'text/x-nushell'], 'numbers' => ['application/vnd.apple.numbers', 'application/x-iwork-numbers-sffnumbers'], 'nzb' => ['application/x-nzb'], 'o' => ['application/x-object'],@@ -3045,12 +3100,14 @@ 'pgm' => ['image/x-portable-graymap'], 'pgn' => ['application/vnd.chess-pgn', 'application/x-chess-pgn'], 'pgp' => ['application/pgp', 'application/pgp-encrypted', 'application/pgp-keys', 'application/pgp-signature'],+ 'phm' => ['image/x-phm'], 'php' => ['application/x-php', 'application/x-httpd-php'], 'php3' => ['application/x-php'], 'php4' => ['application/x-php'], 'php5' => ['application/x-php'], 'phps' => ['application/x-php'],- 'pic' => ['image/x-pict'],+ 'phys.sf3' => ['model/x.sf3-physics'],+ 'pic' => ['image/vnd.radiance', 'image/x-hdr', 'image/x-pict'], 'pict' => ['image/x-pict'], 'pict1' => ['image/x-pict'], 'pict2' => ['image/x-pict'],@@ -3059,6 +3116,7 @@ 'pki' => ['application/pkixcmp'], 'pkipath' => ['application/pkix-pkipath'], 'pkpass' => ['application/vnd.apple.pkpass'],+ 'pkpasses' => ['application/vnd.apple.pkpasses'], 'pkr' => ['application/pgp-keys'], 'pl' => ['application/x-perl', 'text/x-perl'], 'pla' => ['audio/x-iriver-pla'],@@ -3110,7 
+3168,7 @@ 'psw' => ['application/x-pocket-word'], 'pti' => ['image/prs.pti'], 'ptid' => ['application/vnd.pvi.ptid1'],- 'pub' => ['application/vnd.ms-publisher', 'application/x-mspublisher'],+ 'pub' => ['application/vnd.ms-publisher', 'application/x-mspublisher', 'text/x-ssh-public-key'], 'pvb' => ['application/vnd.3gpp.pic-bw-var'], 'pw' => ['application/x-pw'], 'pwn' => ['application/vnd.3m.post-it-notes'],@@ -3170,17 +3228,19 @@ 'raw-disk-image' => ['application/vnd.efi.img', 'application/x-raw-disk-image'], 'raw-disk-image.xz' => ['application/x-raw-disk-image-xz-compressed'], 'rax' => ['audio/vnd.m-realaudio', 'audio/vnd.rn-realaudio', 'audio/x-pn-realaudio'],- 'rb' => ['application/x-ruby'],+ 'rb' => ['application/x-ruby', 'text/x-ruby'], 'rcprofile' => ['application/vnd.ipunplugged.rcprofile'], 'rdf' => ['application/rdf+xml', 'text/rdf'], 'rdfs' => ['application/rdf+xml', 'text/rdf'], 'rdz' => ['application/vnd.data-vision.rdz'], 'reg' => ['text/x-ms-regedit'], 'rej' => ['application/x-reject', 'text/x-reject'],+ 'releases.xml' => ['application/x-freedesktop-appstream-releases'], 'relo' => ['application/p2p-overlay+xml'], 'rep' => ['application/vnd.businessobjects'], 'res' => ['application/x-dtbresource+xml', 'application/x-godot-resource'], 'rgb' => ['image/x-rgb'],+ 'rgbe' => ['image/vnd.radiance', 'image/x-hdr'], 'rif' => ['application/reginfo+xml'], 'rip' => ['audio/vnd.rip'], 'ris' => ['application/x-research-info-systems'],@@ -3234,6 +3294,7 @@ 'sbml' => ['application/sbml+xml'], 'sc' => ['application/vnd.ibm.secure-container', 'text/x-scala'], 'scala' => ['text/x-scala'],+ 'scap' => ['application/x-pcapng'], 'scd' => ['application/x-msschedule'], 'scm' => ['application/vnd.lotus-screencam', 'text/x-scheme'], 'scn' => ['application/x-godot-scene'],@@ -3265,6 +3326,7 @@ 'service' => ['text/x-dbus-service', 'text/x-systemd-unit'], 'setpay' => ['application/set-payment-initiation'], 'setreg' => ['application/set-registration-initiation'],+ 'sf3' => 
['application/x.sf3-archive', 'application/x.sf3-log', 'application/x.sf3-table', 'application/x.sf3-text', 'audio/x.sf3', 'image/x.sf3', 'image/x.sf3-vector', 'model/x.sf3', 'model/x.sf3-physics'], 'sfc' => ['application/vnd.nintendo.snes.rom', 'application/x-snes-rom'], 'sfd-hdstx' => ['application/vnd.hydrostatix.sof-data'], 'sfs' => ['application/vnd.spotfire.sfs', 'application/vnd.squashfs'],@@ -3331,6 +3393,7 @@ 'spc' => ['application/x-pkcs7-certificates'], 'spd' => ['application/x-font-speedo'], 'spdx' => ['text/spdx'],+ 'spdx.json' => ['application/spdx+json'], 'spec' => ['text/x-rpm-spec'], 'spf' => ['application/vnd.yamaha.smaf-phrase'], 'spl' => ['application/futuresplash', 'application/vnd.adobe.flash.movie', 'application/x-futuresplash', 'application/x-shockwave-flash'],@@ -3407,6 +3470,7 @@ 't2t' => ['text/x-txt2tags'], 't3' => ['application/x-t3vm-image'], 't38' => ['image/t38'],+ 'tab.sf3' => ['application/x.sf3-table'], 'taglet' => ['application/vnd.mynfc'], 'tak' => ['audio/x-tak'], 'tao' => ['application/vnd.tao.intent-module-archive'],@@ -3471,7 +3535,7 @@ 'trig' => ['application/trig', 'application/x-trig'], 'trm' => ['application/x-msterminal'], 'trz' => ['application/x-rzip-compressed-tar'],- 'ts' => ['application/x-linguist', 'text/vnd.qt.linguist', 'text/vnd.trolltech.linguist', 'video/mp2t'],+ 'ts' => ['application/typescript', 'application/x-linguist', 'text/vnd.qt.linguist', 'text/vnd.trolltech.linguist', 'video/mp2t'], 'tscn' => ['application/x-godot-scene'], 'tsd' => ['application/timestamped-data'], 'tsv' => ['text/tab-separated-values'],@@ -3488,8 +3552,9 @@ 'txd' => ['application/vnd.genomatix.tuxedo'], 'txf' => ['application/vnd.mobius.txf'], 'txt' => ['text/plain'],+ 'txt.sf3' => ['application/x.sf3-text'], 'txz' => ['application/x-xz-compressed-tar'],- 'typ' => ['text/x-typst'],+ 'typ' => ['text/vnd.typst', 'text/x-typst'], 'tzo' => ['application/x-tzo'], 'tzst' => ['application/x-zstd-compressed-tar'], 'u32' => 
['application/x-authorware-bin'],@@ -3571,6 +3636,7 @@ 'vda' => ['application/tga', 'application/x-targa', 'application/x-tga', 'image/targa', 'image/tga', 'image/x-icb', 'image/x-targa', 'image/x-tga'], 'vdi' => ['application/x-vdi-disk', 'application/x-virtualbox-vdi'], 'vds' => ['model/vnd.sap.vds'],+ 'vec.sf3' => ['image/x.sf3-vector'], 'vhd' => ['application/x-vhd-disk', 'application/x-virtualbox-vhd', 'text/x-vhdl'], 'vhdl' => ['text/x-vhdl'], 'vhdx' => ['application/x-vhdx-disk', 'application/x-virtualbox-vhdx'],@@ -3756,6 +3822,7 @@ 'xvml' => ['application/xv+xml'], 'xwd' => ['image/x-xwindowdump'], 'xyz' => ['chemical/x-xyz'],+ 'xyze' => ['image/vnd.radiance', 'image/x-hdr'], 'xz' => ['application/x-xz'], 'yaml' => ['application/yaml', 'application/x-yaml', 'text/x-yaml', 'text/yaml'], 'yang' => ['application/yang'],
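Review bot: several REVERSE_MAP entries change their first element, which callers that take `getMimeTypes($ext)[0]` as "the" type for an extension will observe: `cjs` moves from `application/node` to `application/javascript`, `cl` from `text/x-opencl-src` to `text/x-opencl-csrc`, `pic` from `image/x-pict` to `image/vnd.radiance`, and `ts` gains `application/typescript` ahead of `application/x-linguist` and `video/mp2t`. That follows from the alphabetical ordering of the generated table, but it deserves a changelog line, since an allow-list or a `Content-Type` derived from the first guess differs between RC1 and RC2. The same hunks make `apk` resolve to both `application/vnd.android.package-archive` and `application/x-alpine-package-keeper-package`, and `pub` to the Publisher types plus `text/x-ssh-public-key`: any check that equates one extension with one type should iterate the whole list rather than read index 0.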
**Analysis:** The diff updates the MIME type tables in Symfony's Mime component (`MimeTypes::MAP` and `MimeTypes::REVERSE_MAP`), regenerated from upstream as the header comment records (2024-11-09 to 2025-11-15). The changes are:

1. New MIME type entries, for example `application/har+json`, `application/spdx+json`, `application/vnd.cyclonedx+json`, `application/typescript`, `text/x-dockerfile`, `text/x-ssh-public-key` and the `*.sf3` family
2. Additional extensions on existing entries, for example `cjs` for the JavaScript types, `lrf` for the MP4 types and `scap` for `application/x-pcapng`
3. The "Updated from upstream" date

Such regenerations add support for new formats, improve recognition of existing ones and keep the table current.

**Security Assessment:**
Vulnerability Existed: no
No specific CWE - MIME type mapping update - src/Symfony/Component/Mime/MimeTypes.php Lines 135-3822
Old Code: Previous MIME type mappings with older update date
Fixed Code: Updated MIME type mappings with newer update date

**Explanation:** This is routine maintenance of the MIME database, not a security fix: no mapping is removed or restricted, every change adds a type or an extension. Extension-to-type lookups of this kind are hints for naming and serving files, not a defence against CWE-434 (Unrestricted Upload of File with Dangerous Type): the extension is attacker-controlled, and after this update several extensions resolve to more than one type (`apk`, `pub`, `ts`, `pic`). Upload handlers should keep validating content (for example with `guessMimeType()`, which inspects the file rather than its name) and allow-listing the result.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Routing/Loader/schema/routing.schema.json 2025-11-13 13:14:23.936026498 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Routing/Loader/schema/routing.schema.json 2025-11-16 18:01:39.701688173 +0000@@ -62,7 +62,17 @@ "locale": { "type": "string" }, "format": { "type": "string" }, "utf8": { "type": "boolean" },- "stateless": { "type": "boolean" }+ "stateless": { "type": "boolean" },+ "deprecated": {+ "type": "object",+ "properties": {+ "package": { "type": "string" },+ "version": { "type": "string" },+ "message": { "type": "string" }+ },+ "required": ["package", "version"],+ "additionalProperties": false+ } }, "required": ["path"], "additionalProperties": false@@ -70,7 +80,22 @@ "routeImport": { "type": "object", "properties": {- "resource": { "type": "string", "description": "Path to the resource to import." },+ "resource": {+ "description": "Path to the resource to import (commonly a string or {path, namespace}), array of paths, or custom value for loaders (additional properties allowed for extensions).",+ "oneOf": [+ { "type": "string" },+ { "type": "array", "items": { "type": "string" } },+ {+ "type": "object",+ "properties": {+ "path": { "type": "string", "description": "The directory path to the resource." },+ "namespace": { "type": "string", "description": "The namespace of the controllers in the imported resource (e.g., 'App\\Availability\\UserInterface\\Api')." }+ },+ "required": ["path"],+ "additionalProperties": true+ }+ ]+ }, "type": { "type": "string", "description": "The type of the resource (e.g., 'attribute', 'annotation', 'yaml')."@@ -78,7 +103,7 @@ "prefix": { "oneOf": [ { "type": "string" },- { "type": "object", "patternProperties": { "^.+$": { "type": "string" } } }+ { "type": "object", "patternProperties": { "^.+$": { "type": "string" } }, "additionalProperties": false } ], "description": "A URL prefix to apply to all routes from the imported resource." },
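Review bot: `additionalProperties: false` on the object form of `prefix` changes almost nothing, because the `^.+$` pattern already matches every non-empty key; the only input it newly rejects is an empty-string key. If the intent is to constrain per-locale prefixes to locale codes, the pattern itself (e.g. `^[a-z]{2}(_[A-Z]{2})?$`) is where that belongs. In the `resource` change, the object branch sets `additionalProperties: true`, which is the default and can be dropped, and the description repeats the `oneOf` in prose. `deprecated` requires `package` and `version` but gives `version` no pattern, so `"version": "7.4"` and `"version": "next"` both pass.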
Vulnerability Existed: no
No specific CWE - new optional `deprecated` object (`package` and `version` required, `message` optional, no other keys) for route definitions in the JSON schema; an additive schema change, not the closing of a weakness - src/Symfony/Component/Routing/Loader/schema/routing.schema.json [Lines 62-80]
Old Code:
```json
"stateless": { "type": "boolean" }
```
Fixed Code:
```json
"stateless": { "type": "boolean" },
"deprecated": {
"type": "object",
"properties": {
"package": { "type": "string" },
"version": { "type": "string" },
"message": { "type": "string" }
},
"required": ["package", "version"],
"additionalProperties": false
}
```
Vulnerability Existed: no
No specific CWE - `resource` widened from a plain string to a string, an array of strings or a `{path, namespace}` object with extra keys allowed; this accepts more input than before rather than less - src/Symfony/Component/Routing/Loader/schema/routing.schema.json [Lines 70-103]
Old Code:
```json
"resource": { "type": "string", "description": "Path to the resource to import." },
```
Fixed Code:
```json
"resource": {
"description": "Path to the resource to import (commonly a string or {path, namespace}), array of paths, or custom value for loaders (additional properties allowed for extensions).",
"oneOf": [
{ "type": "string" },
{ "type": "array", "items": { "type": "string" } },
{
"type": "object",
"properties": {
"path": { "type": "string", "description": "The directory path to the resource." },
"namespace": { "type": "string", "description": "The namespace of the controllers in the imported resource (e.g., 'App\\Availability\\UserInterface\\Api')." }
},
"required": ["path"],
"additionalProperties": true
}
]
},
```
Vulnerability Existed: no
No specific CWE - `additionalProperties: false` added to the object form of `prefix`; because the `^.+$` pattern already matches every non-empty key, only an empty-string key is newly rejected, so nothing of security relevance is tightened - src/Symfony/Component/Routing/Loader/schema/routing.schema.json [Lines 78-103]
Old Code:
```json
{ "type": "object", "patternProperties": { "^.+$": { "type": "string" } } }
```
Fixed Code:
```json
{ "type": "object", "patternProperties": { "^.+$": { "type": "string" } }, "additionalProperties": false }
```
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php 2025-11-13 13:14:24.109037597 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php 2025-11-16 18:01:39.718689265 +0000@@ -33,6 +33,7 @@ use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader; use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge; use Symfony\Contracts\Cache\CacheInterface;+use Symfony\Contracts\Cache\ItemInterface; use Symfony\Contracts\HttpClient\HttpClientInterface; /**@@ -93,43 +94,7 @@ $jwkset = $this->signatureKeyset; if ($this->discoveryClients) {- $clients = $this->discoveryClients;- $logger = $this->logger;- $keys = $this->discoveryCache->get($this->oidcConfigurationCacheKey, static function () use ($clients, $logger): array {- try {- $configResponses = [];- foreach ($clients as $client) {- $configResponses[] = $client->request('GET', '.well-known/openid-configuration', [- 'user_data' => $client,- ]);- }-- $jwkSetResponses = [];- foreach ($client->stream($configResponses) as $response => $chunk) {- if ($chunk->isLast()) {- $jwkSetResponses[] = $response->getInfo('user_data')->request('GET', $response->toArray()['jwks_uri']);- }- }-- $keys = [];- foreach ($jwkSetResponses as $response) {- foreach ($response->toArray()['keys'] as $key) {- if ('sig' === $key['use']) {- $keys[] = $key;- }- }- }-- return $keys;- } catch (\Exception $e) {- $logger?->error('An error occurred while requesting OIDC certs.', [- 'error' => $e->getMessage(),- 'trace' => $e->getTraceAsString(),- ]);-- throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);- }- });+ $keys = $this->discoveryCache->get($this->oidcConfigurationCacheKey, [$this, 'computeDiscoveryKeys']); $jwkset = JWKSet::createFromKeyData(['keys' => $keys]); }@@ -158,6 +123,70 @@ throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e); } }++ /**+ * Computes the JWKS and sets 
the cache item TTL from provider headers.+ *+ * The cache entry lifetime is automatically adjusted based on the lowest TTL+ * advertised by the providers (via "Cache-Control: max-age" or "Expires" headers).+ *+ * @internal this method is public to enable async offline cache population+ */+ public function computeDiscoveryKeys(ItemInterface $item): array+ {+ $clients = $this->discoveryClients;+ $logger = $this->logger;++ try {+ $configResponses = [];+ foreach ($clients as $client) {+ $configResponses[] = $client->request('GET', '.well-known/openid-configuration', [+ 'user_data' => $client,+ ]);+ }++ $jwkSetResponses = [];+ foreach ($client->stream($configResponses) as $response => $chunk) {+ if ($chunk->isLast()) {+ $jwkSetResponses[] = $response->getInfo('user_data')->request('GET', $response->toArray()['jwks_uri']);+ }+ }+ $keys = [];+ $minTtl = null;+ foreach ($jwkSetResponses as $response) {+ $headers = $response->getHeaders();+ if (preg_match('/max-age=(\d+)/', $headers['cache-control'][0] ?? '', $m)) {+ $currentTtl = (int) $m[1];+ } elseif (0 >= $currentTtl = strtotime($headers['expires'][0] ?? '@0') - time()) {+ $currentTtl = null;+ }++ // Apply the lowest TTL found to ensure all keys in the set are still valid+ if (null !== $currentTtl && (null === $minTtl || $currentTtl < $minTtl)) {+ $minTtl = $currentTtl;+ }++ foreach ($response->toArray()['keys'] as $key) {+ if ('sig' === $key['use']) {+ $keys[] = $key;+ }+ }+ }++ if (0 < ($minTtl ?? -1)) {+ // Cap the TTL to 30 days to avoid keeping JWKS indefinitely+ $item->expiresAfter(min($minTtl, 30 * 24 * 60 * 60));+ }++ return $keys;+ } catch (\Exception $e) {+ $logger?->error('An error occurred while requesting OIDC certs.', [+ 'error' => $e->getMessage(),+ 'trace' => $e->getTraceAsString(),+ ]);+ throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);+ }+ } private function loadAndVerifyJws(string $accessToken, JWKSet $jwkset): array {
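Review bot: the 30-day cap in `computeDiscoveryKeys()` is only applied when a TTL was parsed (`if (0 < ($minTtl ?? -1))`), so when no provider sends `Cache-Control: max-age` or a future `Expires`, or when one sends `max-age=0` (which makes `$minTtl` 0), `expiresAfter()` is never called and the item keeps the pool's default lifetime, which is exactly what the comment `// Cap the TTL to 30 days to avoid keeping JWKS indefinitely` says should be avoided. Consider always setting an expiry, e.g. `$item->expiresAfter(min($minTtl ?? $default, 30 * 24 * 60 * 60))`, and treating `max-age=0` and `no-store` (which the regex does not look at) as "do not cache" rather than as "no information". Two pre-existing points are carried over unchanged and could be fixed while the code moves: `$client->stream($configResponses)` uses whichever client the preceding `foreach` left in `$client`, and `'sig' === $key['use']` assumes every JWK carries a `use` member, which RFC 7517 makes optional, so keys without it are dropped with an "Undefined array key" warning rather than accepted or rejected deliberately.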
Vulnerability Existed: not sure
No specific CWE (the closest is CWE-324, Use of a Key Past its Expiration Date) - cached OIDC discovery keys (JWKS) were stored without a lifetime derived from the provider's freshness headers - src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php [93-94, 123-176]
Old Code:
```php
$keys = $this->discoveryCache->get($this->oidcConfigurationCacheKey, static function () use ($clients, $logger): array {
    // ... complex logic with error handling
});
```
Fixed Code:
```php
$keys = $this->discoveryCache->get($this->oidcConfigurationCacheKey, [$this, 'computeDiscoveryKeys']);
```
and, inside the new public `computeDiscoveryKeys(ItemInterface $item)`:
```php
// Added cache TTL management based on provider Cache-Control/Expires headers
if (preg_match('/max-age=(\d+)/', $headers['cache-control'][0] ?? '', $m)) {
    $currentTtl = (int) $m[1];
} elseif (0 >= $currentTtl = strtotime($headers['expires'][0] ?? '@0') - time()) {
    $currentTtl = null;
}
// ... and TTL comparison logic
if (0 < ($minTtl ?? -1)) {
    $item->expiresAfter(min($minTtl, 30 * 24 * 60 * 60));
}
```
**Explanation:** The fetch logic moves unchanged from a closure into a public method (marked `@internal`, so the cache entry can be populated asynchronously), and the cache item now expires after the lowest `max-age` or `Expires` the providers advertise, capped at 30 days. Before, the JWKS lived for the cache pool's default lifetime whatever the provider announced, so a rotated or withdrawn signing key stayed trusted, and a newly published one stayed unseen, until the entry was evicted by other means. Honouring the provider's freshness bounds that window. This is hardening of key-rotation handling rather than the fix of a concrete vulnerability, and the diff does not present it as a security fix. Note that when no provider sends a usable TTL, or one sends `max-age=0`, `expiresAfter()` is still not called and the pool default applies.
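The TTL derivation above is small enough to study on its own. What follows is an added example, not Symfony's code: a standalone PHP 8 script that re-implements the rules of `computeDiscoveryKeys()` (max-age before Expires, lowest value across providers, 30-day cap) for header arrays shaped like HttpClient's `getHeaders()` result, and goes one step further than the hunk, by assumption rather than upstream behaviour: a provider without usable headers gets a short assumed fallback (`JWKS_TTL_FALLBACK`, five minutes here) instead of the pool default, `max-age=0` and `no-store` mean "do not cache", and JWKs without the optional `use` member are kept unless `key_ops` excludes verification. The constants, function names and sample headers are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Applies the TTL rules of
// OidcTokenHandler::computeDiscoveryKeys() to header arrays shaped like
// HttpClient's getHeaders() (lowercase names => list of values), plus a
// stricter policy (assumption, not upstream behaviour) for the cases the
// hunk leaves to the cache pool's default lifetime.

const JWKS_TTL_CAP = 30 * 24 * 60 * 60; // 30 days, the cap used in the hunk
const JWKS_TTL_FALLBACK = 300;          // assumed: 5 minutes when a provider gives no usable TTL
const JWKS_DO_NOT_CACHE = 0;            // returned when the response must not be cached

/**
 * Freshness lifetime of one JWKS response in seconds.
 *
 * Precedence follows the hunk: Cache-Control max-age first, then Expires.
 * Returns null when neither header is usable, and JWKS_DO_NOT_CACHE (0)
 * when the provider forbids caching or the document is already stale.
 */
function jwksResponseTtl(array $headers, int $now): ?int
{
    $cacheControl = strtolower($headers['cache-control'][0] ?? '');

    if (str_contains($cacheControl, 'no-store')) {
        return JWKS_DO_NOT_CACHE;
    }
    // The lookbehind keeps directives such as "x-max-age=" from matching.
    if (preg_match('/(?<![\w-])max-age=(\d+)/', $cacheControl, $m)) {
        return (int) $m[1]; // max-age=0 yields 0: do not cache
    }

    $expires = $headers['expires'][0] ?? '';
    if ('' === $expires) {
        return null; // no freshness information at all
    }
    $at = strtotime($expires);
    if (false === $at) {
        return null; // unparseable date: treat as absent
    }

    return max(JWKS_DO_NOT_CACHE, $at - $now); // an Expires in the past means "already stale"
}

/**
 * Lifetime for the combined cache item: the lowest TTL across providers, so
 * every key in the merged set is still inside its publisher's freshness
 * window, always capped at JWKS_TTL_CAP and never left to the pool default.
 */
function boundedJwksTtl(array $responses, int $now): int
{
    $min = JWKS_TTL_CAP;
    foreach ($responses as $headers) {
        $ttl = jwksResponseTtl($headers, $now) ?? JWKS_TTL_FALLBACK;
        $min = min($min, $ttl);
    }

    return $min;
}

/**
 * Signing keys of a JWKS document. RFC 7517 makes "use" optional: a key
 * with "use" is kept only when it says "sig"; a key without "use" is kept
 * unless its (also optional) "key_ops" excludes "verify".
 */
function signingKeys(array $jwks): array
{
    return array_values(array_filter(
        $jwks['keys'] ?? [],
        static function (array $key): bool {
            if (isset($key['use'])) {
                return 'sig' === $key['use'];
            }

            return !isset($key['key_ops']) || \in_array('verify', $key['key_ops'], true);
        },
    ));
}

// Constructed sample responses (not captured from real providers).
$now = 1_700_000_000;
$providers = [
    ['cache-control' => ['public, max-age=86400']],                  // one day
    ['expires' => [gmdate('D, d M Y H:i:s \G\M\T', $now + 3600)]],  // one hour
    [],                                                               // nothing usable: fallback applies
];
echo boundedJwksTtl($providers, $now), "\n";
echo boundedJwksTtl([['cache-control' => ['no-cache, max-age=0']]], $now), "\n";
echo boundedJwksTtl([['cache-control' => ['max-age=99999999']]], $now), "\n";

// Constructed JWKS document: one signing key, one encryption key, one
// unrestricted key and one key limited to key derivation.
$jwks = ['keys' => [
    ['kty' => 'RSA', 'kid' => 'a', 'use' => 'sig'],
    ['kty' => 'RSA', 'kid' => 'b', 'use' => 'enc'],
    ['kty' => 'EC', 'kid' => 'c'],
    ['kty' => 'EC', 'kid' => 'd', 'key_ops' => ['deriveKey']],
]];
echo implode(',', array_column(signingKeys($jwks), 'kid')), "\n";
```

Run with `php`: the three `boundedJwksTtl()` calls yield the five-minute fallback (the lowest of the three providers), 0 for the `max-age=0` provider and the 30-day cap for the over-long `max-age`, and `signingKeys()` keeps `a` and `c` while dropping the encryption key `b` and the `deriveKey`-only key `d`. Returning 0 rather than skipping `expiresAfter()` lets the caller decide not to store at all, which is the missing branch in the hunk.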
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Translation/CHANGELOG.md 2025-11-13 13:14:24.303050042 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Translation/CHANGELOG.md 2025-11-16 18:01:39.736690422 +0000@@ -12,6 +12,7 @@ 7.4 --- + * Make the extractor alias optional * Deprecate `TranslatableMessage::__toString` * Add `Symfony\Component\Translation\StaticMessage`
Vulnerability Existed: no
No vulnerabilities found - The diff only touches the Translation component's CHANGELOG; it adds the 7.4 entry "Make the extractor alias optional" (the other two entries shown, the deprecation of `TranslatableMessage::__toString` and the new `StaticMessage` class, are unchanged context). A changelog line documents a feature, not a security fix; the code behind it is the `TranslationExtractorPass` change that follows.
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Translation/DependencyInjection/TranslationExtractorPass.php 2025-11-13 13:14:24.314050748 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Translation/DependencyInjection/TranslationExtractorPass.php 2025-11-16 18:01:39.737690486 +0000@@ -13,7 +13,6 @@ use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface; use Symfony\Component\DependencyInjection\ContainerBuilder;-use Symfony\Component\DependencyInjection\Exception\RuntimeException; use Symfony\Component\DependencyInjection\Reference; /**@@ -30,11 +29,7 @@ $definition = $container->getDefinition('translation.extractor'); foreach ($container->findTaggedServiceIds('translation.extractor', true) as $id => $attributes) {- if (!isset($attributes[0]['alias'])) {- throw new RuntimeException(\sprintf('The alias for the tag "translation.extractor" of service "%s" must be set.', $id));- }-- $definition->addMethodCall('addExtractor', [$attributes[0]['alias'], new Reference($id)]);+ $definition->addMethodCall('addExtractor', [$attributes[0]['alias'] ?? $id, new Reference($id)]); } } }
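Review bot: with `$attributes[0]['alias'] ?? $id`, a service id and an explicit alias now share the key space passed to `addExtractor()`; if `addExtractor()` keys extractors by that name (its body is not in the hunk), a tagged service without alias whose id equals another extractor's alias silently replaces it. A compile-time check for duplicate names, or a test covering that collision, would make the fallback safe. Dropping the `RuntimeException` also removes the only diagnostic for a missing alias, so the CHANGELOG entry "Make the extractor alias optional" should state that the service id is used in that case.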
Vulnerability Existed: no
No specific CWE - the `alias` attribute of the `translation.extractor` tag becomes optional, with the service id as fallback (the "Make the extractor alias optional" CHANGELOG entry); replacing a configuration-time `RuntimeException` with a default is a feature change, not the fix of a weakness - src/Symfony/Component/Translation/DependencyInjection/TranslationExtractorPass.php [30-34]
Old Code:
```php
if (!isset($attributes[0]['alias'])) {
throw new RuntimeException(\sprintf('The alias for the tag "translation.extractor" of service "%s" must be set.', $id));
}
$definition->addMethodCall('addExtractor', [$attributes[0]['alias'], new Reference($id)]);
```
Fixed Code:
```php
$definition->addMethodCall('addExtractor', [$attributes[0]['alias'] ?? $id, new Reference($id)]);
```
--- cache/symfony_v8.0.0-RC1/src/Symfony/Component/Yaml/Parser.php 2025-11-13 13:14:24.771080066 +0000+++ cache/symfony_v8.0.0-RC2/src/Symfony/Component/Yaml/Parser.php 2025-11-16 18:01:39.786693634 +0000@@ -782,7 +782,7 @@ } if ($this->isCurrentLineComment()) {- continue;+ break; } $lines[] = trim($this->currentLine);
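Review bot: the hunk shows only `continue` becoming `break` when `isCurrentLineComment()` is true, so the fate of the comment line itself cannot be judged here: the loop has already advanced to it when the check runs, and nothing visible hands it back to the caller or records it. Tests for a comment between two continuation lines and for a comment immediately after the last one would pin down whether the comment now terminates the value collected in `$lines` and is re-read by the caller, or is lost.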
Vulnerability Existed: not sure
No specific CWE - a comment line now ends the multi-line value being collected into `$lines` (`break`) instead of being skipped (`continue`); the hunk does not show which YAML construct is parsed here, so whether attacker-supplied YAML could previously be mis-parsed cannot be judged from it - src/Symfony/Component/Yaml/Parser.php Lines 782
Old Code:
```php
if ($this->isCurrentLineComment()) {
continue;
}
```
Fixed Code:
```php
if ($this->isCurrentLineComment()) {
break;
}
```