Merge branch '8.0' into 8.1

* 8.0:
  [WebProfilerBundle] Cleanup whitespace
  [Validator] Regex bypass when match is false with too big input
  gracefully handle the kernel.runtime_mode.web parameter missing
  [JsonStreamer] Fix missing generator for shared types in self-referencing objects
  [Mailer] Rewrite "rebanded" to "re-branded"
  [Validator] Remove constant existence check in `ExpressionSyntaxValidator`
  [DependencyInjection] Handle Stringable for string-typed arguments in CheckTypeDeclarationsPass
  [DependencyInjection] Fix TypeError when using a custom container base class with typed $parameterBag
  [Dotenv] Defer variable and command expansion to account for overrides from subsequent .env files
  Bump Symfony version to 8.0.7
  Update VERSION for 8.0.6
  Update CHANGELOG for 8.0.6
  Bump Symfony version to 7.4.7
  Update VERSION for 7.4.6
  Update CHANGELOG for 7.4.6
  Bump Symfony version to 6.4.35
  Update VERSION for 6.4.34
  Update CONTRIBUTORS for 6.4.34
  Update CHANGELOG for 6.4.34

Constraints/ExpressionSyntaxValidator.php

@@ -46,7 +46,7 @@ class ExpressionSyntaxValidator extends ConstraintValidator
         $this->expressionLanguage ??= new ExpressionLanguage();
 
         try {
-            if (null === $constraint->allowedVariables && \defined(Parser::class.'::IGNORE_UNKNOWN_VARIABLES')) {
+            if (null === $constraint->allowedVariables) {
                 $this->expressionLanguage->lint($expression, [], Parser::IGNORE_UNKNOWN_VARIABLES);
             } else {
                 $this->expressionLanguage->lint($expression, $constraint->allowedVariables);

Constraints/RegexValidator.php

@@ -44,7 +44,9 @@ class RegexValidator extends ConstraintValidator
             $value = ($constraint->normalizer)($value);
         }
 
-        if ($constraint->match xor preg_match($constraint->pattern, $value)) {
+        $expectedResult = $constraint->match ? 1 : 0;
+
+        if (preg_match($constraint->pattern, $value) !== $expectedResult) {
             $this->context->buildViolation($constraint->message)
                 ->setParameter('{{ value }}', $this->formatValue($value))
                 ->setParameter('{{ pattern }}', $constraint->pattern)

Tests/Constraints/RegexValidatorTest.php

@@ -117,4 +117,19 @@ class RegexValidatorTest extends ConstraintValidatorTestCase
             }],
         ];
     }
+
+    public function testMatchFalseWithTooManyBacktrackingShouldNotPass()
+    {
+        $value = '<'.str_repeat('a', 1000000).'<a href="javascript:alert(1)">test</a>';
+        $pattern = '/<script|([^>]*?)(on\w+\s*=\s*(["\']).*?\3|href\s*=\s*(["\'])javascript:.*?\4)[^>]*?>/is';
+        $constraint = new Regex(pattern: $pattern, message: 'myMessage', match: false);
+
+        $this->validator->validate($value, $constraint);
+
+        $this->buildViolation('myMessage')
+            ->setParameter('{{ value }}', '"'.$value.'"')
+            ->setParameter('{{ pattern }}', $pattern)
+            ->setCode(Regex::REGEX_FAILED_ERROR)
+            ->assertRaised();
+    }
 }

composer.json

@@ -45,7 +45,8 @@
     },
     "conflict": {
         "doctrine/lexer": "<1.1",
-        "symfony/doctrine-bridge": "<7.4"
+        "symfony/doctrine-bridge": "<7.4",
+        "symfony/expression-language": "<7.4"
     },
     "autoload": {
         "psr-4": { "Symfony\\Component\\Validator\\": "" },