Apply Symfony pathinfo vulnerability patch

https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

symfony/symfony@9962b91

https://nvd.nist.gov/vuln/detail/cve-2025-64500

Author: johanib

composer.json

@@ -50,6 +50,7 @@
         "behat/mink-goutte-driver": "~1.0",
         "behat/mink-selenium2-driver": "^1.3",
         "behat/symfony2-extension": "~2.0",
+        "cweagans/composer-patches": "^1.7",
         "ingenerator/behat-tableassert": "^1.1",
         "league/flysystem": "^2.5",
         "liip/functional-test-bundle": "^4.3",
@@ -110,7 +111,10 @@
         "platform": {
             "php": "7.2"
         },
-        "sort-packages": true
+        "sort-packages": true,
+        "allow-plugins": {
+            "cweagans/composer-patches": true
+        }
     },
     "extra": {
         "symfony-app-dir": "app",
@@ -124,7 +128,12 @@
             {
                 "file": "app/config/functional_testing.yml"
             }
-        ]
+        ],
+        "patches": {
+            "symfony/http-foundation": {
+                "CVE fix for PATH_INFO vulnerability": "patches/symfony-http-foundation-path-info-cve.patch"
+            }
+        }
     },
     "archive": {
         "exclude": [

composer.lock

@@ -0,0 +1,15 @@
+--- a/vendor/symfony/http-foundation/Request.php
++++ b/vendor/symfony/http-foundation/Request.php
+@@ -1984,9 +1984,9 @@ class Request
+         }
+
+         $pathInfo = substr($requestUri, \strlen($baseUrl));
+-        if (false === $pathInfo || '' === $pathInfo) {
++        if (false === $pathInfo || '' === $pathInfo || '/' !== $pathInfo[0]) {
+             // If substr() returns false then PATH_INFO is set to an empty string
+-            return '/';
++            return '/'.$pathInfo;
+         }
+
+         return $pathInfo;
+