Symfony Profiler - Remote Access via Injected Arguments (CVE-2024-50340)
Source: pentest-tools.com, indexed 2025-03-26
Download link:
https://pentest-tools.com/vulnerabilities-exploits/undefined
Description:
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` PHP directive is set to `on` and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7, the `SymfonyRuntime` ignores the `argv` values for non-SAPI PHP runtimes.
Provider:
pentest-tools.com



