Comparing changes
base repository: symfony/symfony
base: v5.4.52
head repository: symfony/symfony
compare: v5.4.53
- 20 commits
- 40 files changed
- 2 contributors
Commits on May 20, 2026
- 1ace950: [Yaml] Allow trailing newlines after the end-of-document marker
  The hardened `#\.\.\.[ \t]*+$#` regex introduced in 9749cd4 only accepts horizontal whitespace after `...`, so a YAML document ending with the marker followed by a blank line is no longer stripped and the parser errors on the leftover `...`. Restore the previous tolerance for any trailing whitespace by using `\s*+$`; the possessive quantifier keeps the pattern safe from catastrophic backtracking.
Commits on May 21, 2026
- 44cf082: bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (nicolas-grekas)
  This PR was merged into the 5.4 branch.

  Discussion
  ----------
  [Yaml] Allow trailing newlines after the end-of-document marker

  | Q | A |
  | --- | --- |
  | Branch? | 5.4 |
  | Bug fix? | yes |
  | New feature? | no |
  | Deprecations? | no |
  | Issues | Fix #64313 |
  | License | MIT |

  The hardened `#\.\.\.[ \t]*+$#` regex introduced in 9749cd4 only accepts horizontal whitespace after the `...` end-of-document marker, so a document ending with a blank line after `...` is no longer stripped and the parser errors on the leftover marker. Restore the previous tolerance using `\s*+$`; the possessive quantifier keeps the pattern safe from catastrophic backtracking since nothing follows it.

  Commits
  -------
  1ace950 [Yaml] Allow trailing newlines after the end-of-document marker
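The two end-of-document regexes from commit 1ace950 and PR #64316, run side by side over documents with different trailing whitespace. This is an added example, not Symfony's parser code: Python's `re` stands in for PCRE, the possessive `*+` is dropped because Python only accepts it from 3.11 on and it does not change which inputs match, and `strip_document_end` and `stripped_by` are hypothetical helpers that only model the "is the marker recognised" decision.

```python
"""Added example (not Symfony's code): which trailing-whitespace shapes the
pre-fix and post-fix end-of-document regexes from commit 1ace950 accept."""
import re

# Marker on its own line, then only spaces/tabs before end of input (pre-fix) ...
STRICT_MARKER = re.compile(r"(?:^|\n)\.\.\.[ \t]*$")
# ... or any whitespace, newlines included, before end of input (post-fix).
RELAXED_MARKER = re.compile(r"(?:^|\n)\.\.\.\s*$")


def strip_document_end(yaml_text: str, marker: re.Pattern) -> tuple[str, bool]:
    """Remove a trailing `...` marker if `marker` recognises it; returns (text, stripped).
    Hypothetical helper: a marker that is not recognised stays in the text, which is
    what left the parser choking on the leftover `...` before the fix."""
    m = marker.search(yaml_text)
    if m is None:
        return yaml_text, False
    return yaml_text[: m.start()], True


def stripped_by(yaml_text: str) -> tuple[bool, bool]:
    """(stripped by the strict pattern?, stripped by the relaxed pattern?)"""
    return (strip_document_end(yaml_text, STRICT_MARKER)[1],
            strip_document_end(yaml_text, RELAXED_MARKER)[1])


# Constructed inputs for this example.
CASES = {
    "marker at end of input":      "key: value\n...",
    "marker then one newline":     "key: value\n...\n",
    "marker then a blank line":    "key: value\n...\n\n",    # the shape #64313 reports
    "marker, spaces, blank line":  "key: value\n...  \n\n",
}

if __name__ == "__main__":
    for name, text in CASES.items():
        strict, relaxed = stripped_by(text)
        print(f"{name:28} strict={strict!s:5} relaxed={relaxed}")
```

Both patterns accept a single trailing newline, because an unanchored `$` matches just before a final newline in PCRE and in Python alike; the difference only shows once a second newline (a blank line) follows the marker, which is exactly the report behind the fix.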
Commits on May 22, 2026
- 8276536: [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient
  Extends PRIVATE_SUBNETS with IPv4-compatible (::/96), 6to4 (2002::/16), Teredo (2001::/32) and NAT64 (64:ff9b::/96, 64:ff9b:1::/48) prefixes, so that requests to e.g. http://[2002:7f00:1::]/ are blocked when they embed a private IPv4 address.
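What "blocked when they embed a private IPv4 address" means in practice, as an added example that is not Symfony's `NoPrivateNetworkHttpClient`: the transition prefixes are the ones named in commit 8276536, while the private-range lists, the decoding helpers (`embedded_ipv4`, `is_private`) and the URL gate `literal_host_allowed` are assumptions of this example. The NAT64 forms are assumed to carry the IPv4 address in their low 32 bits.

```python
"""Added example (not Symfony's code): recognise IPv6 transition forms that wrap an
IPv4 address and refuse them when the wrapped address is private."""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network, ip_address
from urllib.parse import urlsplit

# Constructed private/reserved IPv4 ranges (RFC 1918, loopback, link-local, CGNAT, ...).
PRIVATE_V4 = [IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]
# Constructed native IPv6 private ranges.
PRIVATE_V6 = [IPv6Network(n) for n in ("::1/128", "fc00::/7", "fe80::/10")]

# Transition prefixes from the commit message, plus the long-standing IPv4-mapped form.
SIXTOFOUR = IPv6Network("2002::/16")   # IPv4 sits in bits 16..47
TEREDO = IPv6Network("2001::/32")      # client IPv4 sits bit-inverted in the low 32 bits
V4_COMPAT = IPv6Network("::/96")       # IPv4 sits in the low 32 bits
NAT64 = [IPv6Network("64:ff9b::/96"), IPv6Network("64:ff9b:1::/48")]  # assumed low-32-bit embedding


def embedded_ipv4(addr):
    """Return the IPv4 address an IPv6 transition address carries, or None for native IPv6."""
    if isinstance(addr, str):
        addr = IPv6Address(addr)
    if addr in SIXTOFOUR:
        return addr.sixtofour                  # stdlib decodes 2002:AABB:CCDD::
    if addr in TEREDO:
        _server, client = addr.teredo          # stdlib un-inverts the client bits
        return client
    if addr.ipv4_mapped is not None:           # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr in V4_COMPAT or any(addr in net for net in NAT64):
        return IPv4Address(int(addr) & 0xFFFF_FFFF)
    return None


def is_private(addr) -> bool:
    """True for a private IPv4, a private IPv6, or an IPv6 that merely wraps a private IPv4."""
    if isinstance(addr, IPv4Address):
        return any(addr in net for net in PRIVATE_V4)
    if any(addr in net for net in PRIVATE_V6):
        return True
    inner = embedded_ipv4(addr)
    return inner is not None and is_private(inner)


def literal_host_allowed(url: str):
    """Gate for URLs whose host is an IP literal: True (allowed), False (blocked), or None
    for a DNS name, which must be re-checked against every address the resolver returns."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        addr = ip_address(host)
    except ValueError:
        return None
    return not is_private(addr)


if __name__ == "__main__":
    for url in ("http://[2002:7f00:1::]/", "http://[2002:808:808::]/",
                "http://[64:ff9b::a00:1]/", "http://[::ffff:10.0.0.5]/", "http://[2001:db8::1]/"):
        print(url, literal_host_allowed(url))
```

The URL from the commit message, `http://[2002:7f00:1::]/`, decodes to 6to4 of 127.0.0.1 and is refused; `2002:808:808::` (8.8.8.8) passes. Checking the literal is only half of the job: a client that resolves names has to run the same check on each resolved address, which is why the function returns `None` rather than `True` for a hostname.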
- 33a48d0: [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear()
- 4b63c3a
Commits on May 23, 2026
- b2a338e: [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args
  $_SERVER['QUERY_STRING'] can leak into CLI subprocesses (notably when spawned from PHP-FPM, where the SAPI exposes FastCGI request-context vars through getenv() and $_ENV that then propagate via Process). The QUERY_STRING gate added for CVE-2024-50340 was therefore tripped in CLI subprocesses, dropping argv processing and stripping command names and options.

  Trust argv when PHP_SAPI is cli/phpdbg/embed: in CLI SAPIs argv is the real OS argv, never derived from QUERY_STRING (that's a web-SAPI-only behavior of register_argc_argv), so the gate is unnecessary there. The gate still applies on actual web SAPIs.

  The two phpt tests that simulated the CVE attack from cli SAPI by mocking $_SERVER no longer represent a real attack vector under this model and are removed; the protection on real web SAPIs is unchanged.
- c3b3711: bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (nicolas-grekas)
  This PR was merged into the 5.4 branch.

  Discussion
  ----------
  [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear()

  | Q | A |
  | --- | --- |
  | Branch? | 5.4 |
  | Bug fix? | yes |
  | New feature? | no |
  | Deprecations? | no |
  | Issues | Fix #64328 |
  | License | MIT |

  The prefix-validation regex added to `AbstractAdapter::clear()` rejected `_`, which broke Doctrine ORM second-level cache region invalidation (regions are passed as `DC2_REGION_<name>`). It also rejected `:`, which is the conventional Redis namespace separator.

  This PR extends the allowed character class to include `_` and `:`. To keep SQL-backed adapters safe, `_` (a SQL LIKE single-character wildcard) is now escaped via `ESCAPE '!'` in `PdoAdapter::doClear()` and `DoctrineDbalAdapter::doClear()`. The `!` escape character is itself rejected by the validation regex, so collisions are not possible.

  Commits
  -------
  33a48d0 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear()
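Why allowing `_` in a clear-by-prefix call forces the SQL adapters to escape it, shown as an added example rather than Symfony's `PdoAdapter`/`DoctrineDbalAdapter` code: sqlite3 stands in for the SQL backend, `PREFIX_RE` is a constructed allow-list in the spirit of the one described in #64336 (Symfony's actual regex is not reproduced), and the table layout and keys are made up for the demonstration. The same run covers the unescaped pattern, where `_` silently matches any character, and the escaped one.

```python
"""Added example (not Symfony's code): clearing cache items by key prefix through
SQL LIKE, with and without escaping the '_' wildcard."""
import re
import sqlite3

# Constructed allow-list: word characters, '.', '-' and ':'. The LIKE escape character
# '!' (and the LIKE wildcard '%') are deliberately outside it.
PREFIX_RE = re.compile(r"[A-Za-z0-9_.:-]*")
LIKE_ESCAPE = "!"


def prefix_is_valid(prefix: str) -> bool:
    return PREFIX_RE.fullmatch(prefix) is not None


def like_prefix_pattern(prefix: str) -> str:
    """Turn a literal prefix into a LIKE pattern. '_' and '%' are LIKE wildcards, so they
    are escaped; '!' is escaped too so the helper stays safe if the allow-list is relaxed."""
    escaped = prefix.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
    escaped = escaped.replace("%", LIKE_ESCAPE + "%").replace("_", LIKE_ESCAPE + "_")
    return escaped + "%"


def clear_by_prefix(conn: sqlite3.Connection, prefix: str, escape: bool = True) -> int:
    """Delete every item whose id starts with `prefix`; returns the number of rows removed.
    escape=False reproduces the unescaped pattern in which '_' matches any one character."""
    if not prefix_is_valid(prefix):
        raise ValueError(f"invalid prefix: {prefix!r}")
    if escape:
        sql = f"DELETE FROM cache_items WHERE item_id LIKE ? ESCAPE '{LIKE_ESCAPE}'"
        params = (like_prefix_pattern(prefix),)
    else:
        sql = "DELETE FROM cache_items WHERE item_id LIKE ?"
        params = (prefix + "%",)
    return conn.execute(sql, params).rowcount


def demo(escape: bool):
    """Fill an in-memory table with constructed keys and clear the Doctrine second-level
    cache region 'users' (region keys are prefixed DC2_REGION_<name>, as #64336 notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cache_items (item_id TEXT PRIMARY KEY, item_data BLOB)")
    keys = [
        "DC2_REGION_users.1", "DC2_REGION_users.2", "DC2_REGION_orders.1",
        "DC2XREGIONXusers.9",   # only an unescaped '_' wildcard mistakes this for the region
        "app:session:abc",
    ]
    conn.executemany("INSERT INTO cache_items VALUES (?, ?)", [(k, b"") for k in keys])
    deleted = clear_by_prefix(conn, "DC2_REGION_users", escape)
    remaining = sorted(row[0] for row in conn.execute("SELECT item_id FROM cache_items"))
    conn.close()
    return deleted, remaining


if __name__ == "__main__":
    print("unescaped:", demo(escape=False))
    print("escaped:  ", demo(escape=True))
```

Without the `ESCAPE` clause the pattern `DC2_REGION_users%` also removes `DC2XREGIONXusers.9`, an item that belongs to nobody's region; with `DC2!_REGION!_users%` and `ESCAPE '!'` only the two real region entries go. Keeping `!` out of the allow-list is what makes the escape character unambiguous, which is the point the PR makes about collisions.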
- 84f390b: bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (nicolas-grekas)
  This PR was merged into the 5.4 branch.

  Discussion
  ----------
  [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args

  | Q | A |
  | --- | --- |
  | Branch? | 5.4 |
  | Bug fix? | yes |
  | New feature? | no |
  | Deprecations? | no |
  | Issues | Fix #64327 |
  | License | MIT |

  `$_SERVER['QUERY_STRING']` can leak into CLI subprocesses (notably when spawned from PHP-FPM, where the SAPI exposes FastCGI request-context vars through `getenv()` and `$_ENV` that then propagate via `Process`). The `QUERY_STRING` gate added for CVE-2024-50340 was therefore tripped in CLI subprocesses, dropping argv processing and stripping command names and options.

  This PR trusts argv when `PHP_SAPI` is `cli`/`phpdbg`/`embed`: in CLI SAPIs argv is the real OS argv, never derived from `QUERY_STRING` (that's a web-SAPI-only behavior of `register_argc_argv`), so the gate is unnecessary there. The gate still applies on actual web SAPIs.

  The two phpt tests that simulated the CVE attack from cli SAPI by mocking `$_SERVER` no longer represent a real attack vector under this model and are removed; the protection on real web SAPIs is unchanged.

  A companion PR for `Process` against 6.4 (#64347) plugs the actual env leak as defense in depth.

  Commits
  -------
  b2a338e [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args
Commits on May 24, 2026
- ac5bba2: [Cache] skip tests for adapters that cannot clear by prefix
- 0abafd1: minor #64354 [Cache] skip tests for adapters that cannot clear by prefix (nicolas-grekas)
  This PR was merged into the 5.4 branch.

  Discussion
  ----------
  [Cache] skip tests for adapters that cannot clear by prefix

  | Q | A |
  | --- | --- |
  | Branch? | 5.4 |
  | Bug fix? | no |
  | New feature? | no |
  | Deprecations? | no |
  | Issues | - |
  | License | MIT |

  Something I forgot in #64336

  Commits
  -------
  ac5bba2 [Cache] skip tests for adapters that cannot clear by prefix
- a1f5294: security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (nicolas-grekas)
  This PR was merged into the 5.4 branch.
- c48a427
- 03eea72: security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (nicolas-grekas)
  This PR was merged into the 5.4 branch.
- 2f9a8ad: security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (nicolas-grekas)
  This PR was merged into the 5.4 branch.
Commits on May 26, 2026
- abfed9b
- 5245467
- 511a86c: Backports from 6.4 to make the 5.4 unit-tests CI green:
  - [PropertyInfo] Treat `mixed[]` as `array` in PhpDocTypeHelper
  - [Finder] Use `-19 years` instead of fixed `2005-10-15` for relative-date tests
  - [Form] Normalize ICU 72+ whitespace in DateTimeToLocalizedStringTransformer
  - [Intl] Normalize ICU 72+ whitespace in AbstractIntlDateFormatterTestCase
  - [ProxyManager] Accept both ` : bool` and `: bool` in dumper fixture
  - [Translation][Lokalise/Loco/Crowdin] Use createMock(LoaderInterface) where ->expects() is needed (fixes high-deps with translation 6.4)
  - [HttpKernel] Accept BadRequestException too in testRequestWithBadHost
  - [FrameworkBundle] Drop CachePoolsTest assertions that depended on system_clearer being tagged as kernel.cache_clearer
Commits on May 27, 2026
- 01f1c8e
- b54c465
- 6436e37
You can try running this command locally to see the comparison on your machine:
git diff v5.4.52...v5.4.53