Merge branch '6.4' into 7.4

* 6.4:
  [FrameworkBundle] Allow to pass `doctrine_open_transaction_logger`’s entity manager name positionally
  [Scheduler] Recover pending RecurringMessages after consumer stops midway
  [SecurityBundle] Fix Security::login() across firewalls
  [Routing][RateLimiter][Mime][Security] Harden __unserialize against __toString trampolines
  [Security] Initialize lazy users before serializing them in the session
  [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses
  [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args
  [Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers
  [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear()
  [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats
  [Translation] Don’t check the error message to know if Lokalise keys are missing
  [AssetMapper] Rewrite relative paths in `export ... from` statements
  [Yaml] Allow trailing newlines after the end-of-document marker
  [HttpKernel][WebProfilerBundle] Check logs priority name for both `WARNING` and `warning`
  Update VERSION for 5.4.52
  Update CHANGELOG for 5.4.52
  Add additional exclude paths for tests

# Conflicts:
#	src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
#	src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/PhpFrameworkExtensionTest.php
#	src/Symfony/Bundle/SecurityBundle/Security.php
#	src/Symfony/Component/Cache/Tests/Adapter/AdapterTestCase.php
#	src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
#	src/Symfony/Component/RateLimiter/Tests/Policy/SlidingWindowTest.php
#	src/Symfony/Component/Routing/Tests/RouteTest.php
#	src/Symfony/Component/Runtime/SymfonyRuntime.php
#	src/Symfony/Component/Scheduler/Tests/Generator/MessageGeneratorTest.php
#	src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
#	src/Symfony/Component/Translation/Bridge/Lokalise/Tests/LokaliseProviderTest.php

Author: nicolas-grekas

Process.php

@@ -1689,8 +1689,36 @@ private function getDefaultEnv(): array
     {
         $env = getenv();
         $env = ('\\' === \DIRECTORY_SEPARATOR ? array_intersect_ukey($env, $_SERVER, 'strcasecmp') : array_intersect_key($env, $_SERVER)) ?: $env;
+        $env = $_ENV + ('\\' === \DIRECTORY_SEPARATOR ? array_diff_ukey($env, $_ENV, 'strcasecmp') : $env);
 
-        return $_ENV + ('\\' === \DIRECTORY_SEPARATOR ? array_diff_ukey($env, $_ENV, 'strcasecmp') : $env);
+        if (\in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true)) {
+            return $env;
+        }
+
+        // On non-CLI SAPIs (notably PHP-FPM and CGI), CGI/FastCGI request-context
+        // vars are exposed through $_SERVER, $_ENV and getenv(), and must not
+        // propagate to subprocesses.
+        foreach ($env as $k => $v) {
+            if (str_starts_with($k, 'HTTP_')
+                || str_starts_with($k, 'ORIG_')
+                || str_starts_with($k, 'REDIRECT_')
+                || \in_array($k, [
+                    'AUTH_TYPE', 'CONTENT_LENGTH', 'CONTENT_TYPE', 'DOCUMENT_ROOT',
+                    'DOCUMENT_URI', 'GATEWAY_INTERFACE', 'HTTPS', 'PATH_INFO',
+                    'PATH_TRANSLATED', 'PHP_AUTH_DIGEST', 'PHP_AUTH_PW', 'PHP_AUTH_USER',
+                    'PHP_SELF', 'QUERY_STRING', 'REMOTE_ADDR', 'REMOTE_HOST',
+                    'REMOTE_IDENT', 'REMOTE_PORT', 'REMOTE_USER', 'REQUEST_METHOD',
+                    'REQUEST_SCHEME', 'REQUEST_TIME', 'REQUEST_TIME_FLOAT', 'REQUEST_URI',
+                    'SCRIPT_FILENAME', 'SCRIPT_NAME', 'SCRIPT_URI', 'SCRIPT_URL',
+                    'SERVER_ADDR', 'SERVER_ADMIN', 'SERVER_NAME', 'SERVER_PORT',
+                    'SERVER_PROTOCOL', 'SERVER_SIGNATURE', 'SERVER_SOFTWARE',
+                ], true)
+            ) {
+                unset($env[$k]);
+            }
+        }
+
+        return $env;
     }
 
     private function validateWindowsEnvBlockSize(array $envPairs): void