Merge branch '5.4' into 6.0

* 5.4:
  Fix merge
  [Mime] Throw exception when body in Email attach method is not ok
  [VarDumper][VarExporter] Deal with DatePeriod->include_end_date on PHP 8.2
  [Cache] Throw when "redis_sentinel" is used with a non-Predis "class" option
  fix merge
  Bootstrap 4 fieldset for row errors
  [Form] Fix same choice loader with different choice values
  [Filesystem] Safeguard (sym)link calls
  Fix dumping extension config without bundle
  [HttpClient] Honor "max_duration" when replacing requests with async decorators
  [HttpClient] Add missing HttpOptions::setMaxDuration()
  [HttpFoundation] [Session] Overwrite invalid session id

Author: nicolas-grekas

Session/Storage/NativeSessionStorage.php

@@ -135,6 +135,12 @@ public function start(): bool
             throw new \RuntimeException(sprintf('Failed to start the session because headers have already been sent by "%s" at line %d.', $file, $line));
         }
 
+        $sessionId = $_COOKIE[session_name()] ?? null;
+        if ($sessionId && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {
+            // the session ID in the header is invalid, create a new one
+            session_id(session_create_id());
+        }
+
         // ok to try and start the session
         if (!session_start()) {
             throw new \RuntimeException('Failed to start the session.');

Tests/Session/Storage/NativeSessionStorageTest.php

@@ -283,4 +283,13 @@ public function testGetBagsOnceSessionStartedIsIgnored()
 
         $this->assertEquals($storage->getBag('flashes'), $bag);
     }
+
+    public function testRegenerateInvalidSessionId()
+    {
+        $_COOKIE[session_name()] = '&~[';
+        $started = (new NativeSessionStorage())->start();
+
+        $this->assertTrue($started);
+        $this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
+    }
 }