symfony/runtime: Incomplete CVE-2024-50340 fix allows argv injection via web SAPI
What changed
The original fix for CVE-2024-50340 gated argv reading on empty($_GET). That gate is insufficient: parse_str() and the web SAPI can parse the same query string differently, so a crafted query can leave $_GET empty while $_SERVER['argv'] (populated from the raw query string when register_argc_argv=On) still carries attacker-controlled flags. The new fix gates argv reading on isset($_SERVER['QUERY_STRING']) instead, so the presence of any query string at all marks the request as a web request and argv is ignored.
Who it affects
Applications booted through symfony/runtime under a web SAPI with register_argc_argv=On. In that configuration an unauthenticated GET request can flip APP_ENV and toggle APP_DEBUG.
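The two gates described under "What changed", and the affected-configuration check from "Who it affects", as an added illustration that is not symfony/runtime's own code. The function names, the simulated request state and the flag value are constructed for the example; the only facts taken from the advisory are the two gate conditions and the register_argc_argv=On precondition.

```php
<?php
// Added example, not symfony/runtime's code: the incomplete gate and the
// corrected gate applied to simulated $_SERVER/$_GET state so the difference
// is visible without a web server. Function names are assumptions.

declare(strict_types=1);

/** Original (incomplete) gate: reads argv whenever $_GET came out empty. */
function argvWithGetGate(array $server, array $get): array
{
    if (!empty($get)) {
        return [];   // a populated $_GET is treated as "this is a web request"
    }
    return $server['argv'] ?? [];
}

/** Corrected gate: any query string at all marks a web request, so argv is ignored. */
function argvWithQueryStringGate(array $server): array
{
    if (isset($server['QUERY_STRING'])) {
        return [];
    }
    return $server['argv'] ?? [];
}

/** Deploy-time check: is the risky combination (non-CLI SAPI + register_argc_argv=On) present? */
function webArgvExposure(): bool
{
    return PHP_SAPI !== 'cli'
        && filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed request state: a web request whose query string the SAPI parsed
// into an empty $_GET, while argv (filled from the raw query string) still
// carries a flag. The flag value is a placeholder, not a working payload.
$server = [
    'QUERY_STRING' => '<constructed-query-that-parses-to-empty-GET>',
    'argv'         => ['--env=constructed-value'],
];
$get = [];

var_dump(argvWithGetGate($server, $get));    // ['--env=constructed-value'] -> flag leaks through
var_dump(argvWithQueryStringGate($server));  // []                          -> ignored

// Genuine CLI invocation: no QUERY_STRING key, argv is legitimate and kept.
$cli = ['argv' => ['bin/console', 'cache:clear']];
var_dump(argvWithQueryStringGate($cli));     // ['bin/console', 'cache:clear']

var_dump(webArgvExposure());                 // false when run from the CLI
```

The corrected gate keys on the presence of the QUERY_STRING key rather than on what the SAPI made of its contents, which is why it does not depend on parse_str() and the SAPI agreeing. The exposure check is a cheap way to confirm, on the deployed SAPI, whether the precondition for this class of argv injection exists at all; setting register_argc_argv=Off for web SAPIs removes it independently of the library fix.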
What to do today
Update symfony/runtime to 5.4.46, 6.4.14 or 7.1.7 (or a later release on the same branch), or apply the patch from commit 3228c3806ee511008bea19a95084d460b17e5d25.