Issue #1999448 by chertzog, aaronott, chrisjlee, daffodil_naveen, kim.pepper: Use Symfony Request for user module.

core/modules/user/lib/Drupal/user/AccountFormController.php

@@ -70,7 +70,8 @@ abstract class AccountFormController extends EntityFormControllerNG {
 
       // To skip the current password field, the user must have logged in via a
       // one-time link and have the token in the URL.
-      $pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && isset($_GET['pass-reset-token']) && ($_GET['pass-reset-token'] == $_SESSION['pass_reset_' . $account->id()]);
+      $pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && (\Drupal::request()->query->get('pass-reset-token') == $_SESSION['pass_reset_' . $account->id()]);
+
       $protected_values = array();
       $current_pass_description = '';
 

core/modules/user/user.pages.inc

@@ -123,9 +123,10 @@ function template_preprocess_user(&$variables) {
  */
 function user_edit_cancel_submit($form, &$form_state) {
   $destination = array();
-  if (isset($_GET['destination'])) {
+  $query = Drupal::request()->query;
+  if ($query->has('destination')) {
     $destination = drupal_get_destination();
-    unset($_GET['destination']);
+    $query->remove('destination');
   }
   // Note: We redirect from user/uid/edit to user/uid/cancel to make the tabs disappear.
   $account = $form_state['controller']->getEntity();