Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add advisory for Laravel cookie serialization vulnerability #315

Merged
merged 1 commit into from
Aug 10, 2018
Merged

Add advisory for Laravel cookie serialization vulnerability #315

merged 1 commit into from
Aug 10, 2018

Conversation

byCedric
Copy link
Contributor

@byCedric byCedric commented Aug 9, 2018
edited
Loading

As mentioned in the official docs and Laravel News. The merged pull request containing the fix for 5.6.x branch is over here. And the commit for the 5.5.x branch is either this one, the parent of that one or the parent-of-the-parent.

@byCedric byCedric force-pushed the fix/laravel-cookie-issue branch from 7a7a768 to ab04108 Compare August 9, 2018 11:40
@BackEndTea
Copy link
Contributor

I think this should also include the illuminate/cookie repo.

@byCedric byCedric force-pushed the fix/laravel-cookie-issue branch from ab04108 to b2c36d0 Compare August 9, 2018 13:01
@byCedric
Copy link
Contributor Author

byCedric commented Aug 9, 2018

@BackEndTea You are right, added it to illuminate/cookie too! Thanks, almost missed that one.

@ottowayne
Copy link

I think this affects Laravel 4 too: https://github.com/laravel/framework/blob/4.2/src/Illuminate/Encryption/Encrypter.php#L98

Back then you weren't even able to tell the Encrypter not to use serialization. The switch wasn't introduced until 2 years ago: laravel/framework@9725a8e

@byCedric byCedric force-pushed the fix/laravel-cookie-issue branch from b2c36d0 to 7c0a807 Compare August 10, 2018 07:43
@byCedric
Copy link
Contributor Author

@ottowayne Ah, yeah, I was thinking "its a middleware in which the vulnerability exists, and that wasn't introduced before 5.x".

I think you are right here too, I will add the whole 4.x.x range to illuminate/cookie too. It's using illuminate/encryption in the insecure way. I don't think we have to add this library too right? Because the issue is only scoped to deserializing cookies, or am I missing something?

@Ocramius
Copy link
Contributor

Ocramius commented Aug 10, 2018 via email

@byCedric
Copy link
Contributor Author

Ok, thanks, I guess this is it then! 😀

@ottowayne
Copy link

Yes, I thought about illuminate/encryption, too. In my opinion it was unfortunately designed, but it doesn't have a security issue by itself.

I guess that developers might not have known that stuff that got thrown in there will be serialized and are using it to encrypt user input.

@fabpot fabpot merged commit c9f8eb0 into FriendsOfPHP:master Aug 10, 2018
@byCedric byCedric deleted the fix/laravel-cookie-issue branch August 17, 2018 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BackEndTea BackEndTea BackEndTea approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@byCedric @BackEndTea @ottowayne @Ocramius @fabpot