[5.6] Dont serialize csrf cookie / header

[taylorotwell]

No description provided.

[ottowayne]

Is this the reason for the security update? Was a remote code execution possible when you know the app key and can generate encrypted cookies with manipulated serialized objects?

[ngyikp]

@ottowayne Definitely seems so: https://www.owasp.org/index.php/PHP_Object_Injection

[ottowayne]

Yeah, looks like you can do some nasty stuff with this. Like running "migrate:fresh --force" using a PendingDispatch which runs Artisan commands on __destruct():

O:41:"Illuminate\Foundation\Bus\PendingDispatch":1:{s:6:"*\job";O:43:"Illuminate\Foundation\Console\QueuedCommand":7:{s:7:"*\data";a:2:{i:0;s:13:"migrate:fresh";i:1;a:1:{s:7:"--force";b:1;}}s:10:"connection";N;s:5:"queue";N;s:15:"chainConnection";N;s:10:"chainQueue";N;s:5:"delay";N;s:7:"chained";a:0:{}}}

But then again your application is probably already compromised if the attacker has the app key.

Also the serialization is disabled for all cookies as of commits
7c90d41
97467e3
d1fc8eb
240d904

[kozmic]

For reference, this issue is CVE-2018-15133.

[ottowayne]

@kozmic It doesn't mention the not yet fixed vulnerability of Laravel 4.x though.

[Miguel-Serejo]

@ottowayne Yes it does.

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29,

That means all versions up to 5.5.40, and all versions from 5.6.0 to 5.6.29.

[ottowayne]

Ok, than it was just a translation issue on my side. Thanks for clearing it up 👍