Laravel Risk of mass-assignment vulnerabilities
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
Details
Laravel 4.1.29 improves the column quoting for all database drivers. This protects your application from some mass assignment vulnerabilities when not using the fillable property on models. If you are using the fillable property on your models to protect against mass assignment, your application is not vulnerable. However, if you are using guarded and are passing a user controlled array into an "update" or "save" type function, you should upgrade to 4.1.29 immediately as your application may be at risk of mass assignment.
The fix
Make column quoting more robust for greater security when
src/Illuminate/Database/Grammar.php+3 −1
@@ -83,7 +83,9 @@ public function wrap($value)*/protected function wrapValue($value){-return $value !== '*' ? sprintf($this->wrapper, $value) : $value;+if ($value === '*') return $value;++return '"'.str_replace('"', '""', $value).'"';}/**
src/Illuminate/Database/Query/Grammars/Grammar.php+0 −7
@@ -5,13 +5,6 @@class Grammar extends BaseGrammar {-/**-* The keyword identifier wrapper format.-*-* @var string-*/-protected $wrapper = '"%s"';-/*** The components that make up a select clause.*
src/Illuminate/Database/Query/Grammars/MySqlGrammar.php+13 −7
@@ -4,13 +4,6 @@class MySqlGrammar extends Grammar {-/**-* The keyword identifier wrapper format.-*-* @var string-*/-protected $wrapper = '`%s`';-/*** The components that make up a select clause.*@@ -99,4 +92,17 @@ public function compileUpdate(Builder $query, $values)return rtrim($sql);}+/**+* Wrap a single string in keyword identifiers.+*+* @param string $value+* @return string+*/+protected function wrapValue($value)+{+if ($value === '*') return $value;++return '`'.str_replace('`', '``', $value).'`';+}+}
src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php+13 −7
@@ -15,13 +15,6 @@ class SqlServerGrammar extends Grammar {'&', '&=', '|', '|=', '^', '^=',);-/**-* The keyword identifier wrapper format.-*-* @var string-*/-protected $wrapper = '[%s]';-/*** Compile a select query into SQL.*@@ -217,4 +210,17 @@ public function getDateFormat()return 'Y-m-d H:i:s.000';}+/**+* Wrap a single string in keyword identifiers.+*+* @param string $value+* @return string+*/+protected function wrapValue($value)+{+if ($value === '*') return $value;++return '['.str_replace(']', ']]', $value).']';+}+}
src/Illuminate/Database/Schema/Grammars/MySqlGrammar.php+13 −7
@@ -6,13 +6,6 @@class MySqlGrammar extends Grammar {-/**-* The keyword identifier wrapper format.-*-* @var string-*/-protected $wrapper = '`%s`';-/*** The possible column modifiers.*@@ -574,4 +567,17 @@ protected function modifyAfter(Blueprint $blueprint, Fluent $column)}}+/**+* Wrap a single string in keyword identifiers.+*+* @param string $value+* @return string+*/+protected function wrapValue($value)+{+if ($value === '*') return $value;++return '`'.str_replace('`', '``', $value).'`';+}+}
src/Illuminate/Database/Schema/Grammars/PostgresGrammar.php+0 −7
@@ -5,13 +5,6 @@class PostgresGrammar extends Grammar {-/**-* The keyword identifier wrapper format.-*-* @var string-*/-protected $wrapper = '"%s"';-/*** The possible column modifiers.*
src/Illuminate/Database/Schema/Grammars/SQLiteGrammar.php+0 −7
@@ -6,13 +6,6 @@class SQLiteGrammar extends Grammar {-/**-* The keyword identifier wrapper format.-*-* @var string-*/-protected $wrapper = '"%s"';-/*** The possible column modifiers.*
src/Illuminate/Database/Schema/Grammars/SqlServerGrammar.php+0 −7
@@ -5,13 +5,6 @@class SqlServerGrammar extends Grammar {-/**-* The keyword identifier wrapper format.-*-* @var string-*/-protected $wrapper = '"%s"';-/*** The possible column modifiers.*