Laravel Security Advisory - January 21 2021
Kane Cohen • January 21, 2021
Affected versions
All 6.x, 7.x and 8.x releases below 6.20.14, 7.30.4 and 8.24.0 respectively
The issue has been fixed in versions listed above.
Description
This is a follow-up to the January 13th security patch, which was meant to fix an issue in the Laravel database query builder where carefully constructed GET parameters made it possible to retrieve unintended data from the database. More details are in the related advisory.
Example of the problematic query, fixed in the listed versions:
// Request already handled by the previous (January 13) patch: https://laravel.com/users?id[]=1&id[]=1
// Request handled by the current patch (nested array): https://laravel.com/users?id[0][]=1&id[0][]=1
use App\Models\User; // App\User on Laravel 6.x / 7.x
use Illuminate\Support\Facades\Request;

$id = Request::input('id'); // an array, not a scalar, for the query strings above
User::where('id', $id)->where('is_admin', 0)->first();
// An array value adds more than one binding for the single "id = ?" placeholder,
// so the positions shift and "is_admin" can end up bound to 1 instead of 0.
Resolution
All where-like queries will use only the first item from a flattened array if an array is used as a value parameter.
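To make the binding shift and the resolution concrete, here is an added example that is not Laravel's code: a stripped-down model of a query builder that emits one "?" per where clause and appends the clause's value to a positional binding list. The three binding strategies (unpatched, first-element-only as in the January 13 patch, flatten-then-first as described in the resolution above) and all function names are assumptions of this example, written to reproduce the behaviour the advisory describes, not the framework's actual implementation.

```php
<?php
declare(strict_types=1);

// Recursively flatten nested arrays (a local stand-in for Arr::flatten()).
function flattenValues(array $value): array
{
    $out = [];
    array_walk_recursive($value, function ($leaf) use (&$out) {
        $out[] = $leaf;
    });
    return $out;
}

// Unpatched model: every element of an array value becomes its own binding.
function bindingUnpatched($value): array
{
    return is_array($value) ? array_values($value) : [$value];
}

// January 13 model: keep only the first element, but a nested array is still an array,
// so id[0][]=1&id[0][]=1 still expands into two bindings.
function bindingFirstPatch($value): array
{
    if (is_array($value)) {
        $value = reset($value); // head() of the array
    }
    return bindingUnpatched($value);
}

// January 21 model (the resolution above): flatten first, then keep only the first scalar.
function bindingFixed($value): array
{
    if (is_array($value)) {
        $flat = flattenValues($value);
        $value = $flat === [] ? null : $flat[0];
    }
    return [$value];
}

// Compile [[column, value], ...] into SQL plus a positional binding list.
function compileSelect(string $table, array $wheres, callable $toBindings): array
{
    $sql = "select * from {$table}";
    $bindings = [];
    foreach ($wheres as $i => [$column, $value]) {
        $sql .= ($i === 0 ? ' where ' : ' and ') . "{$column} = ?";
        foreach ($toBindings($value) as $b) {
            $bindings[] = $b;
        }
    }
    return [$sql . ' limit 1', $bindings];
}

// Fill placeholders in order; in this model any surplus binding is simply dropped,
// which is what lets the second "1" land on "is_admin".
function render(string $sql, array $bindings): string
{
    $i = 0;
    return preg_replace_callback('/\?/', function () use (&$i, $bindings) {
        return var_export($bindings[$i++] ?? null, true);
    }, $sql);
}

// Constructed request inputs mirroring the two query strings from the advisory:
//   ?id[]=1&id[]=1        -> [1, 1]
//   ?id[0][]=1&id[0][]=1  -> [[1, 1]]
$cases = [
    'flat array, unpatched'    => [[1, 1],   'bindingUnpatched'],
    'nested array, Jan 13 fix' => [[[1, 1]], 'bindingFirstPatch'],
    'nested array, Jan 21 fix' => [[[1, 1]], 'bindingFixed'],
];

foreach ($cases as $label => [$id, $strategy]) {
    [$sql, $bindings] = compileSelect('users', [['id', $id], ['is_admin', 0]], $strategy);
    echo $label, ":\n  ", $sql,
         "\n  bindings:  ", json_encode($bindings),
         "\n  effective: ", render($sql, $bindings), "\n";
}
```

Running it shows the first two cases producing bindings [1,1,0], so the effective query reads `is_admin = 1`, while the flatten-then-first strategy yields [1,0] and `is_admin = 0` as intended. The lesson for application code is the same regardless of framework version: validate that a request parameter expected to be scalar actually is one (for example with a `string` or `integer` validation rule) before handing it to the query builder.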