
Laravel Security Advisory - January 21 2021

Kane Cohen • January 21, 2021


Affected versions

All versions below 6.20.14, 7.30.4, 8.24.0

The issue has been fixed in the versions listed above.

Description

This is an update to the January 13th security patch, which was supposed to fix an issue in the Laravel database query builder where carefully constructed GET parameters could be used to retrieve unintended data from the database. More details are in the related advisory.

Example of a problematic query that is fixed in the listed versions:

<?php
use App\Models\User;
use Illuminate\Support\Facades\Request;

// Fixed HTTP request query in the previous patch: https://laravel.com/users?id[]=1&id[]=1
// Fixed HTTP request query in the current patch:  https://laravel.com/users?id[0][]=1&id[0][]=1
$id = Request::input('id'); // attacker-controlled: may arrive as a (nested) array rather than a scalar
User::where('id', $id)->where('is_admin', 0)->first();
// This could lead to a query where the "is_admin" column is set to 1.

Resolution

All where-like queries will now use only the first item of the flattened array when an array is passed as the value parameter.
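To make the binding shift behind both the Description and the Resolution concrete, here is an added example (not code from the advisory or from Laravel itself) of a toy query builder that models how array values enter the positional binding list. The `ToyBuilder` class, the `flatten` helper, the in-memory `users` table and the two sample inputs are all constructed for this illustration; `hardened=True` applies the rule stated in the Resolution (first item of the flattened array), while `hardened=False` models the pre-fix behaviour in which every array element becomes its own binding.

```python
import re
import sqlite3
from typing import Any, Dict, List, Tuple

# Constructed sample inputs: the PHP array each request shape named in the
# advisory decodes to (query-string values arrive as strings).
INPUT_PREVIOUS_PATCH = ["1", "1"]      # ?id[]=1&id[]=1
INPUT_CURRENT_PATCH = [["1", "1"]]     # ?id[0][]=1&id[0][]=1


def flatten(value: Any) -> List[Any]:
    """Recursively flatten nested lists (stands in for Arr::flatten)."""
    if not isinstance(value, list):
        return [value]
    out: List[Any] = []
    for item in value:
        out.extend(flatten(item))
    return out


class ToyBuilder:
    """Minimal model of a query builder that emits `column = ?` clauses and a
    positional binding list. This is NOT Laravel's Builder; it only models the
    binding behaviour the advisory describes. With hardened=True an array
    value contributes just the first element of its flattened form."""

    def __init__(self, table: str, hardened: bool) -> None:
        self.table = table
        self.hardened = hardened
        self.wheres: List[str] = []
        self.bindings: List[Any] = []

    def where(self, column: str, value: Any) -> "ToyBuilder":
        self.wheres.append(f"{column} = ?")
        if isinstance(value, list):
            flat = flatten(value)
            # Vulnerable path: every element becomes its own binding, so one
            # placeholder is fed several values and every later binding shifts.
            self.bindings.extend(flat[:1] if self.hardened else flat)
        else:
            self.bindings.append(value)
        return self

    def to_sql(self) -> Tuple[str, List[Any]]:
        sql = f"SELECT id, is_admin FROM {self.table} WHERE " + " AND ".join(self.wheres)
        return sql, list(self.bindings)


def build_user_query(user_id: Any, hardened: bool) -> Tuple[str, List[Any]]:
    """The advisory's query shape: where('id', $id)->where('is_admin', 0)."""
    return ToyBuilder("users", hardened).where("id", user_id).where("is_admin", 0).to_sql()


def effective_filter(sql: str, bindings: List[Any]) -> Dict[str, Any]:
    """Pair each `column = ?` with the binding it receives by position and
    report surplus bindings left over once the placeholders run out."""
    columns = re.findall(r"(\w+) = \?", sql)
    mapping: Dict[str, Any] = {
        col: bindings[i] if i < len(bindings) else None for i, col in enumerate(columns)
    }
    mapping["surplus"] = bindings[len(columns):]
    return mapping


def run_query(sql: str, bindings: List[Any]) -> List[Tuple[int, int]]:
    """Execute against a constructed in-memory table: user 1 is an admin,
    user 2 is not. sqlite3 raises ProgrammingError on a binding-count mismatch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, 1), (2, 0)])
    return conn.execute(sql, bindings).fetchall()


if __name__ == "__main__":
    samples = (("id[]=1&id[]=1", INPUT_PREVIOUS_PATCH), ("id[0][]=1&id[0][]=1", INPUT_CURRENT_PATCH))
    for label, user_id in samples:
        for hardened in (False, True):
            sql, bindings = build_user_query(user_id, hardened)
            state = "hardened" if hardened else "vulnerable"
            print(f"{label:22} {state:10} {effective_filter(sql, bindings)}")
```

Running the script shows the core of the advisory: in the vulnerable model both sample inputs produce the bindings `["1", "1", 0]` for a statement with only two placeholders, so `is_admin` silently receives the attacker's second `"1"` and the intended `0` becomes surplus. How a given database driver treats surplus bindings varies (sqlite3 rejects the mismatch outright), which is why the advisory describes the outcome as "could lead to"; the hardened model yields `["1", 0]` and the admin row stays filtered out.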