Category: Laravel

Note: This security patch only affects applications using the $guarded property on models. In addition, applications that set $guarded to [] or ['*'] are not affected by the bug described in this post.

Today's patch fixes another subtle security issue that arises when using $request->all() to update Eloquent models that use the $guarded property. When individual columns are listed in the $guarded property, any columns that are not included in the list can be updated via mass assignment.

Note that this will introduce one extra database query to retrieve the column listing when attempting to mass assign attributes to a model that is using the $guarded property.
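
The difference between the guarding modes discussed above, as an added stand-alone PHP example (not Laravel's source and not code from the original post). It is a simplified model: the function names, the users table, and the sample input are hypothetical, and the column-aware check is an assumption based on the column-listing query the post mentions.

```php
<?php
// Added illustration: a simplified model of mass-assignment filtering.
// All function names and data below are constructed for this example.

/** Denylist only: every key not named in $guarded is accepted. */
function filterByGuarded(array $input, array $guarded): array
{
    if ($guarded === ['*']) {
        return []; // everything guarded, nothing is mass assignable
    }
    return array_filter(
        $input,
        fn ($key): bool => !in_array($key, $guarded, true),
        ARRAY_FILTER_USE_KEY
    );
}

/** Denylist plus column listing: a key must also be a real column (assumed patch behaviour). */
function filterByGuardedAndColumns(array $input, array $guarded, array $columns): array
{
    if ($guarded === []) {
        return $input; // nothing guarded, so no column lookup is needed
    }
    return array_filter(
        filterByGuarded($input, $guarded),
        fn ($key): bool => in_array($key, $columns, true),
        ARRAY_FILTER_USE_KEY
    );
}

/** Allowlist ($fillable style): only explicitly named keys are accepted. */
function filterByFillable(array $input, array $fillable): array
{
    return array_intersect_key($input, array_flip($fillable));
}

// Constructed sample data for a hypothetical users table.
$columns  = ['id', 'name', 'email', 'is_admin'];
$guarded  = ['is_admin'];
$fillable = ['name', 'email'];
// Stands in for $request->all(); 'nickname' is not a column of the table.
$input = ['name' => 'Ada', 'is_admin' => 1, 'nickname' => 'ada'];

echo 'denylist only:      ', implode(', ', array_keys(filterByGuarded($input, $guarded))), PHP_EOL;
echo 'denylist + columns: ', implode(', ', array_keys(filterByGuardedAndColumns($input, $guarded, $columns))), PHP_EOL;
echo 'allowlist:          ', implode(', ', array_keys(filterByFillable($input, $fillable))), PHP_EOL;
```

The allowlist variant needs no column lookup, so it avoids the extra query noted above.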