Category: Laravel

Note: This security patch only affects applications using the $guarded property on models. In addition, applications that set $guarded to [] or ['*'] are not affected by the bug described in this post.

Today's patch addresses another subtle security issue that arises when using $request->all() to update Eloquent models that use the $guarded property. When individual columns are listed in the $guarded property, any columns that are not included in the list can be updated via mass assignment.

Note that the patch introduces one extra database query to retrieve the column listing when attempting to mass assign attributes to a model that is using the $guarded property.
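
The pattern described above next to a stricter alternative, as an added example that is not code from the Laravel project or from this post. The namespace, the class names, the `accounts` table and its `name`, `email` and `is_admin` columns are assumptions made for illustration.

```php
<?php

namespace App\Example; // hypothetical namespace for this illustration

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;

// Deny-list model: the pattern the patch applies to.
// Every column NOT listed in $guarded remains mass assignable.
class GuardedAccount extends Model
{
    protected $table = 'accounts';       // assumed table name
    protected $guarded = ['is_admin'];   // individual columns listed
}

// Allow-list model: only the named columns can be mass assigned.
class FillableAccount extends Model
{
    protected $table = 'accounts';
    protected $fillable = ['name', 'email'];
}

class AccountController
{
    // Risky: the whole request body is handed to the model, so the
    // deny-list is the only filter on client-supplied keys.
    public function updateLoose(Request $request, GuardedAccount $account)
    {
        $account->update($request->all());

        return $account;
    }

    // Stricter: validate first, then pass only the validated keys.
    // Keys outside the rules never reach the model.
    public function updateStrict(Request $request, FillableAccount $account)
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);

        $account->update($data);

        return $account;
    }
}
```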