
Example Analysis of Major Security updates in Laravel

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article presents an example analysis of Laravel's major security update. It goes into the details and should be a useful reference for interested readers.

The Laravel team has released Laravel 6 (v6.18.27) and Laravel 7 (v7.22.0), with a planned security release for Laravel 5.5 LTS still to come. You should update your application to the latest patch version as soon as possible, especially if you use the "cookie" session driver.

Laravel 6.18.27 and 7.22.0 have been released with security-related patches. All Laravel users should upgrade to these versions as soon as possible.

Laravel 6 is the current LTS version of Laravel. However, the previous LTS release, 5.5, is still due to receive security updates until the end of August 2020.

Laravel 5.5 users should avoid the "cookie" session driver in production environments:

Since a secure version of Laravel 5.5 has not been released yet, all applications running Laravel 5.5 and earlier are advised not to use the "cookie" session driver in their production deployments.

Here is what Laravel's official team said:

Today we released a number of fixes to address security vulnerabilities in the framework that we were notified of over the weekend.

Applications that use the "cookie" session driver are primarily affected by this vulnerability. Since we have not yet released a secure version of the Laravel 5.5 framework, we recommend that all applications running Laravel 5.5 and earlier not use the "cookie" session driver in their production deployments.

Passport 9.3.2 was also released to provide compatibility with the current version. If you are running Passport on Laravel 6.x or 7.x, you should update to today's Passport version 9.3.2. This Passport version is not a security release; however, the library needs to be updated to be compatible with today's framework changes.

Regarding this vulnerability: applications that use the "cookie" session driver and also expose an encryption oracle through their application are vulnerable to remote code execution. An encryption oracle is a mechanism such as encrypting arbitrary user input and then displaying the encrypted string to the user. This combination allows users to generate valid Laravel-signed encrypted strings for any plaintext string, so that when the application uses the "cookie" driver, they can generate Laravel session payloads.

Today's fixes prefix cookie values with an HMAC hash of the cookie name before encryption, and then verify that the hash matches when decrypting, so that valid cookie payloads cannot be produced even if the application exposes an encryption oracle.

I personally apologize for the inconvenience caused by today's security release, as the nature of this fix requires us to invalidate existing encrypted cookies issued by Laravel applications. Thank you for your patience and understanding.

That's all for "Example Analysis of Major Security Updates in Laravel". Thanks for reading! We hope the content is helpful; for more related knowledge, follow the industry information channel.
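To make the fix described in the statement above concrete, here is an added example (not code from Laravel or from this article) modelling the "before" and "after" behaviour of cookie decryption. It assumes a toy encrypt-then-MAC cipher in place of Laravel's AES-256-CBC Encrypter, and the prefix format is my assumption of how Laravel's CookieValuePrefix helper builds it; the point is the name binding, not the cipher.

```python
import base64, hashlib, hmac, json, os

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF stream cipher (toy; Laravel uses AES-256-CBC)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC payload {iv, value, mac}, base64 encoded, in the shape of Laravel's Encrypter."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    mac = hmac.new(key, iv + ct, hashlib.sha256).hexdigest()
    return base64.b64encode(json.dumps({"iv": iv.hex(), "value": ct.hex(), "mac": mac}).encode()).decode()

def decrypt(key: bytes, payload: str) -> bytes:
    p = json.loads(base64.b64decode(payload))
    iv, ct = bytes.fromhex(p["iv"]), bytes.fromhex(p["value"])
    if not hmac.compare_digest(p["mac"], hmac.new(key, iv + ct, hashlib.sha256).hexdigest()):
        raise ValueError("cookie MAC mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

# Before the fix: every ciphertext made with the app key is accepted as a cookie value,
# so anything an encryption oracle hands back is already a valid cookie payload.
def read_cookie_unfixed(key: bytes, name: str, payload: str) -> bytes:
    return decrypt(key, payload)

# After the fix: the value is prefixed with an HMAC of the cookie name before encryption,
# and that prefix is checked (and stripped) on the way back in.
def cookie_prefix(key: bytes, name: str) -> bytes:
    # assumed format mirroring Laravel's CookieValuePrefix: hmac_sha1(name . 'v2') . '|'
    return (hmac.new(key, name.encode() + b"v2", hashlib.sha1).hexdigest() + "|").encode()

def make_cookie_fixed(key: bytes, name: str, value: bytes) -> str:
    return encrypt(key, cookie_prefix(key, name) + value)

def read_cookie_fixed(key: bytes, name: str, payload: str):
    plain = decrypt(key, payload)
    prefix = cookie_prefix(key, name)
    if not hmac.compare_digest(plain[: len(prefix)], prefix):
        return None  # ciphertext was not minted for this cookie name: treat the cookie as absent
    return plain[len(prefix):]

if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample APP_KEY
    oracle_output = encrypt(key, b'{"user_id":1}')  # a string the app encrypted for an unrelated feature
    print(read_cookie_unfixed(key, "laravel_session", oracle_output))  # accepted: b'{"user_id":1}'
    print(read_cookie_fixed(key, "laravel_session", oracle_output))    # rejected: None
```

Note that the prefix check also rejects a genuine cookie replayed under a different cookie name, which is why existing cookies had to be invalidated when the fix shipped.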
