[5.1] [5.3] @parent tag is not escaping #10068
Comments
|
You should NEVER execute php code from user input. That's what you're doing here. Looking at your code there, I don't see why you have an issue though, because you're just echoing a value in php. |
|
How come |
|
Because it gets compiled by blade into php, then the file is "required". |
|
From your code sample there, that's not happening though. |
|
That sort of thing would only happen if you're actually building files from user input. |
|
@GrahamCampbell I'm doing nothing special you can see, but somehow So can you please tell how to avoid so that |
That's impossible from that code sample. |
|
We don't even have a way to execute |
|
So sorry. Just read our code again. It seems that part isn't done at the "compile" level, but is done after. |
|
You have indeed uncovered a security issue. I'm going to contact Taylor. |
|
@GrahamCampbell many many thanks for reopening the issue. :) |
|
Not at all, security is very important. Sorry I took a while to realise what was going on here. |
|
In future, could you please contact Taylor directly regarding security issues, because now this is public knowledge to anyone wanting to target Laravel apps. |
|
IMO, the issue here is not so much the escaping, but more, that there's an inherit design floor here that allows this to happen in the first place. |
|
Ok, so sorry for not contacting Taylor directly and I will make sure of this next time. I will wait for some update. |
|
I reported this exact issue months ago - and it got closed to due inactivity: #7888 |
|
@theshiftexchange this so strange, I'm giving try to few things but i'm not sure what causing this. I can't say much but this need to resolved quickly. |
It's probably safer to assume e is a function that was defined before, and is not guaranteed to be the one we see above us in the code. Fixing PSR StyleCI fix IDE put spaces there, and there shouldn't be any
GrahamCampbell
changed the title
|
Is anyone able to look into this? The previous fix we had was very good, but it had to be reverted due to a bug. |
|
I looked into this and put something together, just need some tests and i will send a PR. @GrahamCampbell should I send a PR to 5.1 or 5.2 branch ? Thanks |
|
Sorry to disturb, but can somebody fix it for 5.3 at least? I only know how to remove the feature, if you like me to submit a PR!? I am sending this just because 5.3 is coming soon and I think it is better not to have this bug there, than be backward compatible. |
|
The PR had to be reverted not because of BC, but because it didn't actually work properly. We'd definitely accept a PR that does work. :) |
|
Yes it should be fixed, not removed. |
|
@taylorotwell can I request re-open for community to help ? |
|
For now, since we don't use the @parent feature of blade, we've overwritten the method and commented the str_replace line. |
themsaid
changed the title
|
this was fixed in #16033 |
@parentis not escaping when the data comes from the MySQL but it get's compiled and executed. This can be a security issue.I have created a sample repo to demonstrate the issue https://github.com/abhimanyu003/laravelSample
composer installphp artisan migratephp aritsan db:seed( Which will create a user with name@parent)You will see a notice
Master sidebar only display if @\parent tag is executed.which means that@parenttag is executed and not escaped out when it is getting data from MySQL.I'm just fetching the first user from MySQL in
routes.phpfile https://github.com/abhimanyu003/laravelSample/blob/master/app/Http/routes.php then that data passed to viewchild( Location:resouces/views/child.blade.php)You can see at line no 4.
{{ $user->name }}https://github.com/abhimanyu003/laravelSample/blob/master/resources/views/child.blade.php#L4 this is the place where blade supposed to escape@parenttag but it is not rather it is excution it and appending itmaster.blade.phpExpected Result:
Current Result:
PS:
@parentis the also the name of user in database.Thanks
The text was updated successfully, but these errors were encountered: