Framework: Breaking security release 5.6.36

Created on 7 Sep 2018 · 9 comments · Source: laravel/framework

The security release 5.6.36 escapes the output of @lang calls (https://github.com/laravel/framework/commit/d3c0a369057d0b6ebf29b5f51c903b1a85e3e09b). This broke a lot of applications and even Laravel features like the links of simple pagination and the user verification email (#25408, #25430, #25501).

But there is still no additional information on the release (AFAIK), not even a crucial entry in the upgrade guide.

As suggested by @stayallive, can't we just escape the parameters? Shouldn't the application's language files be considered a secure input?
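To make the trade-off in this issue concrete, here is an added example in plain PHP; it is not Laravel's code and not code posted in the thread. It imitates the ":placeholder" substitution of Illuminate\Translation\Translator and the htmlspecialchars() escaping that Blade applies (assumed to use ENT_QUOTES with double-encoding, which is what turns "&laquo;" into a literal "&amp;laquo;"), so it runs without the framework. The language file and the parameter value are constructed.

```php
<?php
// Added example, not code from Laravel or from the thread. It models the
// three behaviours discussed in the issue with plain PHP, mimicking the
// ":placeholder" substitution of Illuminate\Translation\Translator and the
// htmlspecialchars() escaping that Blade applies, so it runs standalone.

// Constructed stand-in for a language file. It is developer-controlled and
// contains HTML on purpose, like the pagination and verification strings.
$lines = [
    'pagination.previous' => '&laquo; Previous',
    'messages.greeting'   => 'Welcome back, <strong>:name</strong>!',
];

// Constructed attacker-controlled parameter (e.g. a display name from a form).
$name = '<script>alert(1)</script>';

// Placeholder replacement in the style of Translator::makeReplacements().
function translate(array $lines, string $key, array $replace = []): string
{
    $line = $lines[$key] ?? $key;
    foreach ($replace as $search => $value) {
        $line = str_replace(':' . $search, $value, $line);
    }
    return $line;
}

// HTML escaping as applied by {{ }} and by the 5.6.36 @lang directive
// (assumption: htmlspecialchars() with ENT_QUOTES, entities double-encoded).
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Proposal from the thread: trust the language file, escape every parameter.
function trans_escaped_params(array $lines, string $key, array $replace = []): string
{
    return translate($lines, $key, array_map('escape_html', $replace));
}

// 1. Before 5.6.36: @lang output is rendered raw, so :name becomes live script.
echo translate($lines, 'messages.greeting', ['name' => $name]), PHP_EOL;

// 2. 5.6.36: the whole translated string is escaped. No XSS, but the
//    intentional <strong> markup and the &laquo; entity are mangled.
echo escape_html(translate($lines, 'messages.greeting', ['name' => $name])), PHP_EOL;
echo escape_html(translate($lines, 'pagination.previous')), PHP_EOL;

// 3. Escape only the parameters: language-file markup survives, user input does not.
echo trans_escaped_params($lines, 'messages.greeting', ['name' => $name]), PHP_EOL;
```

Case 1 prints the script tag unescaped inside the strong element; case 2 prints every angle bracket as an entity and renders the pagination string as "&amp;laquo; Previous", which is the breakage reported in #25408; case 3 keeps the strong element and neutralises only the injected value. The caveat with case 3 is that it moves the trust boundary into the language files: any string there is rendered as raw HTML, so translations supplied by a third-party package, a translation service, or anyone with write access to resources/lang have to be reviewed like template code, and a parameter that is itself meant to carry HTML cannot go through it.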

All 9 comments

I completely understand breaking stuff for security reasons, but unlike the cookie serialization stuff this didn't even get a tweet, let alone a mention in the documentation even though it broke a huge amount of applications.

I agree, some heads up should've been given at least, a lot of people now are experiencing this issue and refactoring could take some time.
And days have passed after people complained about this and still no response...

This is still open after 19 days?

There have been many issues opened about this and I don't understand either why all of them are still ignored.
I stopped updating my Laravel apps since this release because it would take so much time to replace everything. Of course I could just search and replace every @lang() directive with {!! __() !!} but this would make no sense for two reasons:

  • This would reintroduce the XSS vulnerability
  • This would be totally useless for strings that do not contain any HTML

The best way would be to do the replacement only for strings containing HTML, which would take way too much time and would result in a very ugly code mixing two different syntaxes.

@at-dro proposed a solution 10 days ago in #25408 that sounds good. Is there any chance this could be implemented?
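The selective replacement described above, rewriting only the directives whose translation actually contains HTML, can be scripted rather than done by hand. The following is an added example in plain PHP, not code from the thread or from Laravel; the translations array is a constructed stand-in for the resources/lang files (flattened to "file.key") and the Blade snippet is a constructed template.

```php
<?php
// Added example, not code from the thread or from Laravel: rewrite @lang()
// to {!! __() !!} only where the translation really contains markup, so
// plain-text strings stay on the (now escaped) @lang directive.

// Constructed stand-in for resources/lang/en/*.php, flattened to "file.key".
$translations = [
    'messages.greeting'   => 'Welcome back, <strong>:name</strong>!',
    'messages.plain'      => 'Your order :id has shipped.',
    'pagination.previous' => '&laquo; Previous',
];

// Constructed Blade template to rewrite (nowdoc, so $user and $order are literal).
$blade = <<<'BLADE'
<p>@lang('messages.greeting', ['name' => $user->name])</p>
<p>@lang("messages.plain", ['id' => $order->id])</p>
<a href="#">@lang('pagination.previous')</a>
BLADE;

// A string that escaping would alter is treated as intentional HTML or entities.
function contains_markup(string $line): bool
{
    return htmlspecialchars($line, ENT_QUOTES, 'UTF-8') !== $line;
}

// Matches @lang('key') and @lang('key', [...]) with either quote style.
// Assumption: the parameter array contains no nested "]".
function rewrite_lang_directives(string $blade, array $translations): string
{
    $pattern = '/@lang\(\s*([\'"])([^\'"]+)\1\s*(,\s*\[[^\]]*\])?\s*\)/';

    return preg_replace_callback($pattern, function (array $m) use ($translations) {
        [$whole, $quote, $key] = $m;
        $args = $m[3] ?? '';
        $line = $translations[$key] ?? '';   // unknown key: leave the directive alone

        if (!contains_markup($line)) {
            return $whole;                   // plain text: keep the escaped @lang
        }

        return '{!! __(' . $quote . $key . $quote . $args . ') !!}';
    }, $blade);
}

echo rewrite_lang_directives($blade, $translations);
```

Running this rewrites the greeting and the pagination directive and leaves messages.plain untouched. The caveat is the one raised in the comment: every directive that is rewritten renders the translation raw again, so a :placeholder in one of those strings that is filled from request data is once more an XSS sink; the script only shrinks that surface to the strings that carry markup, it does not remove it.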

I for now reverted the change by replacing the ViewServiceProvider with: https://github.com/laravel/framework/pull/25408#issuecomment-419085682.

Until I am able to replace all occurrences and/or a fix or comment saying there won't be a fix comes... this at least allows me to move forward and keep being up-to-date with Laravel 5.7.

I gave up wishing for a fix and removed @lang throughout all my projects. I find the @lang update kind of ... let's call it unwise (they made @lang secure by removing functionality and now users are forced to actually write insecure code on purpose so that all their projects don't break), but hey, I'm not running Laravel, so what do I know?

Anyway, I've devised some regex to replace @lang with {!! __() !!}. They're not perfect, but they did the job.

Step 1: Remove simple @lang usage
Search for: @lang\(['"]([^'"]+)['"]\)
Replace with: {!! __('$1') !!}

Step 2: Remove @lang with parameters
Search: @lang\((['"][^'"]+['"] *, *\[['"][^\]]+\])\)
Replace with: {!! __($1) !!}

Be sure to make a commit before doing the replacements, in case something breaks.

I downgraded and locked the laravel-framework dependency. I will wait a few weeks more for this one, it really broke everything in so many ways.... so I'll hope a clean solution will be found, before renaming everything.

Same here

I'm reverting this entire dumpster fire. Will just document if you use @lang its up to you to escape.
