Laravel Cookie security issue patch package released

                                                       

Recommended tutorial: "laravel"

Today we released some fixes to solve our Receive notification over the weekend of a security vulnerability in the framework.

Affected primarily by this vulnerability are applications that use the "cookie" session driver. Since we have not yet released a secure version of the framework for Laravel Cookie security issue patch package released 5.5, it is recommended that all applications running Laravel Cookie security issue patch package released 5.5 and earlier do not use the "cookie" session driver in their production deployments.

We have also released Passport 9.3.2 to provide compatibility with current versions. If you are running Passport on Laravel Cookie security issue patch package released 6.x or 7.x, you should update to today's Passport 9.3.2 version. The Passport version is not a secure version. However, the library needs to be updated to be compatible with today's framework changes.

Regarding this vulnerability, applications that use the "cookie" session driver also expose a cryptographic oracle through their application and are therefore vulnerable to remote code execution. An encryption oracle is a mechanism that encrypts input from any user and then displays the encrypted string to the user. This combination of schemes allows users to generate a valid Laravel Cookie security issue patch package released signed encrypted string for any plain text string, so that when applications use the "cookie" driver they can generate Laravel Cookie security issue patch package released session payloads.

Today's fix prefixes the cookie value with the HMAC hash of the cookie name before encryption and then verifies the matching hash when decrypting, making it impossible to make a valid encryption oracle even if the encryption oracle is exposed via the application cookie payload.

I personally apologize for the inconvenience caused by today's security release, as the nature of this fix requires us to invalidate existing encryption cookies issued by Laravel Cookie security issue patch package released applications. Thank you for your patience and understanding.

Original address: https://blog.laravel.com/laravel-cookie-security-releases

Translation address: https://learnku.com/laravel/t/ 47885

The above is the detailed content of Laravel Cookie security issue patch package released. For more information, please follow other related articles on the PHP Chinese website!