dont allow mass filling with table names

laravel · Aug 13, 2020 · a92c3ee · a92c3ee
1 parent 0423b45
commit a92c3ee
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 11 deletions.
diff --git a/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php b/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php
@@ -152,6 +152,7 @@ public function isFillable($key)
         }
 
         return empty($this->getFillable()) &&
+            strpos($key, '.') === false &&
             ! Str::startsWith($key, '_');
     }
 

diff --git a/src/Illuminate/Database/Eloquent/Model.php b/src/Illuminate/Database/Eloquent/Model.php
@@ -273,15 +273,6 @@ public function qualifyColumn($column)
      */
     protected function removeTableFromKey($key)
     {
-        if (strpos($key, '.') !== false) {
-            if (! empty($this->getGuarded()) &&
-                $this->getGuarded() !== ['*']) {
-                throw new LogicException('Mass assignment of Eloquent attributes including table names is unsafe when guarding attributes.');
-            }
-
-            return last(explode('.', $key));
-        }
-
         return $key;
     }
 

diff --git a/tests/Integration/Database/EloquentModelTest.php b/tests/Integration/Database/EloquentModelTest.php
@@ -46,11 +46,11 @@ public function test_cant_update_guarded_attribute_using_json()
 
     public function test_cant_mass_fill_attributes_with_table_names_when_using_guarded()
     {
-        $this->expectException(\LogicException::class);
-
         $model = new TestModel2;
 
         $model->fill(['foo.bar' => 123]);
+
+        $this->assertCount(0, $model->getAttributes());
     }
 
     public function test_user_can_update_nullable_date()
-Original file line number
+Diff line change
@@ Expand Up / @@ -152,6 +152,7 @@ public function isFillable($key) @@
             }
             return empty($this->getFillable()) &&
+                strpos($key, '.') === false &&
                 ! Str::startsWith($key, '_');
         }
@@ Expand Down @@