After update laravel to 6.18.35, i got error in model that has $guarded attribute #2078

Closed
uesley opened this issue Aug 10, 2020 · 4 comments · Fixed by #2082

uesley commented Aug 10, 2020

  • Laravel-mongodb Version: 3.6.4
  • PHP Version: 7.3.21
  • Database Driver & Version: mongodb 1.5.5

Description:

Recently, laravel/framework#33777 was merged. Since then, I'm getting an error when I try to use the create method with a model that has a $guarded attribute.

Steps to reproduce

  1. Have a Model that has $guarded attribute:

     class Tester extends \Moloquent
     {
         protected $guarded = [
             'test',
         ];
     }

  2. Call Tester::create(['foo' => 'bar']);

Expected behaviour

It should create an object with property 'foo' in the database.

Actual behaviour

PHP Error: Call to a member function compileColumnListing() on null in /home/project/vendor/laravel/framework/src/Illuminate/Database/Schema/Builder.php on line 136

divine added the bug label Aug 11, 2020

divine (Contributor) commented Aug 11, 2020

PRs welcome 👍

I might take a closer look but probably on Sunday.

Thanks!

@jansgescheit

Same issue here. I have to downgrade to laravel/framework v6.18.32

with composer require laravel/framework:6.18.32

But be patient: this release has the vulnerability which is fixed with v6.18.35, and that version is currently not working with this package.

laravel/framework (v6.18.32)
----------------------------
 * [CVE-NONE-0001][]: Guard bypass in Eloquent models
[CVE-NONE-0001]: https://blog.laravel.com/security-release-laravel-61834-7232

@geidsonc

I had the same problem here.

I fixed the version.

roelofr commented Aug 20, 2020

Edit: I noticed what I posted below gets mentioned on the PR. Leaving it in as-is, but it is known.


To continue where @jannnnnn left off, the exact fix that causes this error is mentioned in the 6.18.35 / 7.25.0 release announcement.

"Today's patch fixes this and other potential unexpected behaviors by comparing the column that is being updated with an actual list of database columns that exist on the database table."

Since this involves a security fix that fixes some protected JSON assignments (like foo->bar whilst foo is guarded), it's good to cross-check this against code known to exploit stuff like this. Maybe mocking such a request in a unit test.

An easy fix is also suggested:

"As a personal recommendation, I recommend always using $fillable instead of $guarded"
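
The column check quoted in the comment above, and why it fails on a connection that cannot list columns, sketched as an added example that is not part of this thread and is not Laravel's or laravel-mongodb's code. It is a simplified stand-in: the function names, sample input and column list are constructed, and the null column list is an assumption standing in for the MongoDB connection.

```php
<?php
// Added example, not Laravel's or laravel-mongodb's code. All names are hypothetical.

// Pre-patch style: a key is blocked only on an exact match against $guarded.
function isGuardedNaive(string $key, array $guarded): bool
{
    return $guarded === ['*'] || in_array($key, $guarded, true);
}

// Patched style, as the announcement describes it: a key must also be a real column.
// $columns === null models a schemaless connection that has no column listing.
function isGuardedPatched(string $key, array $guarded, ?array $columns): bool
{
    if ($guarded === []) {
        return false;
    }
    if ($columns === null) {
        throw new RuntimeException('no column listing for this connection');
    }
    return isGuardedNaive($key, $guarded) || !in_array($key, $columns, true);
}

// Keys from $input that a given "is blocked" check lets through.
function accepted(array $input, callable $isBlocked): array
{
    return array_keys(array_filter($input, function ($key) use ($isBlocked) {
        return !$isBlocked($key);
    }, ARRAY_FILTER_USE_KEY));
}

// Constructed sample data: one harmless key, the guarded key, and a JSON-path key.
$input    = ['foo' => 'bar', 'test' => 'x', 'test->nested' => 'y'];
$guarded  = ['test'];
$fillable = ['foo'];
$columns  = ['id', 'foo', 'test'];

$checks = [
    'guarded, exact match only' => function ($k) use ($guarded) { return isGuardedNaive($k, $guarded); },
    'guarded + column list'     => function ($k) use ($guarded, $columns) { return isGuardedPatched($k, $guarded, $columns); },
    'guarded, no column list'   => function ($k) use ($guarded) { return isGuardedPatched($k, $guarded, null); },
    'fillable allow-list'       => function ($k) use ($fillable) { return !in_array($k, $fillable, true); },
];

foreach ($checks as $label => $isBlocked) {
    try {
        $line = implode(', ', accepted($input, $isBlocked));
    } catch (RuntimeException $e) {
        $line = 'error: ' . $e->getMessage();
    }
    echo $label, ': ', $line, PHP_EOL;
}
```

The allow-list row needs no schema lookup at all, which is why the $fillable recommendation also sidesteps the error reported in this issue.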
