Skip to content

Instantly share code, notes, and snippets.

@BlakeGardner
Last active March 1, 2019 19:31
Show Gist options
  • Save BlakeGardner/9183948 to your computer and use it in GitHub Desktop.
Save BlakeGardner/9183948 to your computer and use it in GitHub Desktop.
Security vulnerability in Laravel’s URL validator
<?php
/**
* Imagine if this came from the request or a database entry editable by the user.
* The Laravel URL validator relies on PHP's filter_var() method which considers
* file:// and php:// valid URLs. The vast majority of Laravel users probably
* expect this validator to only validate http:// & https://
* @link http://www.php.net/manual/en/wrappers.php
*/
Route::get('/', function () {
$url = 'file:///etc/hosts';
$validator = \Validator::make
(
['url' => $url],
['url' => 'url']
);
if ($validator->passes()) {
return file_get_contents($url);
}
});
@mateusgf
Copy link

Very very bad :/

Copy link

ghost commented Mar 8, 2016

Has this been patched in any recent Laravel updates?

@jonnysandu
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment