Commit
wip
freekmurze committed May 28, 2020
1 parent b8972d0 commit 38e1b18
Showing 2 changed files with 6 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,10 @@

All notable changes to `ignition` will be documented in this file

## 2.0.5 - 2020-05-29

- blacklist certain variable names when fixing variable names

## 2.0.4 - 2020-05-18

- handle exceptions in case the request doesn't have a user (#274)
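Review bot: The new 2.0.5 entry, "blacklist certain variable names when fixing variable names", does not say why those names are blacklisted or that the change closes a security issue (the discussion below ties this commit to GHSA-m5v7-pr32-mjx2 / CVE-2020-13909), which is exactly what someone reading the changelog to decide whether to upgrade needs to know. Suggest wording along the lines of "- do not suggest superglobal names such as `_env` or `_cookie` when fixing variable names (security fix)" and naming the advisory. The entry is also dated 2020-05-29 while the commit is from May 28, 2020; make the date match the actual release.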
3 changes: 2 additions & 1 deletion src/Solutions/SuggestCorrectVariableNameSolution.php
Expand Up @@ -121,7 +121,8 @@ private function isBlackListed(string $suggested): bool
'globals',
'_get',
'_post',
'_cookie'
'_cookie',
'_env',
]);
}
}
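Review bot: The visible tail of the array in `isBlackListed()` now ends with `'_cookie', '_env'`, but the hunk does not show the head of the list, so it is unclear whether the remaining PHP superglobal names in the same category as the existing `_get`, `_post` and `_cookie` entries (`_server`, `_request`, `_files`, `_session`) are covered; if they are not listed above `'globals'`, add them in this same change rather than a later one. All entries are lowercase and the hunk does not show whether `$suggested` is lowercased before comparison, so a small test asserting that both `isBlackListed('_env')` and `isBlackListed('_ENV')` return true would lock the intended behaviour in. Finally, the commit message "wip" should be replaced with one that names the fix, since this is the change the 2.0.5 changelog entry refers to.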

4 comments on commit 38e1b18

@HenkPoley HenkPoley commented on 38e1b18 Nov 15, 2021

In the end, was a fix for this applied to v1? I'm not seeing this _cookie / _env filter in https://github.com/facade/ignition/blob/1.18.0/src/Solutions/SuggestCorrectVariableNameSolution.php

Running into GHSA-m5v7-pr32-mjx2 / CVE-2020-13909 here: Roave/SecurityAdvisories#86

That CVE basically says, if you are using v1, you are on your own (applies to everything before 2.0.5).

Which prohibits installing Laravel v6.x (ignition v2 requires Laravel >=v7.x).

@HenkPoley HenkPoley commented on 38e1b18 Nov 15, 2021

🤔 Maybe src/Solutions/SuggestCorrectVariableNameSolution.php was gutted shortly after, working around the entire problem.

Was that the fix in the end?

@HenkPoley HenkPoley commented on 38e1b18 Nov 15, 2021

It looks like you, @freekmurze, as the owner, can claim the GitHub advisory and edit the version range to be correct (adding that versions below 1.16.15 are vulnerable): https://docs.github.com/en/code-security/security-advisories/editing-a-security-advisory

I have already submitted a change request to MITRE, but I'm not sure how long it will take to trickle down. Or even if that ends up anywhere 😅
