[4.2] FormBuilder throwing exception with binding array value to a single value form element #5839
Comments
Well yeah, why would fruit be an array ?
@Anahkiasen what do you mean?
Well in your second example you have
@Anahkiasen There are three main types of formats that can be submitted by the client: text, array, file. Of course in your system you intend for the field to be a string, the user can quite easily change the field name in the http request and throw an exception in your application. Take for instance a website which runs on Laravel (testing for this vulnerability): http://www.laravel-tricks.com/search?q=test --> fine The code is open source: https://github.com/CodepadME/laravel-tricks/blob/master/app/views/partials/search.blade.php
Seems related to #5645
In fact this isn't even model-form binding specific. It even occurs for re-populating old input from the session! Updating title
@lucasmichot no, this is something totally different. This is not validation related.
No this is array input related
@lucasmichot please, this isn't related to validation. This is to do with how Laravel determines what value to populate form elements with; old input, the given value, or a model-binded value. It's NOT validation related at all. The docblock in the code says it returns a string, I believe that was its intention but it can return an array, therefore it's vulnerable to throwing this exception.
Hey Gary, this is clear to me this is not validation related. No need to repeat. As I said this is array related
@lucasmichot no problem 👍
@GrahamCampbell, was this closed because the form builder isn't maintained anymore? At least the docblock should be changed even if this bug isn't going to be fixed.
Send a pull to illuminate/html then.
Works as expected -- the model view data is bound to the text box correctly
A request is made for an array of fruit and an exception is thrown:
Update: the same thing happens even when not using model binding when re-populating old session input
The issue spawns from the `getValueAttribute` function -- looking at the docblock comment it says it should return a string but it can return an array (in particular to support multiple select values etc). To me it looks like the function should always return either a string, array or null (to represent not adding `value` attribute to the form element). For those fields where only one value is allowed (text, radio, single select, etc) it should always return a string. For multiple values it should always return an array of selected values or null. Was that the desired effect? Either way the docblock is wrong. https://github.com/laravel/framework/blob/4.2/src/Illuminate/Html/FormBuilder.php#L889
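
One way to enforce the return contract described above, as an added PHP example that is not code from laravel/framework or illuminate/html. The function name `normalizeFieldValue` and its `$multiple` flag are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration; not the FormBuilder implementation.
// normalizeFieldValue() and $multiple are hypothetical names.

/**
 * Normalize a candidate value (old input, explicit value or model attribute)
 * before it is rendered into a form element.
 *
 * @param  mixed  $value
 * @param  bool   $multiple  true for elements that accept several values
 * @return string|array|null  string for single-value elements, array of
 *                            strings for multi-value ones, null = omit value
 */
function normalizeFieldValue($value, $multiple = false)
{
    if ($value === null) {
        return null;
    }

    if ($multiple) {
        // Keep only scalar members so nested arrays never reach the renderer.
        $items = array_filter((array) $value, 'is_scalar');
        return $items ? array_map('strval', array_values($items)) : null;
    }

    // Single-value element: the client may send fruit[]=x where fruit=x
    // was expected. Treat any non-scalar as "no value" instead of passing
    // an array on to string escaping.
    return is_scalar($value) ? (string) $value : null;
}

// Constructed sample input: one field name submitted in three shapes.
$samples = array(
    'fruit=apple'   => 'apple',
    'fruit[]=apple' => array('apple'),
    'fruit[a][]=x'  => array('a' => array('x')),
);

foreach ($samples as $label => $submitted) {
    $single = normalizeFieldValue($submitted);        // text, radio, single select
    $multi  = normalizeFieldValue($submitted, true);  // multiple select
    printf("%-14s single=%s multi=%s\n",
        $label, var_export($single, true), json_encode($multi));
}
```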