[5.5] Validation bypass for 'before' and 'after' rules when paired with 'date_format' rule. #24191
When using the validation rules 'before' and/or 'after' together with the 'date_format' rule, it is possible to have what should be considered invalid data be accepted by the validator as valid.
My understanding from reading the code is that the 'before' and 'after' rules, when used without the 'date_format' rule, will compare two fields relative to each other. e.g. given the rules:
$rules = ['start' => 'before:finish', 'finish' => 'after:start'];
The 'start' field must have a date which is less than the 'finish' field, and the 'finish' field must have a date which is greater than the 'start' field.
But, when the 'date_format' rule is also used, you can compare a field to another field or a specific date. And therein lies the problem. If you know what date the field is being compared to (you can easily guess that through the error message) and all fields from the request are being passed directly to the validator as data to be validated (this is quite common; Laravel itself does that in the 'ValidatesRequests' trait), you can then send an extra field in the request with the same name as that date and a value of your choosing. The validator will then give preference to comparing the field being validated relative to the bogus field, which can have an arbitrary date. (The tests added illustrate this more clearly.)
I honestly have no idea how to fix this without breaking backwards compatibility, so this pull request only adds tests that should pass but are now failing.
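As an added example (not Laravel's code and not the tests in this pull request), the following plain-PHP model reproduces the lookup order the description above attributes to the validator: the rule parameter is first looked up as a field name in the submitted data and only then parsed as a literal date. Beside it are two defensive variants, resolving a parameter that parses as a literal date before ever treating it as a field name, and passing only the keys named in the rules to the validator. All function names, the rule string and the two sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's own code: a minimal model of how a
// 'before:<date>' rule resolves its parameter once 'date_format' is set.
// Function names, the $data array shape and the sample requests below
// are constructed for illustration.

/** Strict parse: the value must round-trip through the format exactly. */
function parseDate(string $format, ?string $value): ?DateTimeImmutable
{
    if ($value === null) {
        return null;
    }
    // '!' resets unspecified fields to the epoch so format() round-trips cleanly.
    $dt = DateTimeImmutable::createFromFormat('!' . $format, $value);
    return ($dt !== false && $dt->format($format) === $value) ? $dt : null;
}

/** Read a field as a string, ignoring arrays or missing keys. */
function field(array $data, string $key): ?string
{
    $raw = $data[$key] ?? null;
    return is_string($raw) ? $raw : null;
}

/**
 * Field-first resolution, as the report describes: the rule parameter is
 * looked up as a field name in the submitted data first, and only then
 * parsed as a literal date. A submitted field named after the literal
 * therefore replaces the limit the developer wrote into the rule.
 */
function resolveFieldFirst(array $data, string $format, string $param): ?DateTimeImmutable
{
    return parseDate($format, field($data, $param)) ?? parseDate($format, $param);
}

/**
 * Literal-first resolution: a parameter that parses as a date under the
 * given format is always treated as that date, never as a field name.
 */
function resolveLiteralFirst(array $data, string $format, string $param): ?DateTimeImmutable
{
    return parseDate($format, $param) ?? parseDate($format, field($data, $param));
}

/** before:<param> with date_format:<format>; $resolve picks the lookup order. */
function passesBefore(array $data, string $attribute, string $format, string $param, callable $resolve): bool
{
    $value = parseDate($format, field($data, $attribute));
    $limit = $resolve($data, $format, $param);
    return $value !== null && $limit !== null && $value < $limit;
}

/** Second mitigation: validate only the keys the rule set names, not the whole request. */
function onlyRuledFields(array $data, array $rules): array
{
    return array_intersect_key($data, $rules);
}

$format = 'Y-m-d';
$rules  = ['deadline' => "date_format:$format|before:2018-06-01"];
$param  = '2018-06-01';

// Constructed requests: the second carries an extra field whose *name* is the
// literal date from the rule and whose value pushes the limit far into the future.
$honest = ['deadline' => '2018-07-15'];
$padded = ['deadline' => '2018-07-15', '2018-06-01' => '2099-01-01'];

$show = static function (string $label, bool $ok): void {
    printf("%-28s %s\n", $label . ':', $ok ? 'pass' : 'fail');
};

$show('honest, field-first', passesBefore($honest, 'deadline', $format, $param, 'resolveFieldFirst'));
$show('padded, field-first', passesBefore($padded, 'deadline', $format, $param, 'resolveFieldFirst'));
$show('padded, literal-first', passesBefore($padded, 'deadline', $format, $param, 'resolveLiteralFirst'));
$show('padded, allowlisted input', passesBefore(onlyRuledFields($padded, $rules), 'deadline', $format, $param, 'resolveFieldFirst'));
```

Run with php on the file: the honest request fails the rule in every configuration, while the padded request passes only under field-first resolution with the whole request as data, and fails again under literal-first resolution or once the data is narrowed to the keys named in the rules. Neither variant is the framework's fix; the second needs no framework change at all, since it only restricts what reaches the validator, which is the precondition the report identifies.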
Sure, but the common response to these PRs can be confusing. "We can't do anything with this" (though it may be true) doesn't quite reflect the suggestion that this is a legitimate way to report bugs. So maybe the docs could be clarified as to how these cases should be handled.