The Wayback Machine - https://web.archive.org/web/20210722203852/https://github.com/laravel/framework/pull/37675
Skip to content

/ framework

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[6.x] Fixed dns_get_record loose check of A records for active_url rule #37675

Merged
merged 1 commit into from Jun 13, 2021
Merged

[6.x] Fixed dns_get_record loose check of A records for active_url rule #37675

merged 1 commit into from Jun 13, 2021
+1 −1

Conversation

@0xcrypto
Copy link
Contributor

@0xcrypto 0xcrypto commented Jun 13, 2021

Fixed dns_get_record loose check of A records for active_url rule.

Tested on Laravel v8.46.0, PHP v8.0.7.

This patch is related to security issue I reported at https://huntr.dev/bounties/2-laravel/framework/.
@0xcrypto
Security Fix
27f7a92 
Fixed dns_get_record loose check of A records for active_url rule. 

Tested on Laravel v8.46.0, PHP v8.0.7.

This patch is related to security issue I reported at https://huntr.dev/bounties/2-laravel/framework/.
@0xcrypto 0xcrypto mentioned this pull request Jun 13, 2021
Closed
@GrahamCampbell
GrahamCampbell requested changes Jun 13, 2021
View changes
Copy link
Member

@GrahamCampbell GrahamCampbell left a comment

No tests?
@0xcrypto
Copy link
Contributor Author

@0xcrypto 0xcrypto commented Jun 13, 2021

No tests?

I have manually tested it. If you are a maintainer, can you please see the report I submitted and validate it? It will help me earn a bounty from huntr.dev. Thank you.
@0xcrypto 0xcrypto requested a review from GrahamCampbell Jun 13, 2021
@taylorotwell
Copy link
Member

@taylorotwell taylorotwell commented Jun 13, 2021

Can you explain why appending a . is the correct fix?
@it-can
Copy link
Contributor

@it-can it-can commented Jun 13, 2021

Can you explain why appending a . is the correct fix?

https://stackoverflow.com/questions/44494878/phps-dns-get-record-returning-subdomain-record-instead-of-domain-record/44787603#44787603
@taylorotwell taylorotwell merged commit c50087d into laravel:6.x Jun 13, 2021
17 checks passed
17 checks passed
@github-actions
PHP 7.2 - prefer-lowest
Details
@github-actions
PHP 7.2 - prefer-stable
Details
@github-actions
PHP 7.3 - prefer-lowest
Details
@github-actions
PHP 7.3 - prefer-stable
Details
@github-actions
PHP 7.4 - prefer-lowest
Details
@github-actions
PHP 7.4 - prefer-stable
Details
@github-actions
PHP 8.0 - prefer-lowest
Details
@github-actions
PHP 8.0 - prefer-stable
Details
@github-actions
PHP 7.2 - prefer-lowest - Windows
Details
@github-actions
PHP 7.2 - prefer-stable - Windows
Details
@github-actions
PHP 7.3 - prefer-lowest - Windows
Details
@github-actions
PHP 7.3 - prefer-stable - Windows
Details
@github-actions
PHP 7.4 - prefer-lowest - Windows
Details
@github-actions
PHP 7.4 - prefer-stable - Windows
Details
@github-actions
PHP 8.0 - prefer-lowest - Windows
Details
@github-actions
PHP 8.0 - prefer-stable - Windows
Details
continuous-integration/styleci/pr The analysis has passed
Details
@0xcrypto
Copy link
Contributor Author

@0xcrypto 0xcrypto commented Jun 13, 2021

Thanks @taylorotwell, can you please also validate the patch on huntr.dev (https://huntr.dev/bounties/2-laravel/framework/). I have another security report https://huntr.dev/bounties/3-laravel/framework/ but I am unsure of the fix for this one. If anyone wants to fix it, there is a bounty reward of 75$ by huntr.dev on this one.
chu121su12 added a commit to chu121su12/framework that referenced this pull request Jun 14, 2021
@0xcrypto @chu121su12
Security Fix (laravel#37675)
dbfeda1 
Fixed dns_get_record loose check of A records for active_url rule. 

Tested on Laravel v8.46.0, PHP v8.0.7.

This patch is related to security issue I reported at https://huntr.dev/bounties/2-laravel/framework/.
@GrahamCampbell GrahamCampbell changed the title Fixed dns_get_record loose check of A records for active_url rule [6.x] Fixed dns_get_record loose check of A records for active_url rule Jun 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GrahamCampbell GrahamCampbell

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
@0xcrypto @taylorotwell @it-can @GrahamCampbell