Control: tags -1 patch
Hi,
I've backported upstream's fixes for version 6.x to version 5.7,
along with a few additional lines that I believe are required to
adequately fix this for 5.7. This seems to work as far as I can tell;
upstream's test suite shows no regressions and the tests they added
along with their fixes also pass.
A patch is attached.
Regards,
Robin
From f8365784a8b5d9c3ef8ad0ce316bf056ea0eef5e Mon Sep 17 00:00:00 2001
From: Robin Gustafsson
Date: Sat, 1 May 2021 15:30:35 +0200
Subject: [PATCH] Security fix: Query Binding Exploitation
Closes: #980899
CVE-2021-21263
---
...01-6.x-Limit-expected-bindings-35865.patch | 98 +++
.../0002-Limit-expected-bindingx-v2.patch | 94 ++
...hereDay-and-whereYear-to-clean-value.patch | 31 ++
...it-bindings-for-having-between-tests.patch | 22 +
...Clean-value-in-orWhereDay-Month-Year.patch | 42
debian/patches/series | 5 +
6 files changed, 292 insertions(+)
create mode 100644 debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
create mode 100644 debian/patches/0002-Limit-expected-bindingx-v2.patch
create mode 100644 debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
create mode 100644 debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
create mode 100644 debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
create mode 100644 debian/patches/series
diff --git a/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch b/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
new file mode 100644
index 00..a42ef10821
--- /dev/null
+++ b/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
@@ -0,0 +1,98 @@
+From: Taylor Otwell
+Date: Wed, 13 Jan 2021 07:35:45 -0600
+Subject: [6.x] Limit expected bindings (#35865)
+
+* limit expected bindings
+
+* limit more bindings
+
+Origin: https://github.com/laravel/framework/commit/d0954f4574f315f0c2e9e65e92cc74b80eadcac1
+---
+ Query/Builder.php | 18 ++
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/Query/Builder.php b/Query/Builder.php
+index 4fa3c6d..0812a70 100755
+--- a/Query/Builder.php
b/Query/Builder.php
+@@ -654,7 +654,7 @@ class Builder
+ );
+
+ if (! $value instanceof Expression) {
+-$this->addBinding($value, 'where');
++$this->addBinding(is_array($value) ? head($value) : $value, 'where');
+ }
+
+ return $this;
+@@ -1051,7 +1051,7 @@ class Builder
+
+ $this->wheres[] = compact('type', 'column', 'values', 'boolean', 'not');
+
+-$this->addBinding($this->cleanBindings($values), 'where');
++$this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 'where');
+
+ return $this;
+ }
+@@ -1119,6 +1119,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y-m-d');
+ }
+@@ -1158,6 +1160,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('H:i:s');
+ }
+@@ -1197,6 +1201,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('d');
+ }
+@@ -1236,6 +1242,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('m');
+ }
+@@ -1275,6 +1283,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y');
+ }
+@@ -1581,7 +1591,7 @@ class Builder
+ $this->wheres[] = compact('type', 'column', 'operator', 'value', 'boolean');
+
+ if (! $value instanceof Expression) {
+-$this->addBinding($value);
++$this->addBinding((int) $value);
+ }
+
+ return $this;
+@@ -1714,7 +1724,7 @@ class Builder
+ $this->havings[] = compact('type', 'column', 'operator', 'value', 'boolean');
+
+ if (! $value instanceof Expression) {
+-$this->addBinding($value, 'having');
++$this->addBinding(is_array($value) ? head($value) : $value, 'having');
+ }
+
+ return $this;
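Review bot: The `is_array($value) ? head($value) : $value` guard added at the -654, -1119, -1158, -1197, -1236, -1275 and -1714 hunks of `Query/Builder.php` unwraps only one array level, so a value whose first element is itself an array still reaches `addBinding()` as an array; the `array_slice($this->cleanBindings($values), 0, 2)` at -1051 has the same gap for array elements. If `addBinding()` merges array values as it does upstream (it is not shown here), the binding count can still exceed the placeholder count, which is the condition CVE-2021-21263 describes. Flattening before taking the first element closes it, e.g. `is_array($value) ? head(Arr::flatten($value)) : $value` and `array_slice($this->cleanBindings(Arr::flatten($values)), 0, 2)`. Patch 0002 in this series presumably carries that follow-up but lies outside this section, so confirm it is listed after 0001 in `debian/patches/series` and leaves no bare `head($value)` behind. The enclosing methods start and end outside these hunks.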
diff --git a/debian/patches/0002-Limit-expected-bindingx-v2.patch