Laravel 5.4.22 is now released and available. This release fixes a security vulnerability related to the password reset system and everyone should upgrade.
Laravel 5.4.22 patches a security vulnerability in the Laravel 5.4 release series that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice that they are not on their intended application’s domain, they may accidentally enter their login credentials into a malicious application.
The release notes also describe the fix for those still running Laravel 5.1: you need to ensure the password reset link contains the full URL to your site rather than one derived from the incoming request. For example:
{{ url('http://example.com/password/reset/'.$token) }}
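The following standalone PHP script is an added illustration, not Laravel's own code, of the two patterns the advisory contrasts: a reset link whose scheme and host come from the incoming request (the pattern the vulnerability stems from) beside one anchored on a configured application URL, which is what the 5.1 guidance above and the "force host" change in 5.4.22 amount to. The function names, the constructed request array, the hostnames and the token are all assumptions made for the example; the configured URL plays the role of Laravel's app.url setting.

```php
<?php
// Added example (not Laravel's code): why a password reset link must not be
// built from the request's Host header, and the hardened alternative.

// Vulnerable pattern: derive the link's scheme and host from the request.
// HTTP_HOST is whatever the client sent, so the mailed link can point anywhere.
function resetUrlFromRequest(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/password/reset/' . rawurlencode($token);
}

// Hardened pattern: anchor the link on a configured application URL
// (the role Laravel's config('app.url') / APP_URL plays) and ignore the request host.
function resetUrlFromConfig(string $appUrl, string $token): string
{
    return rtrim($appUrl, '/') . '/password/reset/' . rawurlencode($token);
}

// Defensive check a notification could run before sending: refuse to mail a
// reset link whose host differs from the configured application host.
function linkHostMatchesApp(string $link, string $appUrl): bool
{
    $linkHost = parse_url($link, PHP_URL_HOST);
    $appHost  = parse_url($appUrl, PHP_URL_HOST);
    return $linkHost !== null && $appHost !== null
        && strcasecmp($linkHost, $appHost) === 0;
}

$appUrl = 'https://example.com';           // constructed config value (hypothetical)
$token  = 'constructed-token-123';         // constructed token, not a real one

// Constructed request: a reset request carrying a Host header that is not ours.
$suspectRequest = ['HTTP_HOST' => 'example.com.lookalike.test', 'HTTPS' => 'on'];

$fromRequest = resetUrlFromRequest($suspectRequest, $token);
$fromConfig  = resetUrlFromConfig($appUrl, $token);

printf("request-derived link: %s (host matches app: %s)\n", $fromRequest,
    linkHostMatchesApp($fromRequest, $appUrl) ? 'yes' : 'no');
printf("config-derived link:  %s (host matches app: %s)\n", $fromConfig,
    linkHostMatchesApp($fromConfig, $appUrl) ? 'yes' : 'no');
```

Run it with php on the command line: the request-derived link carries the foreign host and fails the check, while the config-derived link always points at the configured site regardless of what the request claimed. The same check is a cheap regression guard to keep in a test suite after upgrading, since a misconfigured or empty app URL would otherwise silently fall back to request-derived behaviour.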
5.4.22 Complete Changelog
Added
- Support dynamic number of keys in MessageBag::hasAny() (#19002)
- Added Seeder::callSilent() method (#19007)
- Add make() method to Eloquent query builder (#19015)
- Support Arrayable on Eloquent's find() method (#19019)
- Added SendsPasswordResetEmails::validateEmail() method (#19042)
- Allow factory attributes to be factory instances themselves (#19055)
- Implemented until() method on EventFake (#19062)
- Added $encoding parameter to Str::length() (#19047, #19079)
Changed
- Throw exception when invalid first argument is passed to cache() helper (d9459b2)
- Use getAuthIdentifierName() in Authenticatable::getAuthIdentifier() (#19038)
- Clone queries without order by for aggregates (#19064)
- Force host on password reset notification (cef1055)
Fixed
- Set data key when testing file uploads in nested array (#18954)
- Fixed a bug related to sub select queries and extra select statements (#19013)
- Resolve aliases from container when using parameters (#19071)
- Stop worker if database disconnect occurred (#19080, 583b1b8)
- Fixed internal call to assertJson() in assertJsonStructure() (#19090)