- Update dependency laravel/framework to v11.31.0 [SECURITY] - autoclosed

[blumilk-renovate]

This PR contains the following updates:

Package	Type	Update	Change
laravel/framework (source)	require	minor	11.25.0 -> 11.31.0

GitHub Vulnerability Alerts

CVE-2024-52301

Description

When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.

Resolution

The framework now ignores argv values for environment detection on non-cli SAPIs.

---

Laravel environment manipulation via query string

BIT-laravel-2024-52301 / CVE-2024-52301 / GHSA-gv7v-rgg6-548h

More information

Details

Description

When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.

Resolution

The framework now ignores argv values for environment detection on non-cli SAPIs.

Severity

• CVSS Score: 0.0 / 10 (None)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

References

• https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h
• https://nvd.nist.gov/vuln/detail/CVE-2024-52301
• https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2024-52301.yaml
• https://github.com/advisories/GHSA-gv7v-rgg6-548h
• https://github.com/laravel/framework

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

laravel/framework (laravel/framework)

v11.31.0

Compare Source

• [11.x] Refactor: return Command::FAILURE by @​fernandokbs in https://github.com/laravel/framework/pull/53354
• Allow the Batch and Chain onQueue method to accept Backed Enums by @​onlime in https://github.com/laravel/framework/pull/53359
• Add transaction generics by @​MatusBoa in https://github.com/laravel/framework/pull/53357
• Add laravel default exception blade files to view:cache by @​SamuelWei in https://github.com/laravel/framework/pull/53353
• [11.x] Added useCascadeTruncate method for PostgresGrammar by @​korkoshko in https://github.com/laravel/framework/pull/53343
• Add Application::removeDeferredServices method by @​ollieread in https://github.com/laravel/framework/pull/53362
• Add the ability to append and prepend middleware priority from the application builder by @​ollieread in https://github.com/laravel/framework/pull/53326
• Fix typo in Translator code comment by @​caendesilva in https://github.com/laravel/framework/pull/53366
• [11.x] Handle HtmlString constructed with a null by @​sperelson in https://github.com/laravel/framework/pull/53367
• [11.x] Add URL::forceHttps() to enforce HTTPS scheme for URLs by @​dasundev in https://github.com/laravel/framework/pull/53381
• [11.x] Refactor and add remaining test cases for the DatabaseUuidFailedJobProviderTest class by @​kevinb1989 in https://github.com/laravel/framework/pull/53408
• [11.X] Postgres Aurora failover - DetectsLostConnections by @​vifer in https://github.com/laravel/framework/pull/53404
• whereFullText case consistency by @​parth391 in https://github.com/laravel/framework/pull/53395
• [11.x] Add HasFactory trait to make:model generation command using --all options by @​adel007gh in https://github.com/laravel/framework/pull/53391
• Introduce support for popping items from a stackable context item by @​denjaland in https://github.com/laravel/framework/pull/53403
• [11.x] Test Improvements by @​crynobone in https://github.com/laravel/framework/pull/53414
• [11.x] Add ability to dynamically build mailers on-demand using Mail::build by @​stevebauman in https://github.com/laravel/framework/pull/53411
• [11.x] Refactor and add remaining test cases for the DatabaseFailedJobProviderTest class by @​kevinb1989 in https://github.com/laravel/framework/pull/53409
• [11.x] Fix error event listener in Vite prefetching by @​jnoordsij in https://github.com/laravel/framework/pull/53439
• [11.x] Ensure datetime cache durations account for script execution time by @​timacdonald in https://github.com/laravel/framework/pull/53431
• [11.x] Fix fluent syntax for HasManyThrough when combining HasMany followed by HasOne by @​jnoordsij in https://github.com/laravel/framework/pull/53335
• Correct parameter type of Collection::diffKeys() and Collection::diffKeysUsing() by @​AJenbo in https://github.com/laravel/framework/pull/53441
• Correct parameter type of Collection::intersectByKeys() by @​AJenbo in https://github.com/laravel/framework/pull/53444
• Fix schema foreign ID support for tables with non-standard primary key by @​willrowe in https://github.com/laravel/framework/pull/53442
• [11.x] Cache token repository by @​browner12 in https://github.com/laravel/framework/pull/53428
• Fix validation message when there is a parameter with escaped dot "." by @​mdmahbubhelal in https://github.com/laravel/framework/pull/53416
• [11.x] add optional prefix for cache key by @​browner12 in https://github.com/laravel/framework/pull/53448
• [11.x] Do not overwrite existing link header(s) in AddLinkHeadersForPreloadedAssets middleware by @​jnoordsij in https://github.com/laravel/framework/pull/53463
• [11.x] use assertTrue and assertFalse method, instead of using assertE… by @​iamyusuf in https://github.com/laravel/framework/pull/53453
• [11.x] Add DB::build method by @​stevebauman in https://github.com/laravel/framework/pull/53464
• [11.x] Add ability to dynamically build cache repositories on-demand using Cache::build by @​stevebauman in https://github.com/laravel/framework/pull/53454
• [11.x] Skip the number of connections transacting while testing to run callbacks by @​tonysm in https://github.com/laravel/framework/pull/53377

v11.30.0

Compare Source

• Add $bind parameter to Blade::directive by @​hossein-zare in https://github.com/laravel/framework/pull/53279
• [11.x] Fix trans_choice() when translation replacement include | separator by @​crynobone in https://github.com/laravel/framework/pull/53331
• [11.x] Allow the authorize method to accept Backed Enums directly by @​johanvanhelden in https://github.com/laravel/framework/pull/53330
• [11.x] use exists() instead of count() by @​browner12 in https://github.com/laravel/framework/pull/53328
• [11.x] Docblock Improvements by @​mtlukaszczyk in https://github.com/laravel/framework/pull/53325
• Allow for custom Postgres operators to be added by @​boris-glumpler in https://github.com/laravel/framework/pull/53324
• [11.x] Support Optional Dimensions for vector Column Type by @​akr4m in https://github.com/laravel/framework/pull/53316
• [11.x] Test Improvements by @​saMahmoudzadeh in https://github.com/laravel/framework/pull/53306
• [11.x] Added dropColumnsIfExists, dropColumnIfExists and dropForeignIfExists by @​eusonlito in https://github.com/laravel/framework/pull/53305
• [11.x] Provide an error message for PostTooLargeException by @​patrickomeara in https://github.com/laravel/framework/pull/53301
• [11.x] Fix integrity constraint violation on failed_jobs_uuid_unique by @​bytestream in https://github.com/laravel/framework/pull/53264
• Revert "[11.x] Added dropColumnsIfExists, dropColumnIfExists and dropForeignIfExists" by @​taylorotwell in https://github.com/laravel/framework/pull/53338
• [11.x] Introduce HasUniqueStringIds by @​cosmastech in https://github.com/laravel/framework/pull/53280
• [11.x] Refactor: check for contextual attribute before getting parameter class name by @​korkoshko in https://github.com/laravel/framework/pull/53339
• [11.x] Pick up existing views and markdowns when creating mails by @​kevinb1989 in https://github.com/laravel/framework/pull/53308
• [11.x] Add withoutDefer and withDefer testing helpers by @​timacdonald in https://github.com/laravel/framework/pull/53340

v11.29.0

Compare Source

• [10.x] Ensure headers are only attached to illuminate responses by @​timacdonald in https://github.com/laravel/framework/pull/53019
• [11.x] Component name guessing with prefix by @​royduin in https://github.com/laravel/framework/pull/53183
• [11.x] Allow list of rate limiters without requiring unique keys by @​timacdonald in https://github.com/laravel/framework/pull/53177
• Add directive @​bool to Blade by @​david-valdivia in https://github.com/laravel/framework/pull/53179
• [11.x] Fixes handling Js::from(collect()); by @​crynobone in https://github.com/laravel/framework/pull/53206
• [11.x] fix PHPDoc for \Illuminate\Redis\Connections\Connection::$events by @​taka-oyama in https://github.com/laravel/framework/pull/53211
• [11.x] fix PHPDoc for \Illuminate\Database\Connection by @​taka-oyama in https://github.com/laravel/framework/pull/53212
• [11.x] Include class-string generics for Validator::$exception by @​cosmastech in https://github.com/laravel/framework/pull/53210
• [11.x] Remove a few useless return void statements. by @​lucasmichot in https://github.com/laravel/framework/pull/53225
• [11.x] Fixes phpdoc type of Number::forHumans() by @​toarupg0318 in https://github.com/laravel/framework/pull/53218
• [11.x] Fix handling exceptions thrown in eval()'d code by @​jlabedo in https://github.com/laravel/framework/pull/53204
• [11.x] Allow using castAsJson() on non default db connection during test by @​crynobone in https://github.com/laravel/framework/pull/53256
• Improve query builder tests by @​timacdonald in https://github.com/laravel/framework/pull/53251
• [11.x] Fix incorrect bindings in DB::update when using a collection as a value by @​crynobone in https://github.com/laravel/framework/pull/53254
• fix: EloquentCollection find and unique generics by @​calebdw in https://github.com/laravel/framework/pull/53239
• [11.x] Add getConnection() Method to Factory Class for Retrieving Database Connection by @​jonathanpmartins in https://github.com/laravel/framework/pull/53237
• [11.x] Add waitUntil method to Process by @​xurshudyan in https://github.com/laravel/framework/pull/53236
• Allow Vite entry points to be merged by @​JackWH in https://github.com/laravel/framework/pull/53233
• [11.x] Add helper method to determine stray request prevention state by @​xurshudyan in https://github.com/laravel/framework/pull/53232
• [11.x] Fix typo $previousLCurrency to $previousCurrency for clarity and consistency by @​mdariftiens in https://github.com/laravel/framework/pull/53261

v11.28.1

Compare Source

• [11.x] Fix trim getting discarded in ViewMakeCommand by @​GrahamCampbell in https://github.com/laravel/framework/pull/53174
• [11.x] Discard PHP_CLI_SERVER_WORKERS on Windows environment by @​crynobone in https://github.com/laravel/framework/pull/53178
• [11.x] Improves PHP 8.4 compatibility by @​crynobone in https://github.com/laravel/framework/pull/53182
• [11.x] Fix handling empty values passed to enum_value() function instead of only empty string by @​crynobone in https://github.com/laravel/framework/pull/53181

v11.28.0

Compare Source

• [11.x] Update Authorizable methods with BackedEnum support by @​bastien-phi in https://github.com/laravel/framework/pull/53079
• [11.x] Use null as default cursor value for PHP Redis by @​jayan-blutui in https://github.com/laravel/framework/pull/53095
• [11.x] PHPDoc Improvements by @​schulerj89 in https://github.com/laravel/framework/pull/53097
• [11.x] Fix resource not escaped correctly in substituteBindingsIntoRawSql() by @​aedart in https://github.com/laravel/framework/pull/53100
• [11.x] feat: add useful defaultLocale and defaultCurrency helpers to Number facade by @​sts-ryan-holton in https://github.com/laravel/framework/pull/53101
• [11.x] Fix determining pivot timestamp column name(s) when parent relation missing one or both of timestamps by @​daniser in https://github.com/laravel/framework/pull/53103
• [11.x] Add phpstan assertions for last in Collection isEmpty and isNotEmpty by @​bastien-phi in https://github.com/laravel/framework/pull/53107
• feat: interactive env:encrypt & env:decrypt by @​hhermsen in https://github.com/laravel/framework/pull/53081
• [11.x] PHPDoc Improvements by @​schulerj89 in https://github.com/laravel/framework/pull/53109
• [11.x] Feat: remove HasFactory in model when not required by @​MrPunyapal in https://github.com/laravel/framework/pull/53104
• [11.x] Add Illuminate\Support\enum_value to resolve BackedEnum or UnitEnum to scalar by @​crynobone in https://github.com/laravel/framework/pull/53096
• [11.x] allow guessing of nested component by @​browner12 in https://github.com/laravel/framework/pull/52669
• [11.x] Introduce RouteParameter attribute by @​bastien-phi in https://github.com/laravel/framework/pull/53080
• [11.x] Refactored to use enum_value() in castBinding() by @​toarupg0318 in https://github.com/laravel/framework/pull/53131
• [11.x] Test Improvements remove code duplication by @​toarupg0318 in https://github.com/laravel/framework/pull/53128
• Revert "[11.x] Test Improvements remove code duplication" by @​taylorotwell in https://github.com/laravel/framework/pull/53132
• [11.x] Fix HasManyThrough::one() by @​staudenmeir in https://github.com/laravel/framework/pull/53119
• [11.x] Console supports Laravel Prompts 0.3+ by @​edjw in https://github.com/laravel/framework/pull/53136
• [11.x] PHPDoc Improvements by @​xurshudyan in https://github.com/laravel/framework/pull/53139
• fix: make model command with folder path - factory incorrect import path by @​JeRabix in https://github.com/laravel/framework/pull/53142
• [11.x] feat: refine return type for throw_if and throw_unless to reflect actual behavior with "falsey" values by @​crishoj in https://github.com/laravel/framework/pull/53154
• [11.x] Ensure where with array respects boolean by @​timacdonald in https://github.com/laravel/framework/pull/53147
• [11.x] Gracefully handle null passwords when verifying credentials by @​gbradley in https://github.com/laravel/framework/pull/53156
• [11.x] feat: restore type-narrowing bahavior for throw_* helpers by @​crishoj in https://github.com/laravel/framework/pull/53164
• [11.x] Add CollectedBy attribute by @​alsterholm in https://github.com/laravel/framework/pull/53122
• [11.x] Add successful and failed methods to ProcessPoolResults by @​Riley19280 in https://github.com/laravel/framework/pull/53160
• Issue with constrained() method used after foreignIdFor(), instead of table name when $table parameter is not passed uses column name by @​granitibrahimi in https://github.com/laravel/framework/pull/53144

v11.27.2

Compare Source

• [11.x] Fixes regression with queue:work Command by @​crynobone in https://github.com/laravel/framework/pull/53076
• [11.x] Fixes parameter declaration for ServiceProvider::optimizes() by @​crynobone in https://github.com/laravel/framework/pull/53074

v11.27.1

Compare Source

• [11.x] Fix border overflow on theme switcher when hovering by @​mezotv in https://github.com/laravel/framework/pull/53064
• [11.x] Optimize commands registry by @​erikgaal in https://github.com/laravel/framework/pull/52928
• [11.x] Fix #​53071 by @​it-can in https://github.com/laravel/framework/pull/53072

v11.27.0

Compare Source

• [11.x] feat: narrow types for throw_if and throw_unless by @​calebdw in https://github.com/laravel/framework/pull/53005
• [11.x] Prevent calling tries() twice by @​themsaid in https://github.com/laravel/framework/pull/53010
• [11.x] Improve PHPDoc by @​schulerj89 in https://github.com/laravel/framework/pull/53009
• [11.x] Utilise Illuminate\Support\php_binary() by @​crynobone in https://github.com/laravel/framework/pull/53008
• [11.x] Set HasAttributes@​casts() array generics by @​cosmastech in https://github.com/laravel/framework/pull/53024
• [11.x] Improve Schema::hasTable() performance by @​hafezdivandari in https://github.com/laravel/framework/pull/53006
• [11.x] Always inherit parent attributes by @​royduin in https://github.com/laravel/framework/pull/53011
• [11.x] feat: introduce option to change default Number currency by @​sts-ryan-holton in https://github.com/laravel/framework/pull/53022
• [11.x] feat: add Str::doesntContain() method and supporting tests by @​sts-ryan-holton in https://github.com/laravel/framework/pull/53035
• [11.x] Str: Add extension support for Str::inlineMarkdown() by @​ryangjchandler in https://github.com/laravel/framework/pull/53033
• Fix: Correct typehint on repository retrieval methods by @​liamduckett in https://github.com/laravel/framework/pull/53025
• [11.x] Test for forgetting non-flexible keys for file driver by @​timacdonald in https://github.com/laravel/framework/pull/53018
• Add metadata to mailable view data by @​TobMoeller in https://github.com/laravel/framework/pull/53042
• [11.x] PHPDoc Improvements by @​schulerj89 in https://github.com/laravel/framework/pull/53054
• [11.x] Test Improvements by @​toarupg0318 in https://github.com/laravel/framework/pull/53057
• [11.x] PHPDoc Improvements by @​seriquynh in https://github.com/laravel/framework/pull/53053
• Add Exception Handling for jsonOptions() Method by @​shamimulalam in https://github.com/laravel/framework/pull/53056
• [11.x] Fixes make:model for Form Requests by @​joshmanders in https://github.com/laravel/framework/pull/53052
• [11.x] Fixes validation using shouldConvertToBoolean when parameter uses dot notation by @​bytestream in https://github.com/laravel/framework/pull/53048
• [11.x] Add methods to the HTTP kernel to append middleware relative to other middleware by @​ollieread in https://github.com/laravel/framework/pull/52897
• [11.x] Add --json flag to queue:work command for structured logging by @​josecl in https://github.com/laravel/framework/pull/52887
• [11.x] Improve performance of Redis queue block_for when a worker has multiple queues to service by @​michael-scinocca in https://github.com/laravel/framework/pull/52826

v11.26.0

Compare Source

• [11.x] Fix PHPDoc typo by @​LucaRed in https://github.com/laravel/framework/pull/52960
• Add stop() method to Process and Pool by @​MiniCodeMonkey in https://github.com/laravel/framework/pull/52959
• [11.x] Improve PHPDoc by @​staudenmeir in https://github.com/laravel/framework/pull/52949
• [11.x] Fix crash of method PreventsCircularRecursion::withoutRecursion() on mocked models by @​maximetassy in https://github.com/laravel/framework/pull/52943
• [11.x] Document callable types for Enumerable::implode() by @​devfrey in https://github.com/laravel/framework/pull/52937
• [11.x] Allows Unit & Backed Enums for registering named RateLimiter & RateLimited middleware by @​sethsandaru in https://github.com/laravel/framework/pull/52935
• [11.x] Test Improvements by @​crynobone in https://github.com/laravel/framework/pull/52933
• [11.x] Fixes trust proxy REMOTE_ADDR not working in Swoole by @​chuoke in https://github.com/laravel/framework/pull/52889
• [11.x] Fixes function loading conflicts when using [@include](https://redirect.github.com/include)('vendor/autoload.php') via Laravel Envoy by @​s-damian in https://github.com/laravel/framework/pull/52974
• [11.x] Support Laravel Prompts 0.3+ by @​crynobone in https://github.com/laravel/framework/pull/52993
• Allow mass assignment with mutators when using model::guarded by @​Apfelfrisch in https://github.com/laravel/framework/pull/52962
• [11.x] Add make:job-middleware artisan command by @​dshafik in https://github.com/laravel/framework/pull/52965
• [11.x] Auto discover Events outside app namespace when folder name is in kebab-case by @​xizprodev in https://github.com/laravel/framework/pull/52976
• [11.x] Feat: factory generic in make:model command by @​MrPunyapal in https://github.com/laravel/framework/pull/52855

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.