Announcement

**Note: This security patch only affects applications using the `$guarded` property on models. In addition, applications that set `$guarded` to `[]` or `['*']` are not affected by the bug described in this post.** Today we are releasing a follow-up to yesterday's security patches. Today's patch secures another subtle security issue when using `$request->all()` to update Eloquent's models that use the `$guarded` property. When listing individual columns in the `$guarded` property, any columns that are not included in the list can be updated via mass assignment. This is expected behavior. However, unexpected updates may happen if requests are crafted to contain JSON column nesting expressions (`{"foo->bar": "value"}`). Even if the JSON `foo` column is guarded, this expression could update the `bar` JSON key within the column (because `foo->bar` is not listed in the guarded clause). Today's patch fixes this and other potential unexpected behaviors by comparing the column that is being updated with an actual list of database columns that exist on the database table. We retrieve this column list using Laravel's schema inspection facilities that already existed in the framework. Note that this will introduce one extra database query to retrieve the column listing when attempting to mass assign attributes to a model that is using the `$guarded` property. If the `$guarded` property is empty or is set to `['*']` the extra query is unnecessary and will not be executed. Applications that use `$fillable` are already protected by default and do not require us to confirm the column's validity. **As a personal recommendation, I recommend always using `$fillable` instead of `$guarded`. In general, `$fillable` is a safer approach to mass assignment protection because you are forced to list any new columns added to the database to the `$fillable` array. In contrast, you may easily forget to add a new column to a `$guarded` array, leaving it open for mass assignment by default.**

Today we released a security patch for Laravel 6.x and 7.x. In previous releases of Laravel, it was possible to mass assign Eloquent attributes that included the model's table name: ``` $model->fill(['users.name' => 'Taylor']); ``` When doing so, Eloquent would remove the table name from the attribute for you. This was a "convenience" feature of Eloquent and was not documented. However, when paired with validation, this can lead to unexpected and unvalidated values being saved to the database. For this reason, we have removed the automatic stripping of table names from mass-asignment operations so that the attributes go through the typical "fillable" / "guarded" logic. Any attributes containing table names that are not explicitly declared as fillable will be discarded. This security release will be a breaking change for applications that were relying on the undocumented table name stripping during mass assignment. **Since this feature was relatively unknown and undocumented, we expect the vast majority of Laravel applications to be able to upgrade without issues.**

Laravel v7.19.0 is released in 2020/07/07, here are the changes we`ve merged into this release.

Laravel v7.16.0 is released in 2020/06/16, here are the changes we`ve merged into this release.

Laravel v7.14.0 is released in 2020/06/02, here are the changes we`ve merged into this release.

Laravel v7.12.0 is released in 2020/05/26, here are the changes we`ve merged into this release.