-
Notifications
You must be signed in to change notification settings - Fork 11.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[5.7] Signed route allowed for passing $absolute false but was never checked as such #26265
Conversation
71384cb
to
eec3eb6
Compare
This is a breaking change please target master. |
Can you elaborate on how you think this is breaking? It was intended as a bugfix the default value for $absolute If i'm missing something please inform me. |
It is not if you are extending UrlGenerator and overwriting the hasValidSignature method, it will throw a warning. (Some environments tend to convert warnings to errors) |
And I believe the $absolute parameter should only be used for $this->route() for the outside one not for the one inside hash_hmac() but maybe im wrong. |
This last point is actually the bug I'm trying to fix. |
I agree, the changed method signature for |
I'm open to suggestions. But since the signature of |
It can be both a bug, and a breaking change. I'm not saying the change is bad, but perhaps it should have targeted the next release to avoid problems with existing packages. These types of changes can be implemented locally in your application until the next release, so you both get the functionality you need, and don't introduce any breaking changes to the framework in the middle of the 5.7 release. |
I use the signature and expires parameter to valid it through my SPA app by an ajax call, but this pr broke it =( |
@LucasLeandro1204 can you be a bit more specific? |
is this issue solved ? I have juste updated to 5.7.13 but the issue persist.... $absolute is never passed and still true even if we set it to false on the temporarySignedRoute method and it throw an invalid signature =-( |
@messi89 create a verifySignature middleware passing false and replace it in kernel |
something like that ?
I will try it |
@messi89 yeap, don't forget to throw |
@LucasLeandro1204 same issue
the only way i found is to modify
|
problem solved after check the macro on FoundationServiceProvider
so in my middleware I change
to
|
Signed route allowed for passing $absolute false but was never checked as such