Upgrading To 5.6.30 From 5.6 (Security Release)
Laravel 5.6.30 is a security release of Laravel and is recommended as an immediate upgrade for all users. Laravel 5.6.30 also contains a breaking change to cookie encryption and serialization logic, so please read the following notes carefully when upgrading your application.
This vulnerability may only be exploited if your
application encryption key (APP_KEY
environment variable) has been accessed by a
malicious user. Typically, it is not
possible for users of your application to gain access to
this value. However, ex-employees that had access to the
encryption key may be able to use the key to attack your
applications. If you have any reason to believe your
encryption key is in the hands of a malicious party, you
should always rotate the key to a new
value.
Cookie Serialization
Laravel 5.6.30 disables all serialization / unserialization of cookie values. Since all Laravel cookies are encrypted and signed, cookie values are typically considered safe from client tampering. However, if your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.
Disabling serialization on all cookie values will invalidate all of your application's sessions and users will need to log into the application again. In addition, any other encrypted cookies your application is setting will have invalid values. For this reason, you may wish to add additional logic to your application to validate that your custom cookie values match an expected list of values; otherwise, you should discard them.
Configuring Cookie Serialization
Since this vulnerability is not able to be exploited
without access to your application's encryption key, we
have chosen to provide a way to re-enable encrypted
cookie serialization while you make your application
compatible with these changes. To enable / disable
cookie serialization, you may change the static
serialize
property of the
App\Http\Middleware\EncryptCookies
middleware:
/**
* Indicates if cookies should be serialized.
*
* @var bool
*/
protected static $serialize = true;
Note: When encrypted cookie serialization is enabled, your application will be vulnerable to attack if its encryption key is accessed by a malicious party. If you believe your key may be in the hands of a malicious party, you should rotate the key to a new value before enabling encrypted cookie serialization.
Dusk 4.0.0
Dusk 4.0.0 has been released and does not serialize cookies. If you choose to enable cookie serialization, you should continue to use Dusk 3.0.0. Otherwise, you should upgrade to Dusk 4.0.0.
Passport 6.0.7
Passport 6.0.7 has been released with a new
Laravel\Passport\Passport::withoutCookieSerialization()
method. Once you have disabled cookie serialization, you
should call this method within your application's
AppServiceProvider
.
Upgrading To 5.6.0 From 5.5
Estimated Upgrade Time: 10 - 30 Minutes
Note:
We attempt to document every possible breaking change. Since some of these breaking changes are in obscure parts of the framework only a portion of these changes may actually affect your application.
PHP
Laravel 5.6 requires PHP 7.1.3 or higher.
Updating Dependencies
Update your laravel/framework
dependency to
5.6.*
and your fideloper/proxy
dependency to ^4.0
in your
composer.json
file.
In addition, if you are using the following first-party Laravel packages, you should upgrade them to their latest release:
Of course, don't forget to examine any 3rd party packages consumed by your application and verify you are using the proper version for Laravel 5.6 support.
Symfony 4
All of the underlying Symfony components used by Laravel
have been upgraded to the Symfony ^4.0
release series. If you are directly interacting with
Symfony components within your application, you should
review the Symfony
change log.
PHPUnit
You should update the phpunit/phpunit
dependency of your application to ^7.0
.
Arrays
The Arr::wrap
Method
Passing null
to the Arr::wrap
method will now return an empty array.
Artisan
The optimize
Command
The previously deprecated optimize
Artisan
command has been removed. With recent improvements to
PHP itself including the OPcache, the
optimize
command no longer provides any
relevant performance benefit. Therefore, you may remove
php artisan optimize
from the
scripts
within your
composer.json
file.
Blade
HTML Entity Encoding
In previous versions of Laravel, Blade (and the
e
helper) would not double encode HTML
entities. This was not the default behavior of the
underlying htmlspecialchars
function and
could lead to unexpected behavior when rendering content
or passing in-line JSON content to JavaScript
frameworks.
In Laravel 5.6, Blade and the e
helper will
double encode special characters by default. This brings
these features into alignment with the default behavior
of the underlying htmlspecialchars
PHP
function. If you would like to maintain the previous
behavior of preventing double encoding, you may use the
Blade::withoutDoubleEncoding
method:
<?php
namespace App\Providers;
use Illuminate\Support\Facades\Blade;
use Illuminate\Support\ServiceProvider;
class AppServiceProvider extends ServiceProvider
{
/**
* Bootstrap any application services.
*
* @return void
*/
public function boot()
{
Blade::withoutDoubleEncoding();
}
}
Cache
The Rate Limiter tooManyAttempts
Method
The unused $decayMinutes
parameter was
removed from this method's signature. If you were
overriding this method with your own implementation, you
should also remove the argument from your method's
signature.
Database
Index Order Of Morph Columns
The indexing of the columns built by the
morphs
migration method has been reversed
for better performance. If you are using the
morphs
method in one of your migrations,
you may receive an error when attempting to run the
migration's down
method. If the application
is still in development, you may use the
migrate:fresh
command to rebuild the
database from scratch. If the application is in
production, you should pass an explicit index name to
the morphs
method.
MigrationRepositoryInterface
Method
Addition
A new getMigrationsBatches
method has been
added to the MigrationRepositoryInterface
.
In the very unlikely event that you were defining your
own implementation of this class, you should add this
method to your implementation. You may view the default
implementation in the framework as an example.
Eloquent
The getDateFormat
Method
This getDateFormat
method is now
public
instead of
protected
.
Hashing
New Configuration File
All hashing configuration is now housed in its own
config/hashing.php
configuration file. You
should place a copy of the default
configuration file in your own application. Most
likely, you should maintain the bcrypt
driver as your default driver. However,
argon
is also supported.
Helpers
The e
Helper
In previous versions of Laravel, Blade (and the
e
helper) would not double encode HTML
entities. This was not the default behavior of the
underlying htmlspecialchars
function and
could lead to unexpected behavior when rendering content
or passing in-line JSON content to JavaScript
frameworks.
In Laravel 5.6, Blade and the e
helper will
double encode special characters by default. This brings
these features into alignment with the default behavior
of the underlying htmlspecialchars
PHP
function. If you would like to maintain the previous
behavior of preventing double encoding, you may pass
false
as the second argument to the
e
helper:
<?php echo e($string, false); ?>
Logging
New Configuration File
All logging configuration is now housed in its own
config/logging.php
configuration file. You
should place a copy of the default
configuration file in your own application and
tweak the settings based on your application's
needs.
The log
and log_level
configuration options may be removed from the
config/app.php
configuration file.
The configureMonologUsing
Method
If you were using the configureMonologUsing
method to customize the Monolog instance for your
application, you should now create a custom
Log channel. For more information on how to create
custom channels, check out the full
logging documentation.
The Log Writer
Class
The Illuminate\Log\Writer
class has been
renamed to Illuminate\Log\Logger
. If you
were explicitly type-hinting this class as a dependency
of one of your application's classes, you should update
the class reference to the new name. Or, alternatively,
you should strongly consider type-hinting the
standardized Psr\Log\LoggerInterface
interface instead.
The Illuminate\Contracts\Logging\Log
Interface
This interface has been removed since this interface was
a total duplication of the
Psr\Log\LoggerInterface
interface. You
should type-hint the
Psr\Log\LoggerInterface
interface
instead.
withSwiftMessage
Callbacks
In previous releases of Laravel, Swift Messages
customization callbacks registered using
withSwiftMessage
were called after
the content was already encoded and added to the
message. These callbacks are now called before
the content is added, which allows you to customize the
encoding or other message options as needed.
Pagination
Bootstrap 4
The pagination links generated by the paginator now
default to Bootstrap 4. To instruct the paginator to
generate Bootstrap 3 links, call the
Paginator::useBootstrapThree
method from
the boot
method of your
AppServiceProvider
:
<?php
namespace App\Providers;
use Illuminate\Pagination\Paginator;
use Illuminate\Support\ServiceProvider;
class AppServiceProvider extends ServiceProvider
{
/**
* Bootstrap any application services.
*
* @return void
*/
public function boot()
{
Paginator::useBootstrapThree();
}
}
Resources
The original
Property
The original
property of resource
responses is now set to the original model
instead of a JSON string / array. This allows for easier
inspection of the response's model during testing.
Routing
Returning Newly Created Models
When returning a newly created Eloquent model directly
from a route, the response status will now automatically
be set to 201
instead of 200
.
If any of your application's tests were explicitly
expecting a 200
response, those tests
should be updated to expect 201
.
Trusted Proxies
Due to underlying changes in the trusted proxy
functionality of Symfony HttpFoundation, slight changes
must be made to your application's
App\Http\Middleware\TrustProxies
middleware.
The $headers
property, which was previously
an array, is now a bit property that accepts several
different values. For example, to trust all forwarded
headers, you may update your $headers
property to the following value:
use Illuminate\Http\Request;
/**
* The headers that should be used to detect proxies.
*
* @var int
*/
protected $headers = Request::HEADER_X_FORWARDED_ALL;
For more information on the available
$headers
values, check out the full
documentation on trusting
proxies.
Validation
The ValidatesWhenResolved
Interface
The validate
method of the
ValidatesWhenResolved
interface / trait has
been renamed to validateResolved
in order
to avoid conflicts with the
$request->validate()
method.
Miscellaneous
We also encourage you to view the changes in the
laravel/laravel
GitHub
repository. While many of these changes are not
required, you may wish to keep these files in sync with
your application. Some of these changes will be covered
in this upgrade guide, but others, such as changes to
configuration files or comments, will not be. You can
easily view the changes with the GitHub
comparison tool and choose which updates are
important to you.