
Comments (11)

sinnbeck avatar sinnbeck commented on July 19, 2024 3

I have the same issue. If I use ->with($data) instead, it seems to work properly.

from inertia-laravel.

reinink avatar reinink commented on July 19, 2024 3

Yeah sorry folks, I had fixed this serious security bug back in June. See d09e6b1. Are you on the latest version of inertia-laravel?

The whole issue here was my using is_callable instead of checking if it was a closure.

Before:

array_walk_recursive($props, function (&$prop) {
    // Vulnerable: is_callable() is true for any string naming an existing function,
    // so a user-supplied value such as "phpinfo" gets executed.
    if (is_callable($prop)) {
        $prop = App::call($prop);
    }
});

After:

array_walk_recursive($props, function (&$prop) {
    // Fixed: only genuine Closure objects (the lazy-prop mechanism) are resolved;
    // plain strings are passed through untouched.
    if ($prop instanceof Closure) {
        $prop = App::call($prop);
    }
});

Make sure you get on the latest version of inertia-laravel, and you'll be good.

from inertia-laravel.
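As an added example (not inertia-laravel's own code), the before and after resolvers above are run side by side on a constructed props array so the difference is visible stand-alone; Laravel's App::call() is stood in for by call_user_func(), and phpversion() is the harmless stand-in for the phpinfo()/dump() strings mentioned in this thread.

```php
<?php
declare(strict_types=1);

/** Vulnerable resolver: any string naming an existing PHP function counts as callable. */
function resolvePropsVulnerable(array $props): array
{
    array_walk_recursive($props, function (&$prop) {
        if (is_callable($prop)) {
            // Stand-in for App::call($prop)
            $prop = call_user_func($prop);
        }
    });
    return $props;
}

/** Fixed resolver: only real Closures (the lazy-prop mechanism) are invoked. */
function resolvePropsFixed(array $props): array
{
    array_walk_recursive($props, function (&$prop) {
        if ($prop instanceof Closure) {
            $prop = call_user_func($prop);
        }
    });
    return $props;
}

// Constructed sample props: the user set their display name to the name of a
// PHP function. Note that is_callable() would also accept a ['Class', 'staticMethod']
// array, so the problem is not limited to plain strings.
$props = [
    'user'  => ['name' => 'phpversion', 'email' => 'user@example.test'],
    'stats' => fn () => ['visits' => 42],   // a genuine lazy prop
];

$vuln = resolvePropsVulnerable($props);
$safe = resolvePropsFixed($props);

// is_callable(): the user's string was executed and replaced by phpversion()'s output.
echo "is_callable     -> name = ", var_export($vuln['user']['name'], true),
     ($vuln['user']['name'] === PHP_VERSION ? "  (string was EXECUTED)" : ""), "\n";

// instanceof Closure: the string is kept verbatim, the lazy prop still resolves.
echo "instanceof Closure -> name = ", var_export($safe['user']['name'], true), "\n";
echo "instanceof Closure -> stats = ", json_encode($safe['stats']), "\n";
```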

AlexVanderbist avatar AlexVanderbist commented on July 19, 2024 1

I think the purpose might be to have lazy props (props that are only resolved when they're actually needed)?

Either way this is a pretty big security concern; for example, a user entering phpinfo as a value somewhere that'll be passed back to the Inertia component will actually execute phpinfo()!

from inertia-laravel.

reinink avatar reinink commented on July 19, 2024 1

All good. When it comes to security bugs, commotion is required.

Also, thanks @scottzirkel, you obviously found this in May already, thanks for reporting.

from inertia-laravel.

alexpersegona avatar alexpersegona commented on July 19, 2024

Having the same issue. As a test, try to update a user's name to "dump." It will try to invoke dump().

from inertia-laravel.

scottzirkel avatar scottzirkel commented on July 19, 2024

Yeah, any string that is callable will error out. Obviously this is not going to work since we're dealing with user provided data.

I checked in the PingCRM app, and it errors out there too. Was thinking I was doing something wrong. I'm not sure why the props are being called recursively like that, but everything works smoothly with that commented out.

from inertia-laravel.

alexpersegona avatar alexpersegona commented on July 19, 2024

@scottzirkel

Funny, I did the same thing; I checked PingCRM to see if the mistake was on my end.

What do you think about using a specific key name, for all user input, that skips the recursive calls? I'm just worried about removing it completely in case the creator has some purpose for it that I don't know about.

from inertia-laravel.

scottzirkel avatar scottzirkel commented on July 19, 2024

Oh I have no doubt it serves a purpose, I just haven't sorted out what that is yet. I've had it commented out locally and have yet to see an error from it.

I feel like it should be the opposite: specify a key name for what should be called? Not sure. Without knowing its true purpose, I'm kind of at a loss.

from inertia-laravel.

scottzirkel avatar scottzirkel commented on July 19, 2024

Sure enough, I hadn't refactored that. Thanks @Resin01!

from inertia-laravel.

AlexVanderbist avatar AlexVanderbist commented on July 19, 2024

For example, given the right circumstances you can get phpinfo to execute:

from inertia-laravel.

AlexVanderbist avatar AlexVanderbist commented on July 19, 2024

My bad, composer dependencies were indeed locked on a certain commit 🙈 So sorry for the unnecessary commotion

from inertia-laravel.
