DEV Community

marius-ciclistu

Originally published at systemweakness.com

Maravel-Framework 10.70: Eradicating PHP Object Injection from Background Queue



Maravel-Framework 10.70 brings Storable Array Callables to queues (and queued events), available in both the Maravel micro-framework and Maravelith.

This is a safer alternative to serializing objects when dispatching a message to the queue: the payload carries no serialized objects, so nothing is ever handed to unserialize() and PHP Object Injection cannot occur. PHP Object Injection lets an attacker who controls a serialized payload chain the magic methods (__wakeup, __destruct, __toString and similar) of classes already loaded in the application into Remote Code Execution (RCE). Previously this was prevented by a safeguard that relies on APP_KEY, so a leaked APP_KEY removed that prevention. With no serialized objects in the payload, the vulnerability is neutralized, and the Redis and SQS payloads also shrink.

The feature is fully backward compatible, but the prevention can also be enforced via a public constant in the \App\Application class:

<?php

namespace App;

class Application extends \Laravel\Lumen\Application
{
    // When true, the queue refuses payloads that contain serialized objects
    // instead of merely offering array callables as the safer alternative.
    public const FORBID_SERIALIZED_OBJECTS_IN_QUEUE = true;
}
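To make the difference concrete, here is an added, stand-alone PHP illustration. It is not Maravel-Framework's implementation (the post does not show the framework's API); it contrasts a worker that unserialize()s whatever the broker returns with one that accepts only a JSON payload holding an array callable plus scalar arguments. The class names, the JSON shape, the allowlist and the hand-crafted payloads are all assumptions constructed for the demo.

```php
<?php
// Added illustration, not Maravel-Framework code. Contrasts a queue worker
// that unserialize()s job payloads with one that only accepts a JSON-encoded
// array callable ([class, method]) plus scalar arguments.
declare(strict_types=1);

// A gadget class as it might exist anywhere in an autoloaded code base
// (constructed for the demo). Any class with a magic method is reachable
// from unserialize(); this stands in for a real gadget chain.
final class CleanupTask
{
    public string $command = '';

    public function __destruct()
    {
        // A real gadget would call system($this->command) or write a file.
        echo "[gadget] would execute: {$this->command}\n";
    }
}

// The job legitimate code wants to run (constructed for the demo).
final class SendWelcomeMail
{
    public static function handle(int $userId, string $locale): string
    {
        return "welcome mail queued for user {$userId} ({$locale})";
    }
}

// Vulnerable worker: trusts whatever the broker hands back.
function unsafeWorker(string $payload): void
{
    // If an attacker can write to Redis/SQS or forge the payload, unserialize()
    // instantiates CleanupTask and __destruct fires when $job goes out of scope.
    $job = unserialize($payload);
    if (is_object($job) && method_exists($job, 'handle')) {
        $job->handle();
    }
}

// Hardened worker: payload is JSON, callable is an allowlisted array, args are scalars.
const ALLOWED_JOBS = [
    SendWelcomeMail::class => ['handle'],
];

function safeWorker(string $payload): string
{
    $data = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);

    $callable = $data['callable'] ?? null;
    if (!is_array($callable) || count($callable) !== 2
        || !is_string($callable[0] ?? null) || !is_string($callable[1] ?? null)) {
        throw new RuntimeException('callable must be a [class, method] pair');
    }
    [$class, $method] = $callable;
    if (!isset(ALLOWED_JOBS[$class]) || !in_array($method, ALLOWED_JOBS[$class], true)) {
        throw new RuntimeException("callable not allowed: {$class}::{$method}");
    }

    $args = $data['args'] ?? [];
    foreach ($args as $arg) {
        // Only plain scalars (or null) are accepted. As defence in depth, a
        // string that looks like a PHP-serialized object (O:/C: marker) is
        // rejected too, so an accidental unserialize() downstream has nothing to bite on.
        if (!is_scalar($arg) && $arg !== null) {
            throw new RuntimeException('only scalar arguments are accepted');
        }
        if (is_string($arg) && preg_match('/(^|[;{])[OC]:\d+:"/', $arg)) {
            throw new RuntimeException('serialized object in argument rejected');
        }
    }

    // No object is ever reconstructed from the payload: the class is resolved
    // by name from the allowlist and the method is invoked statically.
    return $class::$method(...array_values($args));
}

// Demo with constructed payloads.
// Attacker-crafted serialized CleanupTask (what a poisoned broker could return).
$malicious = 'O:11:"CleanupTask":1:{s:7:"command";s:15:"id > /tmp/pwned";}';
unsafeWorker($malicious);                      // prints the [gadget] line

$legit = json_encode(['callable' => [SendWelcomeMail::class, 'handle'], 'args' => [42, 'en']]);
echo safeWorker($legit), "\n";                  // welcome mail queued for user 42 (en)

try {
    safeWorker(json_encode(['callable' => [CleanupTask::class, '__destruct'], 'args' => []]));
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";       // callable not allowed
}
```

The point of the hardened path is that the broker's bytes never reach unserialize(): the class is looked up by name against an allowlist and the arguments are constrained to scalars, which is the property that makes a leaked APP_KEY irrelevant to this attack surface. Stricter variants (rejecting any payload with a serialized marker anywhere, as the FORBID_SERIALIZED_OBJECTS_IN_QUEUE constant suggests) follow the same shape.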

The Maravelith docs and the Maravel docs were updated.

Both templates received a patch release with a new app/CallablesAsArray folder that contains example classes and their usage.
