摘要:查閱官方文檔后得知,新版為了防止對(duì)象的序列化反序列化漏洞被利用���,不再對(duì)值進(jìn)行自動(dòng)的序列化和反序列化處理�����。舉個(gè)栗子更新到后��,因?yàn)椴辉僮詣?dòng)對(duì)值進(jìn)行序列化處理��,而只能加密字符串?dāng)?shù)據(jù)�,這個(gè)時(shí)候程序就會(huì)拋出錯(cuò)誤。
最近手殘升級(jí)了項(xiàng)目里 Laravel 的小版本號(hào)(v5.5.39 => v5.5.45)����,這不升級(jí)則已�,一升級(jí)就出了問題!
Sentry 平臺(tái)上提示錯(cuò)誤:openssl_encrypt() expects parameter 1 to be string, array given�,具體報(bào)錯(cuò)記錄如下:
ErrorException
openssl_encrypt() expects parameter 1 to be string, array given
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in handleError at line 91
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in handleError at line 34
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in openssl_encrypt
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in encrypt at line 91
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in encrypt at line 139
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in handle at line 66
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRouteWithinStack at line 660
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRoute at line 635
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatchToRoute at line 601
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatch at line 590
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in IlluminateFoundationHttp{closure} at line 176
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 30
vendor/barryvdh/laravel-debugbar/src/Middleware/InjectDebugbar.php in handle at line 58
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/fideloper/proxy/src/TrustProxies.php in handle at line 56
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php in handle at line 27
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php in handle at line 46
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in IlluminatePipeline{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in IlluminateRouting{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in sendRequestThroughRouter at line 151
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in handle at line 116
public/index.php at line 55
仔細(xì)查看上面的異常堆棧記錄,并且進(jìn)行斷點(diǎn)調(diào)試���,最終確定是由于 Laravel 5.5 升級(jí)小版本后 Cookie 加密的邏輯變動(dòng)所導(dǎo)致的報(bào)錯(cuò)��。
查閱 Laravel 官方文檔(Laravel 5.5 Upgrade Guide)后得知�,Laravel 新版為了防止 PHP 對(duì)象的序列化/反序列化漏洞被利用�����,不再對(duì) Cookie 值進(jìn)行自動(dòng)的序列化和反序列化處理。
舉個(gè)栗子:
Cookie::queue("user", ["id" => 1, "name" => "admin"], 720, "/")
Laravel 更新到 v5.5.42 后�����,因?yàn)?Laravel 不再自動(dòng)對(duì) Cookie 值 ["id" => 1, "name" => "admin"] 進(jìn)行序列化處理�,而 openssl_encrypt ( string $data ... ) 只能加密字符串?dāng)?shù)據(jù),這個(gè)時(shí)候程序就會(huì)拋出錯(cuò)誤:openssl_encrypt() expects parameter 1 to be string, array given��。
解決方法:
新版里面在中間件 AppHttpMiddlewareEncryptCookies 新增靜態(tài)屬性 $serialize����,當(dāng)設(shè)置為 true 時(shí)可開啟 Cookie 值的自動(dòng)序列化和反序列化處理。
/**
* Indicates if cookies should be serialized.
*
* @var bool
*/
protected static $serialize = true;
【推薦】將 Cookie 值使用 JSON 函數(shù)編碼成字符串后再進(jìn)行存儲(chǔ)(獲取 Cookie 值后需調(diào)用 JSON 函數(shù)進(jìn)行解碼)���。
Cookie::queue("user", json_encode(["id" => 1, "name" => "admin"]), 720, "/");
-EOF-
首發(fā)于知乎專欄《PHP和Laravel學(xué)習(xí)》:https://zhuanlan.zhihu.com/p/...
掃碼關(guān)注《PHP和Laravel學(xué)習(xí)》微信公眾號(hào):
文章版權(quán)歸作者所有���,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除����。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/31203.html
