Security Fix (#37675)

Fixed dns_get_record loose check of A records for active_url rule. Tested on Laravel v8.46.0, PHP v8.0.7. This patch is related to security issue I reported at https://huntr.dev/bounties/2-laravel/framework/.
laravel · Jun 13, 2021 · c50087d · c50087d
1 parent ac66e87
commit c50087d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
@@ -59,7 +59,7 @@ public function validateActiveUrl($attribute, $value)
 
         if ($url = parse_url($value, PHP_URL_HOST)) {
             try {
-                return count(dns_get_record($url, DNS_A | DNS_AAAA)) > 0;
+                return count(dns_get_record($url.'.', DNS_A | DNS_AAAA)) > 0;
             } catch (Exception $e) {
                 return false;
             }