aravel 4.1.29 improves the column quoting for all database drivers. This protects your application from some mass assignment vulnerabilities when not using the fillable
property on models. If you are using the
fillable
property on your models to protect against mass assignment, your application is not vulnerable. However, if you are using guarded
and are passing a user controlled array into an "update" or
"save" type function, you should upgrade to 4.1.29
immediately as your application may be at risk of mass assignment.
To upgrade to Laravel 4.1.29, simply composer update
. No breaking changes are introduced in this release.
Laravel 4.1.26 introduces security improvements for "remember me" cookies. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc.
This change requires the addition of a new remember_token
column to your users
(or equivalent) database table. After this change, a fresh token will be assigned to the user each time they login to your application.
The token will also be refreshed when the user logs out of the application. The implications of this change are: if a "remember me" cookie is hijacked, simply logging out of the application will invalidate the cookie.
First, add a new, nullable remember_token
of VARCHAR(100), TEXT, or equivalent to your users
table.
Next, if you are using the Eloquent authentication driver, update your User
class with the following three methods:
public function getRememberToken()
{
return $this->remember_token;
}
public function setRememberToken($value)
{
$this->remember_token = $value;
}
public function getRememberTokenName()
{
return 'remember_token';
}
Note: All existing "remember me" sessions will be invalidated by this change, so all users will be forced to re-authenticate with your application.
Two new methods were added to the Illuminate\Auth\UserProviderInterface
interface. Sample implementations may be found in the default drivers:
public function retrieveByToken($identifier, $token);
public function updateRememberToken(UserInterface $user, $token);
The Illuminate\Auth\UserInterface
also received the three new methods described in the "Upgrade Path".
为把应用程序升级为 Laravel 4.1,需要将 composer.json
文件中 laravel/framework
的版本改为 4.1.*
。
把 public/index.php
文件替换为 仓库里这个新版本。
把 artisan
文件替换为 仓库里这个新版本。
更新 app/config/app.php
配置文件中的 aliases
和 providers
数组。更新后的数组值可以 在这个文件中 找到。记得在更新完成后将你自定义的服务提供器/别名添加回数组中。
从仓库 添加新的 app/config/remote.php
文件。
在 app/config/session.php
文件中添加新的 expire_on_close
配置选项,默认值为 false
。
在 app/config/queue.php
文件中添加新的 failed
配置区,默认值如下:
'failed' => array(
'database' => 'mysql', 'table' => 'failed_jobs',
),
(可选) 更新 app/config/view.php
文件中的 pagination
配置选项为 pagination::slider-3
。
如果 app/controllers/BaseController.php
的顶部有 use
语句,把 use Illuminate\Routing\Controllers\Controller;
改为 use Illuminate\Routing\Controller;
。
框架的密码提示功能进行了较大修改以提供更好的灵活性。你可以运行 Artisan 命令 php artisan auth:reminders-controller
(看完下面的内容之后再运行)来查看新版密码提示控制器是什么样的。你还可以浏览并根据 更新过的文档 来更新你的应用程序。
更新 app/lang/en/reminders.php
语言文件以匹配 这个更新过的文件。
出于安全原因,不再使用 URL 域名来检测你的应用程序环境,因为很容易被攻击者伪造从而修改请求的运行环境。你应该改用主机名(Mac、Linux 和 Windows 的 hostname
命令)来进行环境检测。
Laravel 现在创建一个单一的日志文件:app/storage/logs/laravel.log
。不过,你还是可以在 app/start/global.php
文件中配置日志行为。
在 bootstrap/start.php
文件中,移除 $app->redirectIfTrailingSlash()
调用。由于该方法的功能已经通过框架自带的 .htaccess
文件实现了,所以不再需要了。
然后,替换 Apache 的 .htaccess
文件为 这个新版本,用于处理尾部斜杠。
现在通过 Route::current()
获取当前路由,以前是 Route::getCurrentRoute()
。
完成上述修改后,运行 composer update
更新应用程序的核心文件即可。If you receive class load errors, try running the update
command with the --no-scripts
option enabled like so: composer update --no-scripts
(On Linux,
you may have to run sudo composer update
if you are getting Permission Denied errors).
The wildcard event listeners no longer append the event to your handler functions parameters. If you require finding the event that was fired you should use Event::firing()
.