Closed cidrbl0ck closed 1 year ago
The line right after the function declaration, and right before the if
statement should be okay! I don't think restarting apache2
is necessary, but it wouldn't hurt if you wanted to make sure that the code change is synced.
Many thanks!
One more question on this if I may, @cydrobolt. Does this format look correct:

```php
public static function finishSetup(Request $request) {
    abort(404);
    if (!isset($_COOKIE['setup_arguments'])) {
        abort(404);
    }
```
As noted here: https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc
It mentions that to remediate this vulnerability without upgrading, you add an `abort(404)` into the first line of `finishSetup`. I wanted to verify what I am seeing just to ensure it's in the right place.

```php
public static function finishSetup(Request $request) {
    // get data from cookie, decode JSON
    if (!isset($_COOKIE['setup_arguments'])) {
        abort(404);
    }
```

Is this correct? Is a restart of Apache2 or anything required to implement this change?
Also FWIW an upgrade is planned, however I'd like to resolve this issue before then.
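
One way to confirm that the workaround discussed in this thread is in place, as an added example that is not part of the thread or of Polr. The helper names `check_finish_setup` and `make_sample`, the class name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Polr code): verify that the first statement inside
# finishSetup() is "abort(404);", which is the workaround the advisory describes.
# Assumption/limitation: only // comments are ignored, /* */ comments are not.
check_finish_setup() {
    awk '
        { sub(/\/\/.*$/, ""); src = src " " $0 }   # drop // comments, join lines
        END {
            if (!match(src, /function[ \t]+finishSetup[ \t]*\([^)]*\)[ \t]*[{]/)) {
                print "finishSetup() not found"; exit 2
            }
            body = substr(src, RSTART + RLENGTH)   # text after the opening brace
            sub(/^[ \t]+/, "", body)
            if (body ~ /^abort[ \t]*\([ \t]*404[ \t]*\)[ \t]*;/) {
                print "OK: abort(404); is the first statement"; exit 0
            }
            print "NOT PATCHED: first statement is not abort(404);"; exit 1
        }
    ' "$1"
}

# Constructed sample input modelled on the snippets quoted in this thread.
# $1 selects the variant: patched | no_semi | unpatched
make_sample() {
    printf '%s\n' '<?php' 'class Example {' \
        '    public static function finishSetup(Request $request) {'
    case "$1" in
        patched) printf '%s\n' '        abort(404);' ;;
        no_semi) printf '%s\n' '        abort(404)' ;;   # missing semicolon
    esac
    printf '%s\n' '        // get data from cookie, decode JSON' \
        "        if (!isset(\$_COOKIE['setup_arguments'])) {" \
        '            abort(404);' '        }' '    }' '}'
}

# Demo: run the check against each constructed variant.
tmp=$(mktemp)
for variant in patched no_semi unpatched; do
    make_sample "$variant" > "$tmp"
    printf '%-10s ' "$variant"
    check_finish_setup "$tmp" || true
done
rm -f "$tmp"
```

Point `check_finish_setup` at the file that defines `finishSetup`; running `php -l` on that file afterwards confirms the edited file still parses.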