[8.x] Add Transliterate shortcut to the Str helper #40681
Conversation
GrahamCampbell
changed the title
|
Some email addresses could genuinely have UTF-8 characters in them though, right? Or is that not allowed? 😅 |
src/Illuminate/Support/Str.php
Outdated
| * @param bool|null $strict | ||
| * @return string | ||
| */ | ||
| public static function transliterate($string, $unkown = '?', $strict = false) |
There was a problem hiding this comment.
Should the $unkown argument be $unknown? https://github.com/voku/portable-ascii/blob/f1c1181c85e099b66713c7a36a6d65814795d149/src/voku/helper/ASCII.php#L1178
If accepted, most Str methods also get added to the Stringable class.
There was a problem hiding this comment.
I debated changing this and the strict flag. As both on their own are nondescript. However, decided to keep their original names for consistency.
I could change $unkown to $unkownFallback and $strict to $useIntl as it's a bit more descriptive.
There was a problem hiding this comment.
Sorry, I meant that there's a typo missing the second 'n' in unk_n_own.
Currently, the only allowed special characters are |
Description
Add a transliterate shortcut to the String helper.
I've added the by recommendation on a recent PR around fixing security exploit in the UI package.
In short, MYSQL and other DB hosts will transliterate special characters in queries, making it possible to bypass security checks and throttles.
In the case of the UI security exploit, by default, Laravel throttles login attempts by the applications email/username. However, if I use special characters to replace standard characters in my email when the email gets to the Database, the query parameters will transliterate. This means that
ⓣⓔⓢⓣ@ⓛⓐⓡⓐⓥⓔⓛ.ⓒⓞⓜwill be read as[email protected]by the Database. This made it was possible for a user to brute force a password by bypassing the login throttle.Adding this shortcut will make it easier to implement a more elegant solution to the current UI fix while also making it easier for users to improve the security of their application or similar functionality by adding transliteration directly from the helper without needing prior knowledge of the ASCII package.