Laravel 5.5 升級到 5.5.42 後遇到的 Cookie 序列化問題

楊曉智發表於2019-04-09

最近手殘升級了專案裡 Laravel 的小版本號(v5.5.39 => v5.5.45),這不升級則已,一升級就出了問題!

Sentry 平臺上提示錯誤:openssl_encrypt() expects parameter 1 to be string, array given,具體報錯記錄如下:

ErrorException
openssl_encrypt() expects parameter 1 to be string, array given
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in handleError at line 91
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in handleError at line 34
vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php in openssl_encrypt
vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php in encrypt at line 91
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in encrypt at line 139
vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php in handle at line 66
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRouteWithinStack at line 660
vendor/laravel/framework/src/Illuminate/Routing/Router.php in runRoute at line 635
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatchToRoute at line 601
vendor/laravel/framework/src/Illuminate/Routing/Router.php in dispatch at line 590
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in Illuminate\Foundation\Http\{closure} at line 176
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 30
vendor/barryvdh/laravel-debugbar/src/Middleware/InjectDebugbar.php in handle at line 58
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/fideloper/proxy/src/TrustProxies.php in handle at line 56
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php in handle at line 30
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php in handle at line 27
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php in handle at line 46
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in Illuminate\Pipeline\{closure} at line 149
vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php in Illuminate\Routing\{closure} at line 53
vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php in then at line 102
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in sendRequestThroughRouter at line 151
vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php in handle at line 116
public/index.php at line 55

仔細檢視上面的異常堆疊記錄,並且進行斷點除錯,最終確定是由於 Laravel 5.5 升級小版本後 Cookie 加密的邏輯變動所導致的報錯。

查閱 Laravel 官方文件(Laravel 5.5 Upgrade Guide)後得知,Laravel 新版為了防止 PHP 物件的序列化/反序列化漏洞被利用,不再對 Cookie 值進行自動的序列化和反序列化處理。

舉個栗子:

\Cookie::queue('user', ['id' => 1, 'name' => 'admin'], 720, '/')

Laravel 更新到 v5.5.42 後,因為 Laravel 不再自動對 Cookie 值 ['id' => 1, 'name' => 'admin'] 進行序列化處理,而 openssl_encrypt ( string $data ... ) 只能加密字串資料,這個時候程式就會丟擲錯誤:openssl_encrypt() expects parameter 1 to be string, array given。

解決方法:

  • 新版裡面在中介軟體 AppHttpMiddlewareEncryptCookies 新增靜態屬性 $serialize,當設定為 true 時可開啟 Cookie 值的自動序列化和反序列化處理。
/**
 * Indicates if cookies should be serialized.
 *
 * @var bool
 */
protected static $serialize = true;
  • 【推薦】將 Cookie 值使用 JSON 函式編碼成字串後再進行儲存(獲取 Cookie 值後需呼叫 JSON 函式進行解碼)。
\Cookie::queue('user', json_encode(['id' => 1, 'name' => 'admin']), 720, '/');

-EOF-

首發於知乎專欄《PHP和Laravel學習》:https://zhuanlan.zhihu.com/p/...

掃碼關注《PHP和Laravel學習》微信公眾號:

clipboard.png

相關文章