Laravel 13.15 Patches date_equals Validation Bypass, Adds Typed Translations
Laravel 13.15 includes a security fix for the date_equals validation rule, which could allow invalid date strings to pass validation due to PHP's loose comparison of null and zero. An attacker submitting a malformed date could bypass validation if the reference date resolved to a falsy timestamp like the Unix epoch. The fix switches to strict comparison for equality checks while preserving normal behavior for valid DateTime objects, requiring no code changes from developers. The release also tightens route unserialization to limit exposure to object-injection attacks during route caching. Additionally, 13.15 introduces typed translation accessors — trans()->string() and trans()->array() — reducing friction for developers using strict static analysis tools like PHPStan or Psalm.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in