Analysis Report Laravel v12.38.1 → v12.39.0

Shared security patch analysis results

AI Used: deepseek deepseek-reasoner
src/Illuminate/Console/Concerns/CreatesMatchingTest.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Console/Concerns/CreatesMatchingTest.php	2025-11-13 02:14:13.270210068 +0000+++ cache/framework_v12.39.0/src/Illuminate/Console/Concerns/CreatesMatchingTest.php	2025-11-18 17:17:33.711502987 +0000@@ -40,6 +40,7 @@             'name' => (new Stringable($path))->after($this->laravel['path'])->beforeLast('.php')->append('Test')->replace('\\', '/'),             '--pest' => $this->option('pest'),             '--phpunit' => $this->option('phpunit'),+            '--force' => $this->hasOption('force') && $this->option('force'),         ]) == 0;     } }
AI Analysis
Vulnerability Existed: no  
No vulnerability - N/A - src/Illuminate/Console/Concerns/CreatesMatchingTest.php [Lines 40-41]  
Old Code:  
```php
            'name' => (new Stringable($path))->after($this->laravel['path'])->beforeLast('.php')->append('Test')->replace('\\', '/'),
            '--pest' => $this->option('pest'),
            '--phpunit' => $this->option('phpunit'),
        ]) == 0;
```  
Fixed Code:  
```php
            'name' => (new Stringable($path))->after($this->laravel['path'])->beforeLast('.php')->append('Test')->replace('\\', '/'),
            '--pest' => $this->option('pest'),
            '--phpunit' => $this->option('phpunit'),
            '--force' => $this->hasOption('force') && $this->option('force'),
        ]) == 0;
```  
Explanation:  
The added code retrieves the 'force' option using `$this->hasOption('force') && $this->option('force')`, which returns a boolean value based on user input. This boolean is passed to `$this->call()` as a parameter. The `call` method in Laravel uses internal command dispatching and does not involve shell execution or string concatenation that could lead to injection. The value is scalar and used safely within the framework's parameter handling, with no evidence of unsanitized data reaching a vulnerable sink.
src/Illuminate/Container/Attributes/Give.php AI: No vulnerabilities
--- cache/framework_v12.38.1/src/Illuminate/Container/Attributes/Give.php	2025-11-13 02:14:13.275210389 +0000+++ cache/framework_v12.39.0/src/Illuminate/Container/Attributes/Give.php	2025-11-18 17:17:33.715503244 +0000@@ -12,9 +12,7 @@     /**      * Provide a concrete class implementation for dependency injection.      *-     * @template T-     *-     * @param  class-string<T>  $class+     * @param  string  $class      * @param  array|null  $params      */     public function __construct(
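Review bot: In the constructor docblock, replacing `@param  class-string<T>  $class` with `@param  string  $class` removes the only hint that this argument must name a class, so static analysis will now accept any string here. If the aim was only to drop `@template T`, which no other visible line of the docblock uses, `class-string` without the type parameter would keep that check.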
AI Analysis
No vulnerabilities detected in the provided diff. The changes are limited to docblock comments and do not affect the executable code or introduce any security risks.
src/Illuminate/Database/Eloquent/Factories/Factory.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Database/Eloquent/Factories/Factory.php	2025-11-13 02:14:13.297211802 +0000+++ cache/framework_v12.39.0/src/Illuminate/Database/Eloquent/Factories/Factory.php	2025-11-18 17:17:33.735504528 +0000@@ -471,7 +471,10 @@         $query = $model->newQueryWithoutScopes();          $query->fillAndInsert(-            $madeCollection->map(fn (Model $model) => $model->getAttributes())->all()+            $madeCollection->withoutAppends()+                ->setHidden([])+                ->map(static fn (Model $model) => $model->attributesToArray())+                ->all()         );     } 
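Review bot: `withoutAppends()` and `setHidden([])` are called on `$madeCollection` directly inside the `fillAndInsert(...)` argument, so unless they operate on copies, the made models keep an empty hidden list after the insert and a later `toArray()` or JSON response built from those same instances would include attributes that were previously hidden. Run the chain on cloned models or restore the original hidden and appends lists afterwards. The switch from `getAttributes()` to `attributesToArray()` also changes the inserted values from raw to array-converted form, which deserves a test covering date and JSON casts.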
AI Analysis
Vulnerability Existed: no

Explanation:
The change modifies how model attributes are collected for database insertion in a factory. The old code used `getAttributes()`, which returns all raw attributes including hidden and appended ones. The new code uses `attributesToArray()` after calling `withoutAppends()` and `setHidden([])`, which excludes virtual appended attributes but includes all database attributes (even those marked as hidden for serialization). 

Taint tracing:
- Entry point: User input could potentially influence factory definitions if the application improperly passes user data to factory states, but this is not inherent to the code change.
- Transformation: Attributes are generated based on factory definitions, which may use Faker or fixed values. No specific sanitization is applied here, but the data flow is controlled by the application.
- Sink: The `fillAndInsert` method eventually uses Eloquent's query builder, which employs parameterized queries or equivalent mechanisms, preventing SQL injection.
- Why safe: The change does not introduce new attack vectors or alter the security posture. Database insertion remains protected against SQL injection, and the attribute selection change ensures only relevant database columns are inserted, excluding virtual appended attributes. No evidence of unsanitized user input reaching the sink in an exploitable way.
src/Illuminate/Foundation/Application.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Foundation/Application.php	2025-11-13 02:14:13.311212702 +0000+++ cache/framework_v12.39.0/src/Illuminate/Foundation/Application.php	2025-11-18 17:17:33.748505362 +0000@@ -45,7 +45,7 @@      *      * @var string      */-    const VERSION = '12.38.1';+    const VERSION = '12.39.0';      /**      * The base path for the Laravel installation.
AI Analysis
Vulnerability Existed: no  
None - N/A - src/Illuminate/Foundation/Application.php Lines 45  
Old Code: `const VERSION = '12.38.1';`  
Fixed Code: `const VERSION = '12.39.0';`  

Explanation:  
The change only updates a hardcoded version constant from '12.38.1' to '12.39.0'. There is no user input entry point, and the value is not used in any sink (e.g., database queries, output functions). The modification does not alter any security-related logic or introduce any data flow from untrusted sources. Therefore, no vulnerability is present.
src/Illuminate/Foundation/Configuration/ApplicationBuilder.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Foundation/Configuration/ApplicationBuilder.php	2025-11-13 02:14:13.313212831 +0000+++ cache/framework_v12.39.0/src/Illuminate/Foundation/Configuration/ApplicationBuilder.php	2025-11-18 17:17:33.749505426 +0000@@ -363,7 +363,7 @@     /**      * Register and configure the application's exception handler.      *-     * @param  callable|null  $using+     * @param  callable(\Illuminate\Foundation\Configuration\Exceptions)|null  $using      * @return $this      */     public function withExceptions(?callable $using = null)@@ -373,12 +373,12 @@             \Illuminate\Foundation\Exceptions\Handler::class         ); -        $using ??= fn () => true;--        $this->app->afterResolving(-            \Illuminate\Foundation\Exceptions\Handler::class,-            fn ($handler) => $using(new Exceptions($handler)),-        );+        if ($using !== null) {+            $this->app->afterResolving(+                \Illuminate\Foundation\Exceptions\Handler::class,+                fn ($handler) => $using(new Exceptions($handler)),+            );+        }          return $this;     }
AI Analysis
Vulnerability Existed: no  
None - N/A - src/Illuminate/Foundation/Configuration/ApplicationBuilder.php [Lines 363-379]  
Old Code:  
```php
    $using ??= fn () => true;

    $this->app->afterResolving(
        \Illuminate\Foundation\Exceptions\Handler::class,
        fn ($handler) => $using(new Exceptions($handler)),
    );
```  
Fixed Code:  
```php
    if ($using !== null) {
        $this->app->afterResolving(
            \Illuminate\Foundation\Exceptions\Handler::class,
            fn ($handler) => $using(new Exceptions($handler)),
        );
    }
```  
Explanation: The parameter `$using` is a callable provided during application configuration by the developer and is not derived from attacker-controlled input (e.g., user request data). The code change only affects whether a callback is registered in the dependency injection container, with no alteration to data validation, sanitization, or sinks. The invocation of `$using` occurs within a controlled environment during service resolution, and there is no evidence of attacker influence or unsanitized data flow to a security-sensitive sink.
src/Illuminate/Foundation/Console/RouteListCommand.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Foundation/Console/RouteListCommand.php	2025-11-13 02:14:13.316213024 +0000+++ cache/framework_v12.39.0/src/Illuminate/Foundation/Console/RouteListCommand.php	2025-11-18 17:17:33.754505747 +0000@@ -268,6 +268,7 @@             ($this->option('path') && ! Str::contains($route['uri'], $this->option('path'))) ||             ($this->option('method') && ! Str::contains($route['method'], strtoupper($this->option('method')))) ||             ($this->option('domain') && ! Str::contains((string) $route['domain'], $this->option('domain'))) ||+            ($this->option('middleware') && ! Str::contains($route['middleware'], $this->option('middleware'))) ||             ($this->option('except-vendor') && $route['vendor']) ||             ($this->option('only-vendor') && ! $route['vendor'])) {             return;@@ -500,6 +501,7 @@             ['action', null, InputOption::VALUE_OPTIONAL, 'Filter the routes by action'],             ['name', null, InputOption::VALUE_OPTIONAL, 'Filter the routes by name'],             ['domain', null, InputOption::VALUE_OPTIONAL, 'Filter the routes by domain'],+            ['middleware', null, InputOption::VALUE_OPTIONAL, 'Filter the routes by middleware'],             ['path', null, InputOption::VALUE_OPTIONAL, 'Only show routes matching the given path pattern'],             ['except-path', null, InputOption::VALUE_OPTIONAL, 'Do not display the routes matching the given path pattern'],             ['reverse', 'r', InputOption::VALUE_NONE, 'Reverse the ordering of the routes'],
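Review bot: The new middleware filter passes `$route['middleware']` to `Str::contains` without the `(string)` cast that the domain filter one line above applies to `$route['domain']`. If a route entry can carry no middleware value, cast it the same way so the filter never receives null. The match is also case-sensitive, unlike the method filter, which upper-cases its option; state that in the option description or normalise the case.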
AI Analysis
Vulnerability Existed: no  
None - N/A - src/Illuminate/Foundation/Console/RouteListCommand.php 268,500  
Old Code:  
```php
            ($this->option('domain') && ! Str::contains((string) $route['domain'], $this->option('domain'))) ||
            ($this->option('except-vendor') && $route['vendor']) ||
            ($this->option('only-vendor') && ! $route['vendor'])) {
```  
Fixed Code:  
```php
            ($this->option('domain') && ! Str::contains((string) $route['domain'], $this->option('domain'))) ||
            ($this->option('middleware') && ! Str::contains($route['middleware'], $this->option('middleware'))) ||
            ($this->option('except-vendor') && $route['vendor']) ||
            ($this->option('only-vendor') && ! $route['vendor'])) {
```  
Explanation:  
The change adds a new 'middleware' filter option to the route list command. User input from the command-line option 'middleware' is used in the `filterRoute` method with `Str::contains` to check if the route's middleware string contains the user-provided substring. The `Str::contains` function performs a safe string comparison and does not evaluate or execute the input. The data flow is: user input → `option('middleware')` → `Str::contains` for filtering → output display (CLI or JSON). No sanitization is needed as the input is only used for string matching in a controlled context, and there is no sink that could lead to code execution, injection, or other vulnerabilities. The output is rendered to the terminal, not a web context, so XSS is not applicable. No specific bypass exists for this usage.
src/Illuminate/Foundation/Testing/RefreshDatabase.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Foundation/Testing/RefreshDatabase.php	2025-11-13 02:14:13.326213666 +0000+++ cache/framework_v12.39.0/src/Illuminate/Foundation/Testing/RefreshDatabase.php	2025-11-18 17:17:33.770506775 +0000@@ -85,6 +85,8 @@              $this->app[Kernel::class]->setArtisan(null); +            $this->updateLocalCacheOfInMemoryDatabases();+             RefreshDatabaseState::$migrated = true;         } @@ -92,6 +94,22 @@     }      /**+     * Update locally cached in-memory PDO connections after migration.+     *+     * @return void+     */+    protected function updateLocalCacheOfInMemoryDatabases()+    {+        $database = $this->app->make('db');++        foreach ($this->connectionsToTransact() as $name) {+            if ($this->usingInMemoryDatabase($name)) {+                RefreshDatabaseState::$inMemoryConnections[$name] = $database->connection($name)->getPdo();+            }+        }+    }++    /**      * Migrate the database.      *      * @return void
AI Analysis
Vulnerability Existed: no  
CWE-89 - SQL Injection - src/Illuminate/Foundation/Testing/RefreshDatabase.php [Lines added in diff, approximately 94-107]  
Old Code:  
```php
// No corresponding code in old version
```  
Fixed Code:  
```php
protected function updateLocalCacheOfInMemoryDatabases()
{
    $database = $this->app->make('db');

    foreach ($this->connectionsToTransact() as $name) {
        if ($this->usingInMemoryDatabase($name)) {
            RefreshDatabaseState::$inMemoryConnections[$name] = $database->connection($name)->getPdo();
        }
    }
}
```  

Explanation:  
The added code caches PDO connections for in-memory databases during test setup. There is no user input involved in this process. The `connectionsToTransact()` method returns test-defined connection names (e.g., from test class properties), and `usingInMemoryDatabase()` checks configuration values (e.g., from `config/database.php`). Both are controlled by the codebase, not external attackers. The PDO object is retrieved and stored without any manipulation or use in SQL queries, and it is later restored only for internal test state management. No sanitization is needed as the data flow does not incorporate user-controlled values. Defenses such as Laravel's database abstraction layer ensure safe handling of PDO connections.
src/Illuminate/Http/Client/PendingRequest.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Http/Client/PendingRequest.php	2025-11-13 02:14:13.335214245 +0000+++ cache/framework_v12.39.0/src/Illuminate/Http/Client/PendingRequest.php	2025-11-18 17:17:33.787507866 +0000@@ -884,9 +884,9 @@     /**      * Send a pool of asynchronous requests concurrently.      *-     * @param  callable  $callback+     * @param  (callable(\Illuminate\Http\Client\Pool): mixed)  $callback      * @param  int|null  $concurrency-     * @return array<array-key, \Illuminate\Http\Client\Response>+     * @return array<array-key, \Illuminate\Http\Client\Response|\Illuminate\Http\Client\ConnectionException|\Illuminate\Http\Client\RequestException>      */     public function pool(callable $callback, ?int $concurrency = null)     {
AI Analysis
Vulnerability Existed: no
None - N/A - src/Illuminate/Http/Client/PendingRequest.php [884-894]
Old Code:  
```php
    /**
     * Send a pool of asynchronous requests concurrently.
     *
     * @param  callable  $callback
     * @param  int|null  $concurrency
     * @return array<array-key, \Illuminate\Http\Client\Response>
     */
```  
Fixed Code:  
```php
    /**
     * Send a pool of asynchronous requests concurrently.
     *
     * @param  (callable(\Illuminate\Http\Client\Pool): mixed)  $callback
     * @param  int|null  $concurrency
     * @return array<array-key, \Illuminate\Http\Client\Response|\Illuminate\Http\Client\ConnectionException|\Illuminate\Http\Client\RequestException>
     */
```  

Explanation:
The changes are purely documentation improvements that update type hints and return type annotations. No code logic was modified - only comments were updated to provide better type information for the callback parameter and return values. Since these are comment changes only, they don't affect runtime behavior or introduce any security vulnerabilities.
src/Illuminate/Http/Client/RequestException.php AI: No vulnerabilities
--- cache/framework_v12.38.1/src/Illuminate/Http/Client/RequestException.php	2025-11-13 02:14:13.335214245 +0000+++ cache/framework_v12.39.0/src/Illuminate/Http/Client/RequestException.php	2025-11-18 17:17:33.787507866 +0000@@ -16,7 +16,7 @@     /**      * The current truncation length for the exception message.      *-     * @var int|false+     * @var int|false|null      */     public $truncateExceptionsAt; @@ -28,6 +28,13 @@     public static $truncateAt = 120;      /**+     * Whether the response has been summarized in the message.+     *+     * @var bool+     */+    public $hasBeenSummarized = false;++    /**      * Create a new exception instance.      *      * @param  \Illuminate\Http\Client\Response  $response@@ -35,7 +42,7 @@      */     public function __construct(Response $response, $truncateExceptionsAt = null)     {-        parent::__construct("HTTP request returned status code {$response->status()}", $response->status());+        parent::__construct($this->prepareMessage($response), $response->status());          $this->truncateExceptionsAt = $truncateExceptionsAt; 
@@ -80,14 +87,31 @@      */     public function report(): void     {+        if ($this->hasBeenSummarized) {+            return;+        }++        $this->message = $this->prepareMessage($this->response);++        $this->hasBeenSummarized = true;+    }++    /**+     * Prepare the exception message.+     *+     * @param  \Illuminate\Http\Client\Response  $response+     * @return string+     */+    protected function prepareMessage(Response $response)+    {+        $message = "HTTP request returned status code {$response->status()}";+         $truncateExceptionsAt = $this->truncateExceptionsAt ?? static::$truncateAt; -        $summary = $truncateExceptionsAt-            ? Message::bodySummary($this->response->toPsrResponse(), $truncateExceptionsAt)-            : Message::toString($this->response->toPsrResponse());+        $summary = is_int($truncateExceptionsAt)+            ? Message::bodySummary($response->toPsrResponse(), $truncateExceptionsAt)+            : Message::toString($response->toPsrResponse()); -        if (! is_null($summary)) {-            $this->message .= ":\n{$summary}\n";-        }+        return is_null($summary) ? $message : $message.":\n{$summary}\n";     } }
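Review bot: In the constructor, `prepareMessage($response)` runs inside the `parent::__construct(...)` call, before `$this->truncateExceptionsAt = $truncateExceptionsAt;` executes, so the `$this->truncateExceptionsAt ?? static::$truncateAt` lookup in `prepareMessage` cannot see the value passed to the constructor and falls back to the static default for the initial message. Assign the property first, or pass the length into `prepareMessage` as an argument. Two behaviour changes also deserve a line in the docblock or changelog: the body summary is now part of the message from construction rather than only after `report()`, so anything that logs or renders `getMessage()` will include response content, and the switch from a truthiness test to `is_int()` sends a length of `0` to `Message::bodySummary` where it previously went to `Message::toString`.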
AI Analysis
No vulnerabilities were identified in the provided code changes. The modifications primarily refactor the message preparation logic and add a flag to prevent duplicate summarization, without introducing or altering security-sensitive behavior. The response body is handled through existing methods (`Message::bodySummary` or `Message::toString`) that truncate or convert the content, but no unsanitized user input reaches a sink in a way that creates a vulnerability such as injection or information disclosure. The code does not demonstrate any bypass of defenses or uncontrolled data flow to sensitive operations.
src/Illuminate/Http/Concerns/InteractsWithContentTypes.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Http/Concerns/InteractsWithContentTypes.php	2025-11-13 02:14:13.336214309 +0000+++ cache/framework_v12.39.0/src/Illuminate/Http/Concerns/InteractsWithContentTypes.php	2025-11-18 17:17:33.787507866 +0000@@ -55,6 +55,10 @@         $types = (array) $contentTypes;          foreach ($accepts as $accept) {+            if ($accept && $pos = strpos($accept, ';')) {+                $accept = trim(substr($accept, 0, $pos));+            }+             if ($accept === '*/*' || $accept === '*') {                 return true;             }@@ -86,6 +90,10 @@         $contentTypes = (array) $contentTypes;          foreach ($accepts as $accept) {+            if ($accept && $pos = strpos($accept, ';')) {+                $accept = trim(substr($accept, 0, $pos));+            }+             if (in_array($accept, ['*/*', '*'])) {                 return $contentTypes[0];             }
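Review bot: In both loops, `$pos = strpos($accept, ';')` is tested for truthiness, so a value whose semicolon sits at offset 0 is treated like one with no semicolon and reaches the comparisons unchanged; compare against `false` if that case should be normalised too. The stripping block is also duplicated verbatim in the two methods, and a small private helper would keep the two matchers from drifting apart.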
AI Analysis
Vulnerability Existed: no  
No vulnerability - N/A - src/Illuminate/Http/Concerns/InteractsWithContentTypes.php [55-58,86-89]  
Old Code:  
```php
foreach ($accepts as $accept) {
    if ($accept === '*/*' || $accept === '*') {
        return true;
    }
    // ... existing code for content type matching
}
```  
Fixed Code:  
```php
foreach ($accepts as $accept) {
    if ($accept && $pos = strpos($accept, ';')) {
        $accept = trim(substr($accept, 0, $pos));
    }

    if ($accept === '*/*' || $accept === '*') {
        return true;
    }
    // ... existing code for content type matching
}
```  
Explanation: The change adds parameter stripping from the Accept header values before content type matching. This ensures that media types are compared without parameters, aligning with HTTP standards. The entry point is user-controlled Accept header values, which are transformed by removing anything after a semicolon and trimming. The sink is content type matching using string comparisons and regex (with preg_quote for escaping). No security vulnerability is present, as the transformation normalizes input for correct functionality, and the sink does not allow injection or other exploits due to the use of safe comparisons and escaping. The change is a functional bug fix for accurate content negotiation.
src/Illuminate/Http/Resources/Json/ResourceCollection.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Http/Resources/Json/ResourceCollection.php	2025-11-13 02:14:13.338214437 +0000+++ cache/framework_v12.39.0/src/Illuminate/Http/Resources/Json/ResourceCollection.php	2025-11-18 17:17:33.789507994 +0000@@ -23,7 +23,7 @@     /**      * The mapped collection instance.      *-     * @var \Illuminate\Support\Collection+     * @var \Illuminate\Support\Collection|null      */     public $collection; 
AI Analysis
Vulnerability Existed: no  
Old Code: `* @var \Illuminate\Support\Collection`  
Fixed Code: `* @var \Illuminate\Support\Collection|null`  
Explanation: The change is only in the docblock comment, updating the type hint to include null. This does not affect the runtime behavior of the code, as docblocks are for documentation and IDE support only. No code logic is modified, so no security vulnerability is introduced or fixed.
src/Illuminate/Pagination/resources/views/simple-tailwind.blade.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Pagination/resources/views/simple-tailwind.blade.php	2025-11-13 02:14:13.346214952 +0000+++ cache/framework_v12.39.0/src/Illuminate/Pagination/resources/views/simple-tailwind.blade.php	2025-11-18 17:17:33.796508444 +0000@@ -1,25 +1,25 @@ @if ($paginator->hasPages())-    <nav role="navigation" aria-label="{!! __('Pagination Navigation') !!}" class="flex justify-between">-        {{-- Previous Page Link --}}+    <nav role="navigation" aria-label="{{ __('Pagination Navigation') }}" class="flex gap-2 items-center justify-between">+         @if ($paginator->onFirstPage())-            <span class="relative inline-flex items-center px-4 py-2 text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-default leading-5 rounded-md dark:text-gray-600 dark:bg-gray-800 dark:border-gray-600">+            <span class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-600 bg-white border border-gray-300 cursor-not-allowed leading-5 rounded-md dark:text-gray-300 dark:bg-gray-700 dark:border-gray-600">                 {!! 
__('pagination.previous') !!}             </span>         @else-            <a href="{{ $paginator->previousPageUrl() }}" rel="prev" class="relative inline-flex items-center px-4 py-2 text-sm font-medium text-gray-700 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-500 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-700 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-300 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300">+            <a href="{{ $paginator->previousPageUrl() }}" rel="prev" class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-800 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-700 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-800 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-200 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300 hover:bg-gray-100 dark:hover:bg-gray-900 dark:hover:text-gray-200">                 {!! 
__('pagination.previous') !!}             </a>         @endif -        {{-- Next Page Link --}}         @if ($paginator->hasMorePages())-            <a href="{{ $paginator->nextPageUrl() }}" rel="next" class="relative inline-flex items-center px-4 py-2 text-sm font-medium text-gray-700 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-500 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-700 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-300 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300">+            <a href="{{ $paginator->nextPageUrl() }}" rel="next" class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-800 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-700 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-800 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-200 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300 hover:bg-gray-100 dark:hover:bg-gray-900 dark:hover:text-gray-200">                 {!! __('pagination.next') !!}             </a>         @else-            <span class="relative inline-flex items-center px-4 py-2 text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-default leading-5 rounded-md dark:text-gray-600 dark:bg-gray-800 dark:border-gray-600">+            <span class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-600 bg-white border border-gray-300 cursor-not-allowed leading-5 rounded-md dark:text-gray-300 dark:bg-gray-700 dark:border-gray-600">                 {!! __('pagination.next') !!}             </span>         @endif+     </nav> @endif
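Review bot: The `aria-label` on the `<nav>` is switched to escaped `{{ }}` output, but the four `{!! __('pagination.previous') !!}` and `{!! __('pagination.next') !!}` labels in the same template are still emitted raw. If raw output is intentional there because the translation strings carry markup, a Blade comment saying so would stop the next reader from treating it as an oversight; otherwise escape them as well. The `{{-- Previous Page Link --}}` and `{{-- Next Page Link --}}` comments are removed here while tailwind.blade.php keeps its equivalent, which makes the two templates harder to compare.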
AI Analysis
Vulnerability Existed: no  
CWE-79 - Improper Neutralization of Input During Web Page Generation - src/Illuminate/Pagination/resources/views/simple-tailwind.blade.php [2]  
Old Code: `aria-label="{!! __('Pagination Navigation') !!}"`  
Fixed Code: `aria-label="{{ __('Pagination Navigation') }}"`  
Explanation: The value `__('Pagination Navigation')` is a translation from a fixed key and is not attacker-controlled. The translation system loads strings from application-defined language files, not user input. Therefore, even with unescaped output in the old code, no XSS vulnerability exists as the source is not influenced by web requests or user data. The change to escaped output is a defensive improvement but does not address an actual vulnerability.
src/Illuminate/Pagination/resources/views/tailwind.blade.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Pagination/resources/views/tailwind.blade.php	2025-11-13 02:14:13.346214952 +0000+++ cache/framework_v12.39.0/src/Illuminate/Pagination/resources/views/tailwind.blade.php	2025-11-18 17:17:33.796508444 +0000@@ -1,30 +1,34 @@ @if ($paginator->hasPages())-    <nav role="navigation" aria-label="{{ __('Pagination Navigation') }}" class="flex items-center justify-between">-        <div class="flex justify-between flex-1 sm:hidden">+    <nav role="navigation" aria-label="{{ __('Pagination Navigation') }}">++        <div class="flex gap-2 items-center justify-between sm:hidden">+             @if ($paginator->onFirstPage())-                <span class="relative inline-flex items-center px-4 py-2 text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-default leading-5 rounded-md dark:text-gray-600 dark:bg-gray-800 dark:border-gray-600">+                <span class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-600 bg-white border border-gray-300 cursor-not-allowed leading-5 rounded-md dark:text-gray-300 dark:bg-gray-700 dark:border-gray-600">                     {!! 
__('pagination.previous') !!}                 </span>             @else-                <a href="{{ $paginator->previousPageUrl() }}" class="relative inline-flex items-center px-4 py-2 text-sm font-medium text-gray-700 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-500 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-700 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-300 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300">+                <a href="{{ $paginator->previousPageUrl() }}" rel="prev" class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-800 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-700 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-800 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-200 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300 hover:bg-gray-100 dark:hover:bg-gray-900 dark:hover:text-gray-200">                     {!! 
__('pagination.previous') !!}                 </a>             @endif              @if ($paginator->hasMorePages())-                <a href="{{ $paginator->nextPageUrl() }}" class="relative inline-flex items-center px-4 py-2 ml-3 text-sm font-medium text-gray-700 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-500 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-700 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-300 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300">+                <a href="{{ $paginator->nextPageUrl() }}" rel="next" class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-800 bg-white border border-gray-300 leading-5 rounded-md hover:text-gray-700 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-800 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-200 dark:focus:border-blue-700 dark:active:bg-gray-700 dark:active:text-gray-300 hover:bg-gray-100 dark:hover:bg-gray-900 dark:hover:text-gray-200">                     {!! __('pagination.next') !!}                 </a>             @else-                <span class="relative inline-flex items-center px-4 py-2 ml-3 text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-default leading-5 rounded-md dark:text-gray-600 dark:bg-gray-800 dark:border-gray-600">+                <span class="inline-flex items-center px-4 py-2 text-sm font-medium text-gray-600 bg-white border border-gray-300 cursor-not-allowed leading-5 rounded-md dark:text-gray-300 dark:bg-gray-700 dark:border-gray-600">                     {!! 
__('pagination.next') !!}                 </span>             @endif+         </div> -        <div class="hidden sm:flex-1 sm:flex sm:items-center sm:justify-between">+        <div class="hidden sm:flex-1 sm:flex sm:gap-2 sm:items-center sm:justify-between">+             <div>-                <p class="text-sm text-gray-700 leading-5 dark:text-gray-400">+                <p class="text-sm text-gray-700 leading-5 dark:text-gray-600">                     {!! __('Showing') !!}                     @if ($paginator->firstItem())                         <span class="font-medium">{{ $paginator->firstItem() }}</span>@@ -40,18 +44,19 @@             </div>              <div>-                <span class="relative z-0 inline-flex rtl:flex-row-reverse shadow-sm rounded-md">+                <span class="inline-flex rtl:flex-row-reverse shadow-sm rounded-md">+                     {{-- Previous Page Link --}}                     @if ($paginator->onFirstPage())                         <span aria-disabled="true" aria-label="{{ __('pagination.previous') }}">-                            <span class="relative inline-flex items-center px-2 py-2 text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-default rounded-l-md leading-5 dark:bg-gray-800 dark:border-gray-600" aria-hidden="true">+                            <span class="inline-flex items-center px-2 py-2 text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-not-allowed rounded-l-md leading-5 dark:bg-gray-700 dark:border-gray-600 dark:text-gray-400" aria-hidden="true">                                 <svg class="w-5 h-5" fill="currentColor" viewBox="0 0 20 20">                                     <path fill-rule="evenodd" d="M12.707 5.293a1 1 0 010 1.414L9.414 10l3.293 3.293a1 1 0 01-1.414 1.414l-4-4a1 1 0 010-1.414l4-4a1 1 0 011.414 0z" clip-rule="evenodd" />                                 </svg>                             </span>                         </span>                     @else-      
                  <a href="{{ $paginator->previousPageUrl() }}" rel="prev" class="relative inline-flex items-center px-2 py-2 text-sm font-medium text-gray-500 bg-white border border-gray-300 rounded-l-md leading-5 hover:text-gray-400 focus:z-10 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-500 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:active:bg-gray-700 dark:focus:border-blue-800" aria-label="{{ __('pagination.previous') }}">+                        <a href="{{ $paginator->previousPageUrl() }}" rel="prev" class="inline-flex items-center px-2 py-2 text-sm font-medium text-gray-500 bg-white border border-gray-300 rounded-l-md leading-5 hover:text-gray-400 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-500 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:active:bg-gray-700 dark:focus:border-blue-800 dark:text-gray-300 dark:hover:bg-gray-900 dark:hover:text-gray-300" aria-label="{{ __('pagination.previous') }}">                             <svg class="w-5 h-5" fill="currentColor" viewBox="0 0 20 20">                                 <path fill-rule="evenodd" d="M12.707 5.293a1 1 0 010 1.414L9.414 10l3.293 3.293a1 1 0 01-1.414 1.414l-4-4a1 1 0 010-1.414l4-4a1 1 0 011.414 0z" clip-rule="evenodd" />                             </svg>@@ -63,7 +68,7 @@                         {{-- "Three Dots" Separator --}}                         @if (is_string($element))                             <span aria-disabled="true">-                                <span class="relative inline-flex items-center px-4 py-2 -ml-px text-sm font-medium text-gray-700 bg-white border border-gray-300 cursor-default leading-5 dark:bg-gray-800 dark:border-gray-600">{{ $element }}</span>+                                <span class="inline-flex items-center px-4 py-2 -ml-px text-sm font-medium text-gray-700 bg-white border 
border-gray-300 cursor-default leading-5 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-300">{{ $element }}</span>                             </span>                         @endif 
@@ -72,10 +77,10 @@                             @foreach ($element as $page => $url)                                 @if ($page == $paginator->currentPage())                                     <span aria-current="page">-                                        <span class="relative inline-flex items-center px-4 py-2 -ml-px text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-default leading-5 dark:bg-gray-800 dark:border-gray-600">{{ $page }}</span>+                                        <span class="inline-flex items-center px-4 py-2 -ml-px text-sm font-medium text-gray-700 bg-gray-200 border border-gray-300 cursor-default leading-5 dark:bg-gray-700 dark:border-gray-600 dark:text-gray-300">{{ $page }}</span>                                     </span>                                 @else-                                    <a href="{{ $url }}" class="relative inline-flex items-center px-4 py-2 -ml-px text-sm font-medium text-gray-700 bg-white border border-gray-300 leading-5 hover:text-gray-500 focus:z-10 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-700 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-400 dark:hover:text-gray-300 dark:active:bg-gray-700 dark:focus:border-blue-800" aria-label="{{ __('Go to page :page', ['page' => $page]) }}">+                                    <a href="{{ $url }}" class="inline-flex items-center px-4 py-2 -ml-px text-sm font-medium text-gray-700 bg-white border border-gray-300 leading-5 hover:text-gray-700 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-700 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:text-gray-300 dark:hover:text-gray-300 dark:active:bg-gray-700 dark:focus:border-blue-800 hover:bg-gray-100 dark:hover:bg-gray-900" aria-label="{{ __('Go to page :page', ['page' => $page]) }}">                                      
   {{ $page }}                                     </a>                                 @endif@@ -85,14 +90,14 @@                      {{-- Next Page Link --}}                     @if ($paginator->hasMorePages())-                        <a href="{{ $paginator->nextPageUrl() }}" rel="next" class="relative inline-flex items-center px-2 py-2 -ml-px text-sm font-medium text-gray-500 bg-white border border-gray-300 rounded-r-md leading-5 hover:text-gray-400 focus:z-10 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-500 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:active:bg-gray-700 dark:focus:border-blue-800" aria-label="{{ __('pagination.next') }}">+                        <a href="{{ $paginator->nextPageUrl() }}" rel="next" class="inline-flex items-center px-2 py-2 -ml-px text-sm font-medium text-gray-500 bg-white border border-gray-300 rounded-r-md leading-5 hover:text-gray-400 focus:outline-none focus:ring ring-gray-300 focus:border-blue-300 active:bg-gray-100 active:text-gray-500 transition ease-in-out duration-150 dark:bg-gray-800 dark:border-gray-600 dark:active:bg-gray-700 dark:focus:border-blue-800 dark:text-gray-300 dark:hover:bg-gray-900 dark:hover:text-gray-300" aria-label="{{ __('pagination.next') }}">                             <svg class="w-5 h-5" fill="currentColor" viewBox="0 0 20 20">                                 <path fill-rule="evenodd" d="M7.293 14.707a1 1 0 010-1.414L10.586 10 7.293 6.707a1 1 0 011.414-1.414l4 4a1 1 0 010 1.414l-4 4a1 1 0 01-1.414 0z" clip-rule="evenodd" />                             </svg>                         </a>                     @else                         <span aria-disabled="true" aria-label="{{ __('pagination.next') }}">-                            <span class="relative inline-flex items-center px-2 py-2 -ml-px text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-default rounded-r-md leading-5 
dark:bg-gray-800 dark:border-gray-600" aria-hidden="true">+                            <span class="inline-flex items-center px-2 py-2 -ml-px text-sm font-medium text-gray-500 bg-white border border-gray-300 cursor-not-allowed rounded-r-md leading-5 dark:bg-gray-700 dark:border-gray-600 dark:text-gray-400" aria-hidden="true">                                 <svg class="w-5 h-5" fill="currentColor" viewBox="0 0 20 20">                                     <path fill-rule="evenodd" d="M7.293 14.707a1 1 0 010-1.414L10.586 10 7.293 6.707a1 1 0 011.414-1.414l4 4a1 1 0 010 1.414l-4 4a1 1 0 01-1.414 0z" clip-rule="evenodd" />                                 </svg>
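Review bot: the page links and the next-page link lose `relative` and `focus:z-10` but keep `-ml-px`, so adjacent items still overlap by one pixel while a focused link can no longer raise itself above its neighbour. Check that the `focus:ring` / `focus:border-blue-300` outline stays fully visible on the overlapping edge for keyboard users, or keep `focus:z-10` together with `relative` on the anchors. In the hunk that touches the "Showing" paragraph, `dark:text-gray-400` becomes `dark:text-gray-600`, which is darker text in dark mode and deserves a contrast check against the page background.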
AI Analysis
Vulnerability Existed: no  
No vulnerability - N/A - src/Illuminate/Pagination/resources/views/tailwind.blade.php [all lines]  
Old Code: The entire file before changes (cosmetic updates only).  
Fixed Code: The entire file after changes (cosmetic updates only).  

Explanation:  
The diff contains only cosmetic changes, such as updates to CSS classes, the addition of `rel="prev"` and `rel="next"` attributes for SEO and accessibility, and minor structural adjustments. All user-facing outputs use Blade templating with appropriate escaping:  
- URLs in `href` attributes are escaped with `{{ }}`, preventing XSS.  
- Unescaped outputs `{!! !!}` are used only for translation strings (e.g., `__('pagination.previous')`), which are not user-controlled and are defined in application language files.  
- Page numbers and other data are escaped with `{{ }}`.  
No user input reaches any sink unescaped, and no security vulnerabilities are introduced or fixed in this diff.
src/Illuminate/Support/Facades/View.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Support/Facades/View.php	2025-11-13 02:14:13.365216173 +0000+++ cache/framework_v12.39.0/src/Illuminate/Support/Facades/View.php	2025-11-18 17:17:33.815509664 +0000@@ -78,6 +78,7 @@  * @method static void startPrepend(string $section, string $content = '')  * @method static string stopPrepend()  * @method static string yieldPushContent(string $section, string $default = '')+ * @method static bool isStackEmpty(string $section)  * @method static void flushStacks()  * @method static void startTranslation(array $replacements = [])  * @method static string renderTranslation()
AI Analysis
Vulnerability Existed: no  
None - N/A - src/Illuminate/Support/Facades/View.php 78  
Old Code:  
```php
 * @method static string yieldPushContent(string $section, string $default = '')
 * @method static void flushStacks()
```  
Fixed Code:  
```php
 * @method static string yieldPushContent(string $section, string $default = '')
 * @method static bool isStackEmpty(string $section)
 * @method static void flushStacks()
```  

Explanation:  
The change only adds a docblock method for `isStackEmpty`. This is documentation and does not affect the runtime code or introduce any vulnerability. No code logic is modified, so there is no entry point for user input or sink involved in this diff. The addition is purely for IDE autocompletion and does not alter the behavior of the facade or its underlying implementation.
src/Illuminate/Testing/Concerns/TestDatabases.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/Testing/Concerns/TestDatabases.php	2025-11-13 02:14:13.370216494 +0000+++ cache/framework_v12.39.0/src/Illuminate/Testing/Concerns/TestDatabases.php	2025-11-18 17:17:33.818509856 +0000@@ -20,6 +20,13 @@     protected static $schemaIsUpToDate = false;      /**+     * The root database name prior to concatenating the token.+     *+     * @var null|string+     */+    protected static $originalDatabaseName = null;++    /**      * Boot a test database.      *      * @return void@@ -186,6 +193,12 @@      */     protected function testDatabase($database)     {+        if (! isset(self::$originalDatabaseName)) {+            self::$originalDatabaseName = $database;+        } else {+            $database = self::$originalDatabaseName;+        }+         $token = ParallelTesting::token();          return "{$database}_test_{$token}";
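Review bot: in the `testDatabase()` hunk, the `else` branch replaces `$database` with `self::$originalDatabaseName`, so after the first call the argument is ignored for the lifetime of the process. If the method is ever called with a different base name, it silently returns the first name plus the token, and nothing in the docblock on `$originalDatabaseName` says that the first value wins. Consider keying the cached name by the incoming value (or by connection), or stripping an existing `_test_{$token}` suffix instead of caching, and state the chosen behaviour in the property docblock.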
AI Analysis
Vulnerability Existed: no  
No specific CWE identified - The change involves internal consistency in test database naming without security implications.  
Old Code:  
```php
protected function testDatabase($database)
{
    $token = ParallelTesting::token();

    return "{$database}_test_{$token}";
}
```  
Fixed Code:  
```php
protected function testDatabase($database)
{
    if (! isset(self::$originalDatabaseName)) {
        self::$originalDatabaseName = $database;
    } else {
        $database = self::$originalDatabaseName;
    }

    $token = ParallelTesting::token();

    return "{$database}_test_{$token}";
}
```  

Explanation:  
The modification introduces a static variable to cache the original database name, ensuring it remains consistent across multiple method calls. The `$database` parameter is derived from internal configuration or test setup, not from user input, and there is no evidence it reaches any vulnerable sink (e.g., SQL queries). The returned string is used for test database naming, and Laravel's database layer handles such names safely without direct interpolation into SQL. No sanitization bypass or injection vulnerability is present or introduced.
src/Illuminate/View/Compilers/Concerns/CompilesConditionals.php AI: No analysis
--- cache/framework_v12.38.1/src/Illuminate/View/Compilers/Concerns/CompilesConditionals.php	2025-11-13 02:14:13.376216880 +0000+++ cache/framework_v12.39.0/src/Illuminate/View/Compilers/Concerns/CompilesConditionals.php	2025-11-18 17:17:33.825510306 +0000@@ -138,6 +138,17 @@     }      /**+     * Compile the has-stack statements into valid PHP.+     *+     * @param  string  $expression+     * @return string+     */+    protected function compileHasStack($expression)+    {+        return "<?php if (! \$__env->isStackEmpty{$expression}): ?>";+    }++    /**      * Compile the section-missing statements into valid PHP.      *      * @param  string  $expression
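Review bot: `compileHasStack()` appends `$expression` directly after `isStackEmpty` without checking that it is present. When the directive is written without an argument, the compiled line is `if (! $__env->isStackEmpty):`, which reads an undefined property instead of calling the method, so the condition is evaluated against that property rather than against the stack. Consider rejecting an empty expression at compile time. Because the expression is emitted verbatim into the compiled PHP, the docblock should also say that the argument is expected to be a template-author literal.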
src/Illuminate/View/Concerns/ManagesStacks.php AI: No vulnerabilities 1 true positive
--- cache/framework_v12.38.1/src/Illuminate/View/Concerns/ManagesStacks.php	2025-11-13 02:14:13.378217008 +0000+++ cache/framework_v12.39.0/src/Illuminate/View/Concerns/ManagesStacks.php	2025-11-18 17:17:33.828510498 +0000@@ -148,7 +148,7 @@      */     public function yieldPushContent($section, $default = '')     {-        if (! isset($this->pushes[$section]) && ! isset($this->prepends[$section])) {+        if ($this->isStackEmpty($section)) {             return $default;         } @@ -166,6 +166,14 @@     }      /**+     * Determine if the stack has any content in it.+     */+    public function isStackEmpty(string $section): bool+    {+        return ! isset($this->pushes[$section]) && ! isset($this->prepends[$section]);+    }++    /**      * Flush all of the stacks.      *      * @return void
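Review bot: the docblock on the new `isStackEmpty()` reads "Determine if the stack has any content in it", which is the opposite of what the method returns (true when neither `pushes` nor `prepends` has an entry for the section). Reword it to match the method name, and add `@param` and `@return` tags in line with the neighbouring "Flush all of the stacks" docblock, which carries `@return void`. It is also worth stating that the check is `isset()` on the section key, so a section that was pushed with empty content still counts as non-empty.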
AI Analysis
Vulnerability Existed: no  
CWE Name - CWE ID - File Lines: Not applicable  
Old Code:  
```php
if (! isset($this->pushes[$section]) && ! isset($this->prepends[$section])) {
```  
Fixed Code:  
```php
if ($this->isStackEmpty($section)) {
```  

Explanation:  
The diff refactors the condition for checking if a stack is empty by extracting it into a new method `isStackEmpty`. The logic remains identical: it checks if `$section` exists in `$this->pushes` or `$this->prepends`. The sink is the return value of `yieldPushContent`, which may output content from stacks or the default value. User input could enter via `$default` parameter or content in `pushes`/`prepends` arrays, but the diff does not alter the data flow, validation, or sanitization of these values. The change is purely structural and does not introduce or fix any security vulnerability. Taint tracing shows no change in how user-controlled data reaches the sink, and no specific bypass or exploit is enabled by this modification.