
Revisit Update Illuminate Database library for GHSA-3p32-j457-pg5x (#6632) #6718

@asmecher

Issue Description

OJS, OMP, and OPS use the 3rd-party Illuminate/Database package for database interactions. Recently a potential vulnerability in this package was published: GHSA-3p32-j457-pg5x.

The original fix for this issue was applied in #6632 and released in OJS/OMP/OPS 3.2.1-3 and 3.3.0-2. However, apparently the previous fix was not complete -- see laravel/framework#35865 (comment). This has led to another release of illuminate/database with an additional fix applied.
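The advisory's "binding array issue" is a positional-parameter problem: when a value that should be a scalar arrives as an array and is spliced into the binding list, every placeholder after it receives the wrong value. The following Python sketch is an added illustration of that defect class and of the check that closes it; it is not Laravel's or PKP's code, the SQL and bindings are constructed, and the function names are the author's own.

```python
import re

# Constructed query for the demonstration (not from OJS or Laravel).
SQL = "select * from users where id = ? and role = ?"


def count_placeholders(sql):
    """Count positional '?' placeholders, ignoring any inside single-quoted literals."""
    stripped = re.sub(r"'(?:[^']|'')*'", "", sql)  # drop 'literals' (with '' escapes)
    return stripped.count("?")


def flatten_bindings(bindings):
    """Permissive behaviour: a list found among the bindings is spliced into the
    positional list, so one array value occupies several placeholder slots."""
    flat = []
    for value in bindings:
        if isinstance(value, (list, tuple)):
            flat.extend(flatten_bindings(value))
        else:
            flat.append(value)
    return flat


def pair_positionally(sql, bindings):
    """Return (values the placeholders would receive, surplus count) after flattening.
    A non-zero surplus or a shifted pairing is the symptom the advisory describes."""
    flat = flatten_bindings(bindings)
    n = count_placeholders(sql)
    return flat[:n], len(flat) - n


def validate_bindings(sql, bindings):
    """Hardened behaviour: every binding must be a scalar and the count must equal
    the number of placeholders. Raises instead of silently reshaping the query."""
    for i, value in enumerate(bindings):
        if isinstance(value, (list, tuple, dict, set)):
            raise TypeError(f"binding {i} is a {type(value).__name__}, expected a scalar")
    n = count_placeholders(sql)
    if len(bindings) != n:
        raise ValueError(f"{len(bindings)} bindings supplied for {n} placeholders")
    return list(bindings)


def binding_error(sql, bindings):
    """Name of the exception validate_bindings raises, or None when the bindings are sound."""
    try:
        validate_bindings(sql, bindings)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    # Request input that should have been a single id arrived as a list.
    print(pair_positionally(SQL, [[7, "manager"], "reader"]))  # role slot now gets "manager"
    print(binding_error(SQL, [[7, "manager"], "reader"]))       # hardened path rejects it
```

The practical takeaway for application code is the same as the advisory's: cast or validate request parameters to their expected scalar type before they reach the query builder, and treat a binding count that does not match the placeholder count as an error rather than something to be reconciled by the driver.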

Affected releases

PKP has not definitively confirmed whether its software can be attacked using this mechanism, but out of an abundance of caution recommends resolving it.

  • OJS, OMP, and OPS 3.3.0-3 and newer are not affected.
  • OJS, OMP, and OPS 3.2.1-4 and newer are not affected.
  • OJS, OMP, and OPS 3.3.0-0 (RC1), 3.3.0-1 (RC2), and 3.3.0-2 (OJS 3.3.0) may be affected.
  • OJS, OMP, and OPS 3.2.0 (all builds), 3.2.1-0, 3.2.1-1, 3.2.1-2, and 3.2.1-3 may be affected.
  • All builds of OJS and OMP 3.1.1, and 3.1.2 may be affected.
  • All builds of OJS 3.1.0 may be affected.
  • OMP 3.1.0 and older are not affected. OJS 3.0.2 and older are not affected.

Resolution

The best way to resolve this issue is to use the latest releases of OJS, OMP, or OPS. This issue is resolved in 3.3.0-3 and 3.2.1-4. For older releases, the issue can be corrected following the instructions below.

Check your OJS/OMP/OPS code version by looking in dbscripts/xml/version.xml.
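As an added helper that is not part of this issue, the script below reads the contents of dbscripts/xml/version.xml and applies the "Affected releases" list above. The element names (`<application>`, `<release>`), the `ojs2` application id and the dotted four-part release string are assumptions about the file's layout; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of dbscripts/xml/version.xml; element names and release
# format are assumed, not taken from the issue text.
SAMPLE_VERSION_XML = """<version>
  <application>ojs2</application>
  <type>core</type>
  <release>3.2.1.3</release>
  <tag>ojs-3_2_1-3</tag>
</version>
"""


def parse_version_xml(text):
    """Return (application, (major, minor, patch, build)) from version.xml text.
    Trailing digits are stripped from the application id ('ojs2' -> 'ojs')."""
    root = ET.fromstring(text)
    app = root.findtext("application", default="").strip().rstrip("0123456789").lower()
    parts = [int(p) for p in root.findtext("release", default="0").strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return app, tuple(parts[:4])


def is_affected(app, release):
    """Apply the issue's affected-release list; release is (major, minor, patch, build)."""
    major, minor, patch, build = release
    base = (major, minor, patch)
    if base >= (3, 3, 0):
        # 3.3.0-0 (RC1), 3.3.0-1 (RC2) and 3.3.0-2 may be affected; 3.3.0-3 and newer are not
        return base == (3, 3, 0) and build <= 2
    if base == (3, 2, 1):
        return build <= 3  # 3.2.1-0 through 3.2.1-3 may be affected; 3.2.1-4 and newer are not
    if base == (3, 2, 0):
        return True        # 3.2.0, all builds
    if (major, minor) == (3, 1):
        if patch in (1, 2):
            return app in ("ojs", "omp")  # all builds of OJS and OMP 3.1.1 and 3.1.2
        if patch == 0:
            return app == "ojs"           # all builds of OJS 3.1.0; OMP 3.1.0 is not affected
        return False
    return False           # OJS 3.0.2 and older, OMP 3.1.0 and older


def report(text):
    """Human-readable verdict for one version.xml document."""
    app, release = parse_version_xml(text)
    label = "-".join(str(p) for p in release[:3]).replace("-", ".", 2)
    verdict = "may be affected" if is_affected(app, release) else "not affected"
    return f"{app.upper()} {label}-{release[3]}: {verdict}"


if __name__ == "__main__":
    print(report(SAMPLE_VERSION_XML))
```

Run it against the real file with `python3 check_version.py < dbscripts/xml/version.xml` after replacing the sample constant with `sys.stdin.read()`; the verdict only tells you whether the release line is in scope, so a "may be affected" result still calls for the Composer confirmation output shown in the Resolution steps.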

OJS/OMP/OPS 3.3.0-0 (RC1), 3.3.0-1 (RC2), 3.3.0-2 (3.3.0)

To resolve this issue, use Composer:

cd lib/pkp
composer require laravel/framework:7.30.4

You should see the following confirmation that 7.30.4 has been installed and patched:

Gathering patches for dependencies. This might take a minute.
  - Updating laravel/framework (v7.30.3 => v7.30.4): Downloading (100%)         
  - Applying patches for laravel/framework
    lib/laravel-helper-4017.diff (Inhibit __ Laravel helper)

If you see this, the issue is resolved!

Affected versions of OJS/OMP/OPS 3.2.1 or older

If you are using OJS/OMP/OPS 3.2.1-3, then only the steps below are necessary. Otherwise, you must apply the changes documented in #6632 before following the instructions below.

When applying patches, it is always recommended to use the --dry-run option first to ensure that the patch will apply cleanly.

Correction Using Composer (recommended)

Depending on your version of OJS, OMP, or OPS, use one of the following patch URLs in the instructions below in place of PATCH URL HERE:

To apply the fix:

  1. Patch the Composer configuration file:

    cd lib/pkp
    wget -O - -q "PATCH URL HERE" | patch -p1

    You should see the following output:

    patching file composer.json
    patching file lib/laravel-binding-6718.diff
    
  2. Run Composer to apply the patch:

    composer install

    You should see the following output:

    Gathering patches for dependencies. This might take a minute.
    - Installing illuminate/database (v5.8.36): Loading from cache
    - Applying patches for illuminate/database
      lib/laravel-binding-6632.diff (Patch Laravel binding array issue)
      lib/laravel-binding-6718.diff (Patch Laravel binding array issue v2)
    

    This indicates that two patches were successfully applied. If you see this, the issue is resolved.

Correction By Patching Illuminate/Database Directly

This method involves modifying a dependency, and re-running Composer may cause the changes to be reverted. For this reason it's preferable to use the Composer-based update method documented above.

Depending on your version of OJS, OMP, or OPS, use one of the following patch URLs in the instructions below in place of PATCH URL HERE:

To directly patch the issue:

cd lib/pkp/lib/vendor/illuminate/database
wget -q -O - "PATCH URL HERE" | patch -p4 --dry-run

You should see the following output:

patching file Query/Builder.php

This indicates that the patch applies cleanly. Because --dry-run only tests the patch without writing anything, re-run the same command without --dry-run to apply it; once the real run shows the same output, the issue is resolved.
