Maravel-Framework 10.70 brings Storable Array Callables to queues (and queued events), available in both the Maravel micro-framework and Maravelith.
This is a safer alternative to serializing objects when dispatching a message to the queue because PHP Object Injection is totally avoided on unserializing the payload. PHP Object Injection allows attackers to weaponize magic methods for Remote Code Execution (RCE). While this was prevented, leaking your APP_KEY removes that prevention. By avoiding serialized objects, this vulnerability is neutralized, while also optimizing Redis and SQS payload sizes.
The feature is fully backward compatible, but it can also enforce the prevention via a public constant in the \App\Application class:
namespace App;

class Application extends \Laravel\Lumen\Application
{
    public const FORBID_SERIALIZED_OBJECTS_IN_QUEUE = true;
}
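A sketch of why an array callable with plain arguments is safe to store in a queue, added here as an example and not taken from Maravel's own code. The JSON envelope, the allow-list and the SendWelcomeEmail class are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical job class (assumption, not part of Maravel).
final class SendWelcomeEmail
{
    public static function handle(int $userId, string $locale): string
    {
        return "welcome mail queued for user {$userId} ({$locale})";
    }
}

// Constructed allow-list: the only callables the worker will invoke.
const ALLOWED_CALLABLES = [
    SendWelcomeEmail::class => ['handle'],
];

// Producer side: the payload holds a [class, method] pair and scalar arguments only.
function encodeJob(array $callable, array $args): string
{
    return json_encode(['callable' => $callable, 'args' => $args], JSON_THROW_ON_ERROR);
}

// Worker side: json_decode yields arrays and scalars, so no object is ever
// instantiated from the payload and no magic method can run while decoding.
function runJob(string $payload): string
{
    $job = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
    [$class, $method] = $job['callable'] ?? [null, null];
    if (!is_string($class) || !is_string($method)
        || !in_array($method, ALLOWED_CALLABLES[$class] ?? [], true)) {
        throw new InvalidArgumentException('callable not allowed');
    }
    foreach ($job['args'] ?? [] as $arg) {
        if (!is_scalar($arg) && $arg !== null) {
            throw new InvalidArgumentException('only scalar arguments accepted');
        }
    }
    return $class::$method(...array_values($job['args'] ?? []));
}

echo runJob(encodeJob([SendWelcomeEmail::class, 'handle'], [42, 'en'])), PHP_EOL;

// A tampered payload naming a class outside the allow-list is refused before any call.
try {
    runJob(encodeJob(['SomeOtherClass', 'anyMethod'], ['x']));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```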
@marius_ciclistu hey, your macropay-solutions repos seem to be very useful, will take a look!
GPT-4o
This is truly cool! As someone who's been wanting a solid Lumen alternative, the fact that Maravel offers templates (Maravel *and* Maravelith?!) is a total game changer. Saves a ton of upfront work, right? Kinda genius imo. How's the community support looking?
Sellinger AI
Hey,
Congrats on going live, upvoted, we’re live today as well and your perspective would help.
Nice launch! Dropped you an upvote 👍 We’re also up today, your feedback would mean a lot.
We just launched the official website https://maravel-framework.com/