Laravel のセキュリティはどうなってる？突撃ソースコードリーディング（PHPカンファレンス福岡2024）

Transcript

1. 
   1)1
   $POGFSFODF
   'VLVPLB
    -BSBWFM
   ͷηΩϡϦςΟ͸Ͳ͏ͳͬͯΔʁ ಥܸιʔείʔυϦʔσΟϯάɻ CZ
   3PLV
   !BEKQ

2. ࣗݾ঺հ

3. ࣗݾ঺հ ϓϩϑΟʔϧ w3PLV
   w1)1FSྺ೥͘Β͍
   wגࣜձࣾ"%
   ୅ද
   wژ౎෎ग़਎ɺେࡕࢢࡏॅ
   wొ࿥ηΩεϖ
   wғޟɺ͓ञ !BEKQ ୈ

   025290 ߸

4. ࣗݾ঺հ աڈͷτʔΫ 1)1FS,BJHJ
    1)1FS,BJHJ
   

5. ຊ೔ͷΞδΣϯμ

6. ࠓճͷझࢫ ͳͥ
   -BSBWFM
   ͷηΩϡϦςΟΛֶͿͷ͔ w-BSBWFM
   ͕΍͍ͬͯΔ͜ͱɺ΍͍ͬͯͳ͍͜ͱΛ஌Δɻ
   
   ˠ
   ๻Βʢ࣮૷ऀʣ͕΍Δ͜ͱΛਖ਼͘͠஌Δɻ

7. ࠓճͷझࢫ ਐΊํ w8FCΞϓϦέʔγϣϯͷओཁͳ੬ऑੑΛɺͻͱͭͣͭ
   -BSBWFM
   ʹ౰ͯ͸Ίͯ֬ೝ͢Δɻ
   wυΩϡϝϯτͰ͸ͳ͘ɺιʔείʔυϨϕϧͰ֬ೝ͢Δ

8. ࠓճͷझࢫ ओཁͳ੬ऑੑ w*1"ʮ҆શͳ΢ΣϒαΠτͷ ࡞Γํʢվఆୈ̓൛ʣʯ
   wʮ
   ΢ΣϒΞϓϦέʔγϣ ϯͷηΩϡϦςΟ࣮૷ʯʹ ܝࡌ͞Ε͍ͯΔݸͷ੬ऑ ੑʹ͍ͭͯ৮Ε·͢ɻ

9. ࠓճͷझࢫ ݸͷ੬ऑੑ 
   42-
   ΠϯδΣΫγϣϯ
   
   04
   ίϚϯυɾΠϯδΣΫγϣϯ
   
   ύε໊ύϥϝʔλͷະνΣοΫσΟ ϨΫτϦɾτϥόʔαϧ
   

   
   ηογϣϯ؅ཧͷෆඋ
   
   ΫϩεαΠτɾεΫϦϓςΟϯά 
   $43' ΫϩεαΠτɾϦΫΤε τɾϑΥʔδΣϦ
   
   )551
   ϔομɾΠϯδΣΫγϣϯ
   
   ϝʔϧϔομɾΠϯδΣΫγϣϯ
   
   ΫϦοΫδϟοΩϯά
   
   όοϑΝΦʔόʔϑϩʔ
   
   ΞΫηε੍ޚ΍ೝՄ੍ޚͷܽམ

10. ࠓճͷझࢫ ࠓ೔஻Βͳ͍͜ͱ w֤੬ऑੑͷৄࡉͳઆ໌
    ˠ
    ಙؙຊಡΜͰͶɻ

11. 
    42-
    ΠϯδΣΫγϣϯ

12. 42-ΠϯδΣΫγϣϯ ֓ཁ w໰୊ͷ͋Δ
    42-
    จͷ૊ΈཱͯʹΑΓɺ߈ܸʹΑΔσʔλ ϕʔεͷෆਖ਼ૢ࡞Λ·Ͷ͘੬ऑੑɻ $user_name = $_GET['user_name']; $sql = "select

    * from users where user_name = '" . $user_name . "'"; $pdo->query($sql); ྫ $_GET[‘user_name’] = “a’; drop users; select ‘a”

13. 42-ΠϯδΣΫγϣϯ جຊతͳରࡦ wಈతͳ42-ͷ૊Έཱͯʹ͸ɺϓϨʔεϗϧμʔΛ༻͍Δɻ
    ·ͨ͸ɺ਺஋౳΁ͷΩϟετ΍ݕূΛ࣮֬ʹߦ͏ɻ $user_name = $_GET['user_name']; $sql = "select

    * from users where user_name = ?"; $pdo->prepare($sql)->execute([$user_name]);

14. 42-ΠϯδΣΫγϣϯ -BSBWFM
    ͷ৔߹ᶃ User::query() ->where('user_name', '=', $request->user_name) ->get(); ͜Ε͸໰୊ͳ͍ʁ

15. 42-ΠϯδΣΫγϣϯ -BSBWFM
    ͷ৔߹ᶃ User::query() ->where('user_name', '=', $request->user_name) ->get();

16. 42-ΠϯδΣΫγϣϯ a*MMVNJOBUFa%BUBCBTFa&MPRVFOUa#VJMEFSXIFSF public function where($column, $operator = null, $value =

    null, $boolean = 'and') { if ($column instanceof Closure && is_null($operator)) { // ུ } else { $this->query->where(...func_get_args()); } return $this; }

17. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa#VJMEFSXIFSF public function where($column, $operator = null, $value =

    null, $boolean = 'and') { // ུ $type = 'Basic'; $this->wheres[] = compact( 'type', 'column', 'operator', 'value', 'boolean' ); // ུ return $this; } ͜͜Ͱ͸ϓϩύςΟ $wheres ʹ [“type” => “Basic”, “column” => “user_name”, “operator” => “=”, “value” => ೖྗ஋, …] ͱ͍͏஋ΛೖΕ͍ͯΔ͚ͩɻ

18. 42-ΠϯδΣΫγϣϯ -BSBWFM
    ͷ৔߹ᶃ User::query() ->where('user_name', '=', $request->user_name) ->get();

19. 42-ΠϯδΣΫγϣϯ a*MMVNJOBUFa%BUBCBTFa&MPRVFOUa#VJMEFSHFU public function get($columns = ['*']) { $builder =

    $this->applyScopes(); if (count($models = $builder->getModels($columns)) > 0) { $models = $builder->eagerLoadRelations($models); } return $builder->getModel()->newCollection($models); }

20. 42-ΠϯδΣΫγϣϯ a*MMVNJOBUFa%BUBCBTFa&MPRVFOUa#VJMEFSHFU.PEFMT public function getModels($columns = ['*']) { return $this->model->hydrate(

    $this->query->get($columns)->all() )->all(); }

21. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa#VJMEFSHFU public function get($columns = ['*']) { return collect(

    $this->onceWithColumns( Arr::wrap($columns), function () { return $this->processor->processSelect( $this, $this->runSelect() ); }) ); }

22. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa#VJMEFSSVO4FMFDU protected function runSelect() { return $this->connection->select( $this->toSql(), $this->getBindings(),

    ! $this->useWritePdo ); }

23. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa#VJMEFSUP4RM public function toSql() { $this->applyBeforeQueryCallbacks(); return $this->grammar->compileSelect($this); }

24. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa(SBNNBSTa(SBNNBSDPNQJMF4FMFDU public function compileSelect(Builder $query) { // ུ $sql

    = trim($this->concatenate( $this->compileComponents($query)) ); // ུ return $sql; }

25. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa(SBNNBSTa(SBNNBSDPNQJMF$PNQPOFOUT protected function compileComponents(Builder $query) { $sql = [];

    foreach ($this->selectComponents as $component) { if (isset($query->$component)) { $method = 'compile'.ucfirst($component); $sql[$component] = $this->$method( $query, $query->$component ); } } return $sql; } compileWhere()

26. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa(SBNNBSTa(SBNNBSDPNQJMF8IFSFT public function compileWheres(Builder $query) { // ུ if

    (count($sql = $this->compileWheresToArray($query)) > 0) { return $this->concatenateWhereClauses($query, $sql); } return ''; }

27. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa(SBNNBSTa(SBNNBSDPNQJMF8IFSFT5P"SSBZ protected function compileWheresToArray($query) { return collect($query->wheres)->map( function ($where)

    use ($query) { return $where['boolean'].' ‘. $this->{"where{$where['type']}"}($query, $where); } )->all(); } whereBasic()

28. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa(SBNNBSTa(SBNNBSXIFSF#BTJD protected function whereBasic(Builder $query, $where) { $value =

    $this->parameter($where['value']); $operator = str_replace('?', '??', $where['operator']); return $this->wrap($where['column']).' '.$operator.' '.$value; } “user_name = ?” ͕ return ͞ΕΔ ʹ ϓϨʔεϗϧμ͕࢖ΘΕ͍ͯΔʂ public function parameter($value) { return $this->isExpression($value) ? $this->getValue($value) : '?'; }

29. 42-ΠϯδΣΫγϣϯ -BSBWFM
    ͷ৔߹ᶄ User::query() ->whereRaw( 'concat(first_name, last_name) like "%' . $request->user_name

    . '%"' ) ->get();

30. 42-ΠϯδΣΫγϣϯ -BSBWFM
    ͷ৔߹ᶄ User::query() ->whereRaw( 'concat(first_name, last_name) like "%' . $request->user_name

    . '%"' ) ->get();

31. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa&MPRVFOUa#VJMEFS@@DBMM public function __call($method, $parameters) { // ུ $this->forwardCallTo($this->query,

    $method, $parameters); return $this; }

32. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa#VJMEFSXIFSF3BX public function whereRaw($sql, $bindings = [], $boolean =

    'and') { $this->wheres[] = ['type' => 'raw', 'sql' => $sql, 'boolean' => $boolean]; $this->addBinding((array) $bindings, 'where'); return $this; } ࠓ౓͸ϓϩύςΟ $wheres ʹ [“type” => “raw”, “sql” => ‘concat("first_name", "last_name") like “%ೖྗ஋%”’, …] ͱɺೖྗ஋ΛؚΉSQL͕ͦͷ··ೖΔɻ

33. 42-ΠϯδΣΫγϣϯ -BSBWFM
    ͷ৔߹ᶄ User::query() ->whereRaw( 'concat(first_name, last_name) like "%' . $request->user_name

    . '%"' ) ->get();

34. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa(SBNNBSTa(SBNNBSDPNQJMF8IFSFT5P"SSBZ protected function compileWheresToArray($query) { return collect($query->wheres)->map( function ($where)

    use ($query) { return $where['boolean'].' ‘. $this->{"where{$where['type']}"}($query, $where); } )->all(); } whereRaw() ※్த·Ͱ͸͖ͬ͞ͱಉ͡ͳͷͰলུ

35. 42-ΠϯδΣΫγϣϯ *MMVNJOBUFa%BUBCBTFa2VFSZa(SBNNBSTa(SBNNBSXIFSF3BX protected function whereRaw(Builder $query, $where) { return $where['sql'];

    } concat(“first_name", "last_name") like “%ೖྗ஋%” ͕ͦͷ·· return ͞ΕΔʂ ʹ SQLΠϯδΣΫγϣϯ͕੒ཱ

36. 42-ΠϯδΣΫγϣϯ ͜Ε͕ਖ਼ղ User::query() ->whereRaw( 'concat(first_name, last_name) like ?', ['%' .

    $request->user_name . '%'] ) ->get();

37. 42-ΠϯδΣΫγϣϯ -BSBWFM
    ͕΍͍ͬͯΔ͜ͱ w#VJMEFSXIFSF
    ͷୈҾ਺ʢҾ਺ͭͷ৔߹͸ୈҾ਺ʣ ʹೖΕͨ஋͸ɺϓϨʔεϗϧμʹม׵ͯ͘͠ΕΔɻ
    wͨͩ͠ɺୈҾ਺͕
    &YQSFTTJPO
    %#SBX
    ͳͲ
    ͷ৔߹ ͸ྫ֎ɻ

38. 42-ΠϯδΣΫγϣϯ ๻Β͕΍Δ͜ͱ wXIFSF3BX
    TFMFDU3BX
    PSEFS#Z3BX
    %#SBX
    

    ͳͲΛ࢖༻͢Δࡍ͸ɺೖྗ஋Λͦͷ··ೖΕͣʹϓϨʔε ϗϧμʹ͠ɺೖྗ஋͸ୈҾ਺
    CJOEJOHT
    ʹ౉͔͢ɺࣗ ྗͰαχλΠζ͢Δɻ

39. 42-ΠϯδΣΫγϣϯ ͜Ε͸େৎ෉ʁ User::query() ->orderBy($request->orderby, $request->order) ->limit($request->limit) ->get();

40. 
    04
    ίϚϯυΠϯδΣΫγ ϣϯ

41. 04ίϚϯυΠϯδΣΫγϣϯ ֓ཁ wϓϩάϥϜ͔Β
    04
    ίϚϯυΛ࣮ߦ͍ͯ͠Δ৔߹ɺίϚϯ υͷ૊Έཱͯͷ໰୊ʹΑΓɺ߈ܸऀ͕ѱҙ͋ΔίϚϯυΛ ࣮ߦͰ͖ͯ͠·͏੬ऑੑɻ exec("ffmpeg -f mp4 -i {$file}");

42. 04ίϚϯυΠϯδΣΫγϣϯ Ұൠతͳରࡦ wಈతʹ04ίϚϯυΛ࣮ߦ͢Δ৔߹͸ɺҾ਺Λे෼ʹνΣ οΫɺ΋͘͠͸Τεέʔϓ͢Δɻ $file = escapeshellarg($file); exec("ffmpeg -f mp4

    -i {$file}");

43. 04ίϚϯυΠϯδΣΫγϣϯ -BSBWFM
    ͕΍͍ͬͯΔ͜ͱ wԿ΋ͯ͘͠Ε·ͤΜ
    wͨͩ͠ɺ"SUJTBODBMM
    ͷୈҾ਺ʹؔͯ͠͸ɺ FTDBQFTIFMMBSH
    Λ΍ͬͯ͘Ε͍ͯΔɻ

44. 04ίϚϯυΠϯδΣΫγϣϯ ๻Β͕΍Δ͜ͱ wಈతʹ04ίϚϯυΛ࣮ߦ͢Δ৔߹͸ɺҾ਺Λे෼ʹνΣ οΫɺ΋͘͠͸Τεέʔϓ͢Δɻ

45. 
    σΟϨΫτϦɾτϥόʔα ϧ

46. σΟϨΫτϦɾτϥόʔαϧ ֓ཁ w֎෦͔Βͷύϥϝʔλ΍63*ʹԠͯ͡ಈతʹϑΝΠϧΛಡ ΈࠐΜͰ͍Δ৔߹ʹɺ߈ܸʹΑͬͯҙਤ͠ͳ͍ϑΝΠϧΛ Ӿཡ͞Εͯ͠·͏໰୊ɻ readfile("storage/" . $_GET['file']); ྫ $_GET[‘file’]

    = “../.env”

47. σΟϨΫτϦɾτϥόʔαϧ Ұൠతͳରࡦ wϑΝΠϧ໊Λύϥϝʔλ౳Ͱࢦఆ͢ΔઃܭΛආ͚Δɻ
    ઃܭ্΍ΉΛಘͳ͍৔߹ɺݻఆͷσΟϨΫτϦΛࢦఆ͠ɺ ύϥϝʔλʹσΟϨΫτϦؚ͕·Εͳ͍Α͏ʹ͢Δɻ
    readfile("storage/" . basename($_GET['file']));

48. σΟϨΫτϦɾτϥόʔαϧ -BSBWFM
    ͷ৔߹ Storage::get($request->file);

49. σΟϨΫτϦɾτϥόʔαϧ *MMVNJOBUFa'JMFTZTUFNa'JMFTZTUFN"EBQUFSHFU public function get($path) { try { return $this->driver->read($path);

    } catch (UnableToReadFile $e) { throw_if($this->throwsExceptions(), $e); } }

50. σΟϨΫτϦɾτϥόʔαϧ -FBHVFa'MZTZTUFNa'JMFTZTUFNSFBE public function read(string $location): string { return $this->adapter->read(

    $this->pathNormalizer->normalizePath($location) ); } ※ ඪ४ͷ “local” σΟεΫͷ৔߹ɺ ɹ$pathNormalizer ͸ɺ ɹLeague\Flysystem\WhitespacePathNormalizer

51. σΟϨΫτϦɾτϥόʔαϧ -FBHVFa'MZTZTUFNa8IJUFTQBDF1BUI/PSNBMJ[FSOPSNBMJ[F1BUI public function normalizePath(string $path): string { $path =

    str_replace('\\', '/', $path); $this->rejectFunkyWhiteSpace($path); return $this->normalizeRelativePath($path); }

52. σΟϨΫτϦɾτϥόʔαϧ -FBHVFa'MZTZTUFNa8IJUFTQBDF1BUI/PSNBMJ[FSSFKFDU'VOLZ8IJUF4QBDF private function rejectFunkyWhiteSpace(string $path): void { if (preg_match('#\p{C}+#u',

    $path)) { throw CorruptedPathDetected::forPath($path); } } ύεʹ੍ޚจࣈؚ͕·Ε͍ͯͨΒྫ֎Λ౤͛Δʂ

53. σΟϨΫτϦɾτϥόʔαϧ -FBHVFa'MZTZTUFNa8IJUFTQBDF1BUI/PSNBMJ[FSOPSNBMJ[F3FMBUJWF1BUI private function normalizeRelativePath(string $path): string { $parts =

    []; foreach (explode('/', $path) as $part) { switch ($part) { // ུ case '..': if (empty($parts)) { throw PathTraversalDetected::forPath($path); } array_pop($parts); break; // ུ } } return implode('/', $parts); } ύεʹ .. ͕͋Ε͹ྫ֎Λ౤͛Δʢ·ͨ͸আڈʣ

54. σΟϨΫτϦɾτϥόʔαϧ -BSBWFM
    ͕΍͍ͬͯΔ͜ͱ wύεͷதʹ੍ޚจࣈ΍
    
    ͕͋Ε͹ྫ֎Λεϩʔ͢Δ

55. σΟϨΫτϦɾτϥόʔαϧ ๻Β͕΍Δ͜ͱ wϑΝΠϧૢ࡞͸ՄೳͳݶΓ
    -BSBWFM
    ͷ
    4UPSBHF
    Λ࢖༻͢Δɻ
    wͦ΋ͦ΋ϑΝΠϧ໊Λύϥϝʔλ౳Ͱࢦఆ͢ΔઃܭΛආ͚Δɻ
    wઃܭ্΍ΉΛಘͳ͍৔߹ɺݻఆͷσΟϨΫτϦΛࢦఆ͠ɺύϥ ϝʔλʹσΟϨΫτϦؚ͕·Εͳ͍Α͏ʹ͢Δɻ
    ಛʹ
    1)1
    ඪ४ͷϑΝΠϧૢ࡞ؔ਺Λ࢖༻ͤ͟ΔΛಘͳ͍৔߹ ͸ཁ஫ҙɻ

56. 
    ηογϣϯ؅ཧͷෆඋ

57. ηογϣϯ؅ཧͷෆඋ ֓ཁ wར༻ऀͷηογϣϯ*%͕ୈࡾऀʹ஌ΒΕΔ͜ͱʹΑΓɺͦ ͷར༻ऀʹͳΓ͢·ͯ͠ΞΫηε͞ΕΔ੬ऑੑ
    w߈ܸྨܕ͸ଟ༷Ͱɺେผ͢Δͱɺᶃηογϣϯ*%ͷਪଌɺ ᶄηογϣϯ*%ͷ౪Έग़͠ɺᶅηογϣϯ*%ͷڧ੍ɺ
    ͷྨܕ͕͋Δɻ

58. ηογϣϯ؅ཧͷෆඋ Ұൠతͳରࡦ wηογϣϯ*%Λਪଌࠔ೉ͳ΋ͷʹ͢Δ
    wηογϣϯ*%Λ63-ύϥϝʔλʹ֨ೲ͠ͳ͍ʢ$PPLJFʹ อଘ͢Δʣ
    wೝূ੒ޭ࣌ʹηογϣϯ*%Λมߋ͢Δ
    wೝূલʹ͸ηογϣϯม਺ʹൿີ৘ใΛอଘ͠ͳ͍

59. ηογϣϯ؅ཧͷෆඋ Ұൠతͳରࡦ session.use_only_cookies = 1 session_start(); session_regenerate_id(true); ϩάΠϯ࣌ɺ·ͨ͸ϦΫΤετ͝ͱʹ session_regenerate_id() Λίʔϧ͢Δ͜ͱʹΑΓɺηογϣϯIDΛมߋɻ

    php.ini URL͔ΒηογϣϯIDΛड͚औΒͳ͍ɻ

60. ηογϣϯ؅ཧͷෆඋ -BSBWFM
    ͷ৔߹ TFTTJPO@TUBSU
    తͳ΍ͭ͸Ͳ͜ʹɾɾɾʁ
    

61. ηογϣϯ؅ཧͷෆඋ "QQa)UUQa,FSOFM
    ˞-BSBWFM
    Y protected $middlewareGroups = [ 'web' => [ \App\Http\Middleware\EncryptCookies::class,

    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, \Illuminate\Session\Middleware\StartSession::class, \Illuminate\View\Middleware\ShareErrorsFromSession::class, \App\Http\Middleware\VerifyCsrfToken::class, \Illuminate\Routing\Middleware\SubstituteBindings::class, ], // ུ ];

62. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa.JEEMFXBSFa4UBSU4FTTJPOIBOEMF public function handle($request, Closure $next) { // ུ

    $session = $this->getSession($request); // ུ return $this->handleStatefulRequest($request, $session, $next); }

63. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa.JEEMFXBSFa4UBSU4FTTJPOIBOEMF public function handle($request, Closure $next) { // ུ

    $session = $this->getSession($request); // ུ return $this->handleStatefulRequest($request, $session, $next); }

64. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa.JEEMFXBSFa4UBSU4FTTJPOHFU4FTTJPO public function getSession(Request $request) { return tap( $this->manager->driver(),

    function ($session) use ($request) { $session->setId( $request->cookies->get($session->getName() ) ); }); } config/session.php ͷ 'driver' ͕ σϑΥϧτͷ 'file' ͷ৔߹ɺ Illuminate\Session\Store ·ͨ͸ Illuminate\Session\EncryptedStore (ಉ config ͷ 'encrypt' ʹΑΔ) ΛΠϯελϯεԽͯ͠ฦ͢ɻ

65. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa.JEEMFXBSFa4UBSU4FTTJPOHFU4FTTJPO public function getSession(Request $request) { return tap( $this->manager->driver(),

    function ($session) use ($request) { $session->setId( $request->cookies->get($session->getName() ) ); }); }

66. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa4UPSFTFU*E public function setId($id) { $this->id = $this->isValidId($id) ?

    $id : $this->generateSessionId(); } protected function generateSessionId() { return Str::random(40); }

67. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa.JEEMFXBSFa4UBSU4FTTJPOIBOEMF public function handle($request, Closure $next) { // ུ

    $session = $this->getSession($request); // ུ return $this->handleStatefulRequest($request, $session, $next); }

68. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa.JEEMFXBSFa4UBSU4FTTJPOIBOEMF4UBUFGVM3FRVFTU protected function handleStatefulRequest(Request $request, $session, Closure $next) {

    $request->setLaravelSession( $this->startSession($request, $session) ); // ུ }

69. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa.JEEMFXBSFa4UBSU4FTTJPOTUBSU4FTTJPO protected function startSession(Request $request, $session) { return tap($session,

    function ($session) use ($request) { $session->setRequestOnHandler($request); $session->start(); }); }

70. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa4UPSFTUBSU public function start() { $this->loadSession(); if (! $this->has('_token'))

    { $this->regenerateToken(); } return $this->started = true; }

71. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa4UPSFMPBE4FTTJPO protected function loadSession() { $this->attributes = array_merge( $this->attributes,

    $this->readFromHandler() ); $this->marshalErrorBag(); }

72. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa4UPSFSFBE'SPN)BOEMFS protected function readFromHandler() { if ($data = $this->handler->read($this->getId()))

    { // ུ } return []; } $handler ͸ɺ ηογϣϯυϥΠό͕ file ͷ৔߹͸ Illuminate\Session\FileSessionHandler ※ ৄ͘͠͸ SessionManager ݟͯɻ

73. ηογϣϯ؅ཧͷෆඋ *MMVNJOBUFa4FTTJPOa'JMF4FTTJPO)BOEMFSSFBE public function read($sessionId): string|false { if ($this->files->isFile($path =

    $this->path.'/'. $sessionId) && $this->files->lastModified($path) >= Carbon::now()- >subMinutes($this->minutes)->getTimestamp()) { return $this->files->sharedGet($path); } return ''; }

74. ηογϣϯ؅ཧͷෆඋ ͜͜·ͰͰΘ͔ͬͨ͜ͱ w1)1ඪ४ͷηογϣϯػߏ͸࢖ΘͣɺಠࣗϑΝΠϧ؅ཧ͠ ͍ͯΔΒ͍͠ɻ
    ʹQIQJOJͷηογϣϯؔ࿈ͷઃఆ͸ແҙຯɻ
    wηογϣϯ*%
    ͸
    $PPLJF
    ͔Β͔͠औಘ͍ͯ͠ͳ͍ɻ
    wηογϣϯ*%
    ͸े෼ʹਪଌͮ͠Β͍ɻ
    wࣗಈతʹηογϣϯ*%ΛৼΓ௚͍ͯ͠Δؾ഑͸ͳ͍ɻ

75. ηογϣϯ؅ཧͷෆඋ -BSBWFM
    ެࣜͷ
    -PHJO$POUSPMMFS
    ͷαϯϓϧ public function authenticate(Request $request): RedirectResponse { // ུ

    if (Auth::attempt($credentials)) { $request->session()->regenerate(); return redirect()->intended('dashboard'); } // ུ }

76. ηογϣϯ؅ཧͷෆඋ -BSBWFM
    ͕΍͍ͬͯΔ͜ͱ wਪଌͮ͠Β͍ηογϣϯ*%ͷੜ੒
    wηογϣϯ*%ͷऔಘݩΛ
    $PPLJF
    ʹݶఆ
    ʹ
    63-ύϥϝʔλʹηογϣϯ*%Λ༩͑ͯ΋ແࢹ

77. ηογϣϯ؅ཧͷෆඋ ๻Β͕΍Δ͜ͱ wೝূ੒ޭ࣌ʹηογϣϯ*%Λมߋ͢Δɻ
    wೝূલʹ͸ηογϣϯม਺ʹൿີ৘ใΛอଘ͠ͳ͍ɻ

78. 
    ΫϩεαΠτɾεΫϦϓς Οϯά

79. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ ֓ཁ w8FCϖʔδʹར༻ऀͷೖྗ಺༰౳Λग़ྗ͢Δࡍͷෆඋʹ ΑΓɺ8FCϖʔδʹεΫϦϓτ౳ΛຒΊࠐ·Εͯ͠·͏ ੬ऑੑɻ <p><?php echo $_GET['search']; ?> ͷݕࡧ݁Ռ</p>

    ྫ) ?search=<script>location.href=“http:example.com”</script>

80. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ Ұൠతͳରࡦ wϢʔβೖྗ஋ͷग़ྗʹରͯ͠ɺIUNMTQFDJBMDIBST
    Λ͔ ͚Δɻ
    wอݥతʹɺશͯͷม਺ग़ྗʹର࣮͠ࢪ͢Δͷ͕ϕετɻ <p><?php echo htmlspecialchars($_GET['search']); ?>

    ͷݕࡧ݁Ռ</p> ※ PHP 8.1 ΑΓલ͸ɺୈ2Ҿ਺ʹ ENT_QUOTES ͕ඞཁɻ

81. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ -BSBWFM
    ͷ৔߹ @if ($search) <p>{{ $search }} ͷݕࡧ݁Ռ</p> @endif return

    view('index', [ 'search' => $request->search, ]);

82. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ Կͱͳ͘஌͍ͬͯΔͱࢥ͍·͕͢ɾɾɾ w#MBEF
    ϑΝΠϧ
    
    YYYCMBEFQIQ
    
    Λɺ1)1ͱ࣮ͯ͠ߦՄ ೳͳܗʹม׵
    ίϯύΠϧ
    ্ͨ͠ͰಡΈࠐΜͰ͍Δɻ
    wຖճίϯύΠϧ͍ͯ͠Δͱ஗͍ͷͰɺม׵ޙͷϑΝΠϧΛ Ωϟογϡ͍ͯ͠Δ
    

    
    DBDIF
    ϑΥϧμҎԼʹ͓͍͍ͯ Δ
    ɻ
    wม׵ݩϑΝΠϧͷλΠϜελϯϓ͕ߋ৽͞ΕΔͱ࠶ม׵ɻ

83. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ -BSBWFM
    ͷ৔߹ return view('index', [ 'search' => $request->search, ]);

84. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ MBSBWFMGSBNFXPSLTSD*MMVNJOBUF'PVOEBUJPOIFMQFSTQIQ function view($view = null, $data = [], $mergeData

    = []) { $factory = app(ViewFactory::class); if (func_num_args() === 0) { return $factory; } return $factory->make($view, $data, $mergeData); }

85. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa'BDUPSZNBLF public function make($view, $data = [], $mergeData =

    []) { $path = $this->finder->find( $view = $this->normalizeName($view) ); $data = array_merge($mergeData, $this->parseData($data)); return tap($this->viewInstance($view, $path, $data), function ($view) { $this->callCreator($view); }); }

86. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa'BDUPSZWJFX*OTUBODF protected function viewInstance($view, $path, $data) { return new

    View( $this, $this->getEngineFromPath($path), $view, $path, $data ); }

87. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa7JFX@@DPOTUSVDU public function __construct(Factory $factory, Engine $engine, $view, $path,

    $data = []) { $this->view = $view; $this->path = $path; $this->engine = $engine; $this->factory = $factory; $this->data = $data instanceof Arrayable ? $data- >toArray() : (array) $data; } Ҿ਺Λ٧ΊͯΔ͚ͩɻ ͜͜Ͱ͸·ͩίϯύΠϧ͸ ͯ͠ͳͦ͞͏ɻ

88. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ -BSBWFM
    ͷ৔߹ return view('index', [ 'search' => $request->search, ]); w7JFX
    Πϯελϯε͕ίϯτϩʔϥ͔Β
    SFUVSO
    ͞ΕΔɻ
    

    w*MMVNJOBUFa3PVUJOHa3PVUFSUP3FTQPOTF
    ʹΑΓɺ
    *MMVNJOBUFa)UUQa3FTQPOTF
    ʹ٧ΊΒΕΔɻ

89. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUF3PVUJOH3PVUFSUP3FTQPOTF public static function toResponse($request, $response) { // ུ

    } elseif (! $response instanceof SymfonyResponse) { $response = new Response($response, 200, ['Content- Type' => 'text/html']); } // ུ return $response->prepare($request); } $response ͕ View ΦϒδΣΫτ

90. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa)UUQa3FTQPOTF@@DPOTUSVDU public function __construct($content = '', $status = 200,

    array $headers = []) { $this->headers = new ResponseHeaderBag($headers); $this->setContent($content); $this->setStatusCode($status); $this->setProtocolVersion('1.0'); }

91. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa)UUQa3FTQPOTFTFU$POUFOU public function setContent(mixed $content): static { // ུ

    elseif ($content instanceof Renderable) { $content = $content->render(); } parent::setContent($content); return $this; }

92. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa7JFXSFOEFS public function render(callable $callback = null) { try

    { $contents = $this->renderContents(); // ུ } catch (Throwable $e) { // ུ } }

93. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa7JFXSFOEFS$POUFOUT protected function renderContents() { $this->factory->incrementRender(); $this->factory->callComposer($this); $contents =

    $this->getContents(); $this->factory->decrementRender(); return $contents; }

94. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa7JFXHFU$POUFOUT protected function getContents() { return $this->engine->get( $this->path, $this->gatherData()

    ); } $engine ͸௨ৗ Illuminate\View\Engines\CompilerEngine

95. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa&OHJOFTa$PNQJMFS&OHJOFHFU public function get($path, array $data = []) {

    // ུ if (! isset($this- >compiledOrNotExpired[$path]) && $this->compiler- >isExpired($path)) { $this->compiler->compile($path); } } $compiler ͸௨ৗ Illuminate\View\Compilers\BladeCompiler

96. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa$PNQJMFSTa#MBEF$PNQJMFSDPNQJMF public function compile($path = null) { // ུ

    if (! is_null($this->cachePath)) { $contents = $this->compileString( $this->files->get($this->getPath()) ); // ུ } }

97. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa$PNQJMFSTa#MBEF$PNQJMFSDPNQJMF4USJOH public function compileString($value) { // ུ foreach (token_get_all($value)

    as $token) { $result .= is_array($token) ? $this->parseToken($token) : $token; } // ུ }

98. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa$PNQJMFSTa#MBEF$PNQJMFSQBSTF5PLFO protected function parseToken($token) { [$id, $content] = $token;

    if ($id == T_INLINE_HTML) { foreach ($this->compilers as $type) { $content = $this->{"compile{$type}"}($content); } } return $content; } ഑ྻ $compilers ͷத਎͸ ['Extensions', 'Statements', 'Echos']

99. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa$PNQJMFSTa$PODFSOTa$PNQJMFT&DIPTDPNQJMF&DIPT public function compileEchos($value) { foreach ($this->getEchoMethods() as $method)

    { $value = $this->$method($value); } return $value; } $method ͸ҎԼͷ3ͭ 'compileRawEchos' 'compileEscapedEchos' ‘compileRegularEchos'

100. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ *MMVNJOBUFa7JFXa$PNQJMFSTa$PODFSOTa$PNQJMFT&DIPTDPNQJMF3FHVMBS&DIPT protected function compileRegularEchos($value) { $pattern = sprintf(‘/(@)?%s\s*(.+?)\s*%s(\r?\n)?/s', $this->contentTags[0],

     $this->contentTags[1]); $callback = function ($matches) { $whitespace = empty($matches[3]) ? '' : $matches[3].$matches[3]; $wrapped = sprintf($this->echoFormat, $this->wrapInEchoHandler($matches[2])); return $matches[1] ? substr($matches[0], 1) : "<?php echo {$wrapped}; ?>{$whitespace}"; }; return preg_replace_callback($pattern, $callback, $value); } ɾɾɾ{{ ɾɾɾ}} {{ $search }} ͸ <?php echo e($__bladeCompiler->applyEchoHandler($search)) ?> ͱͳΔ

101. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ -BSBWFM
     ͕΍͍ͬͯΔ͜ͱ w\\
     ^^
     ʹࣗಈతʹ
     F
     Λ͚ͭͯΤεέʔϓͯ͘͠ΕΔ

102. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ ๻Β͕΍Δ͜ͱ w\
     ^
     ͷ࢖༻Λඞཁ࠷খݶʹ͢Δɻ
     w\
     ^
     Ͱදࣔ͢Δ஋΍ϝιου಺΋ඞཁՕॴ͸ඞͣΤεέ ʔϓ
     PS
     αχλΠζɻ
     wΞϓϦͷίʔυʹ
     FDIP
     ΍
     QSJOU@G
     ͸ॻ͔ͳ͍

103. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ ΍ͬͯ͠·͍͕ͪͳϛε {!! $form->input('search', $search) !! public function input(string $name,

     mixed $value) { return sprintf( '<input type="text" name="%s" value="%s">', $name, old($name, $value) ); }

104. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ ΍ͬͯ͠·͍͕ͪͳϛε {!! $form->input('search', $search) !! public function input(string $name,

     mixed $value) { return sprintf( '<input type="text" name="%s" value="%s">', e($name), e(old($name, $value)) ); }

105. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ ΍ͬͯ͠·͍͕ͪͳϛε {{-- Wysiwyg ΤσΟλʹΑΓHTML͕ೖྗ͞ΕΔͨΊΤεέʔϓ ͠ͳ͍ --}} {!! $article->content !!}

106. ΫϩεαΠτɾεΫϦϓςΟϯάʢ944ʣ ΍ͬͯ͠·͍͕ͪͳϛε {{-- Wysiwyg ΤσΟλʹΑΓHTML͕ೖྗ͞ΕΔͨΊΤεέʔϓ ͠ͳ͍ --}} {!! strip_tags($article->content, $allowed)

     !!}

107. 
     $43' ΫϩεαΠτɾϦΫ ΤετɾϑΥʔδΣϦ

108. $43' ֓ཁ wਖ਼نͷϦΫΤετ͔Ͳ͏͔ͷݕূෆ଍ʹΑΓɺ
     ѱҙ͋Δ֎෦αΠτΛܦ༝ͯ͠ɺར༻ऀ͕ҙਤʹ൓ͯ͠ॏ ཁͳॲཧΛ࣮ߦͤ͞ΒΕͯ͠·͏੬ऑੑɻ
     wύιίϯԕִૢ࡞ࣄ݅
     wʮ͸·ͪͪΌΜʯࣄ݅

109. $43' Ұൠతͳରࡦ wϦΫΤετૹ৴ݩը໘ʹͯɺୈࡾऀ͕༧ଌෆՄೳͳτʔΫ ϯΛੜ੒͠ɺϦΫΤετͱͱ΋ʹૹ৴ɻ
     wϦΫΤετड৴࣌ʹɺτʔΫϯͷਖ਼౰ੑΛݕূ͢Δɻ
     ʢੜ੒࣌ʹηογϣϯʹ֨ೲ͓ͯ͘͠ʣ

110. $43' -BSBWFM
     ͷ৔߹ <form method="post" action="{{ route('store') }}"> @csrf

111. $43' -BSBWFM
     ͷ৔߹ <form method="post" action="{{ route('store') }}"> @csrf લষͰಡΜͩ BladeCompiler

     ʹΑͬͯॲཧ͞ΕΔɻ

112. $43' *MMVNJOBUFa7JFXa$PNQJMFSTa$PODFSOTa$PNQJMFT)FMQFSTDPNQJMF$TSG protected function compileCsrf() { return '<?php echo csrf_field();

     ?>'; }

113. $43' WFOEPSMBSBWFMGSBNFXPSLTSD*MMVNJOBUF'PVOEBUJPOIFMQFSTQIQ function csrf_field() { return new HtmlString('<input type="hidden" name="_token"

     value="'.csrf_token().'">'); }

114. $43' WFOEPSMBSBWFMGSBNFXPSLTSD*MMVNJOBUF'PVOEBUJPOIFMQFSTQIQ function csrf_token() { $session = app('session'); if (isset($session))

     { return $session->token(); } throw new RuntimeException('Application session store not set.'); }

115. $43' *MMVNJOBUFa4FTTJPOa4UPSF public function token() { return $this->get('_token'); } ͜͜Ͱ͸ηογϣϯ͔ΒτʔΫϯΛऔಘ͍ͯ͠Δ͚ͩͰɺ

     ੜ੒͸͍ͯ͠ͳ͍ɻ

116. $43' *MMVNJOBUFa4FTTJPOa4UPSF public function start() { $this->loadSession(); if (! $this->has('_token'))

     { $this->regenerateToken(); } return $this->started = true; } ※ ͜ͷϝιου͕ݺ͹ΕΔܦҢ͸ 4ষࢀরɻ ͜͜Ͱ΍ͬͯͨʂ

117. $43' -BSBWFM
     ͷ৔߹ <form method="post" action="{{ route('store') }}"> @csrf w4UBSU4FTTJPO
     ϛυϧ΢ΣΞʹΑͬͯੜ੒͞ΕͨτʔΫϯ ͕ɺJOQVU
     UZQFlIJEEFOz
     ͱͯ͠ग़ྗ͞Ε͍ͯΔɻ
     

     wͰ͸ɺτʔΫϯͷݕূ͸Ͳ͜Ͱ΍͍ͬͯΔʁ

118. $43' "QQa)UUQa,FSOFM
     ˞-BSBWFM
     Y protected $middlewareGroups = [ 'web' => [ \App\Http\Middleware\EncryptCookies::class,

     \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, \Illuminate\Session\Middleware\StartSession::class, \Illuminate\View\Middleware\ShareErrorsFromSession::class, \App\Http\Middleware\VerifyCsrfToken::class, \Illuminate\Routing\Middleware\SubstituteBindings::class, ], // ུ ];

119. $43' a*MMVNJOBUFa'PVOEBUJPOa)UUQa.JEEMFXBSFa7FSJGZ$TSG5PLFOIBOEMF public function handle($request, Closure $next) { if (

     $this->isReading($request) || $this->runningUnitTests() || $this->inExceptArray($request) || $this->tokensMatch($request) ) { // ུ } throw new TokenMismatchException('CSRF token mismatch.'); }

120. $43' a*MMVNJOBUFa'PVOEBUJPOa)UUQa.JEEMFXBSFa7FSJGZ$TSG5PLFOIBOEMF public function handle($request, Closure $next) { if (

     $this->isReading($request) || $this->runningUnitTests() || $this->inExceptArray($request) || $this->tokensMatch($request) ) { // ུ } throw new TokenMismatchException('CSRF token mismatch.'); }

121. $43' a*MMVNJOBUFa'PVOEBUJPOa)UUQa.JEEMFXBSFa7FSJGZ$TSG5PLFOJT3FBEJOH protected function isReading($request) { return in_array( $request->method(), ['HEAD',

     'GET', ‘OPTIONS'] ); }

122. $43' a*MMVNJOBUFa'PVOEBUJPOa)UUQa.JEEMFXBSFa7FSJGZ$TSG5PLFOIBOEMF public function handle($request, Closure $next) { if (

     $this->isReading($request) || $this->runningUnitTests() || $this->inExceptArray($request) || $this->tokensMatch($request) ) { // ུ } throw new TokenMismatchException('CSRF token mismatch.'); }

123. $43' a*MMVNJOBUFa'PVOEBUJPOa)UUQa.JEEMFXBSFa7FSJGZ$TSG5PLFOUPLFOT.BUDI protected function tokensMatch($request) { $token = $this->getTokenFromRequest($request); return

     is_string($request->session()->token()) && is_string($token) && hash_equals($request->session()->token(), $token); }

124. $43' a*MMVNJOBUFa'PVOEBUJPOa)UUQa.JEEMFXBSFa7FSJGZ$TSG5PLFOIBOEMF public function handle($request, Closure $next) { if (

     $this->isReading($request) || $this->runningUnitTests() || $this->inExceptArray($request) || $this->tokensMatch($request) ) { // ུ } throw new TokenMismatchException('CSRF token mismatch.'); } ϦΫΤετϝιου͕ GET, HEAD, OPTIONS Ҏ֎Ͱ ϦΫΤετʹτʔΫϯ͕ແ͍ɺ ΋͘͠͸ηογϣϯͷτʔΫϯͱ Ұக͍ͯ͠ͳ͚Ε͹ྫ֎Λεϩʔ

125. $43' -BSBWFM
     ͕΍͍ͬͯΔ͜ͱ w$43'༻τʔΫϯΛੜ੒ͯ͠ηογϣϯʹೖΕ͍ͯΔ
     w!DTSG
     σΟϨΫςΟϒͰɺ্هτʔΫϯΛૹ৴͢Δ
     JOQVU
     λάΛੜ੒͍ͯ͠Δ
     w1045165%&-&5&
     ϝιουͷશͯͷϦΫΤετʹ
     ର͠ɺτʔΫϯ͕ෆҰகͰ͋Ε͹ྫ֎Λεϩʔ

126. $43' ๻Β͕΍Δ͜ͱ wॏཁͳॲཧʢσʔλϕʔεͷߋ৽ɺϝʔϧͷૹ৴౳ʣ͸
     ඞͣ
     1045165%&-&5&
     ϝιουͰߦ͏ɻ
     w7FSJGZ$TSG5PLFO
     ϛυϧ΢ΣΞΛඞͣ༗ޮʹ͢Δɻ
     wෆ༻ҙʹ
     7FSJGZ$TSG5PLFO
     ͷআ֎ΛߦΘͳ͍ɻ

127. 
     )551
     ϔομɾΠϯδΣΫ γϣϯ

128. )551ϔομɾΠϯδΣΫγϣϯ ֓ཁ wಈతʹ)551ϨεϙϯεϔομΛੜ੒͢ΔॲཧͷෆඋʹΑ Γɺෆਖ਼ͳΫοΩʔͷੜ੒ɺෆਖ਼ͳϦμΠϨΫτɺදࣔ಺ ༰ͷվมͳͲ͕ߦΘΕΔ੬ऑੑɻ

129. )551ϔομɾΠϯδΣΫγϣϯ ֓ཁ wయܕతʹ͸ɺม਺಺ʹվߦΛؚΊΔ͜ͱʹΑΓɺҙਤ͠ͳ͍)551ϔ ομΛૹ৴͢Δύλʔϯ
     wͨͩ͠ɺ1)1
     ͷ
     IFBEFS
     ؔ਺͸ෳ਺ͷϔομΛૹ৴Ͱ͖ͳ͍ͨΊɺ ͜ͷ߈ܸํ๏͸੒ཱ͠ͳ͍ʢͱࢥ͏͕ɺಙؙຊ
     1
     ΋ࢀরʣɻ $POUFOU%JTQPTJUJPO
     BUUBDINFOU
     fi MFOBNF\

     fi MF^ $POUFOU%JTQPTJUJPO
     BUUBDINFOU
     fi MFOBNFIPHF
     -PDBUJPO
     IUUQFYBNQMFDPN

130. )551ϔομɾΠϯδΣΫγϣϯ Ұൠతͳରࡦ w)551ϔομʢϦμΠϨΫτؚΉʣʹϢʔβ༝དྷͷ஋Λؚ Ίͳ͍ɻؚΊ͟ΔΛಘͳ͍৔߹͸ɺݫີʹνΣοΫΛߦ ͏ɻ

131. )551ϔομɾΠϯδΣΫγϣϯ -BSBWFM
     ͕΍͍ͬͯΔ͜ͱ wಛʹͳ͠

132. )551ϔομɾΠϯδΣΫγϣϯ ๻Β͕΍Δ͜ͱ w)551ϔομʢϦμΠϨΫτؚΉʣʹϢʔβ༝དྷͷ஋Λؚ Ίͳ͍ɻؚΊ͟ΔΛಘͳ͍৔߹͸ɺݫີʹνΣοΫΛߦ ͏ɻ

133. 
     ϝʔϧϔομɾΠϯδΣΫ γϣϯ

134. ϝʔϧϔομɾΠϯδΣΫγϣϯ ֓ཁ wϝʔϧϔομʢ'SPNϔομͳͲʣʹϢʔβೖྗ஋ΛؚΉ ৔߹ɺೖྗ஋ͷݕূෆ଍ʹΑΓɺҙਤ͠ͳ͍ϔομ΍ຊจ Λૠೖ͞Εͯ͠·͏੬ऑੑɻ

135. ϝʔϧϔομɾΠϯδΣΫγϣϯ ֓ཁ mb_send_mail( "[email protected]", "͓໰͍߹Θ͕ͤ͋Γ·ͨ͠", $_POST['body'], "From: " . $_POST['from'],

     ): bool $_POST[‘from’] ʹ "[email protected] \n BCC: [email protected]" ͷΑ͏ͳจࣈྻΛೖΕΔͱ੒ཱ

136. ϝʔϧϔομɾΠϯδΣΫγϣϯ Ұൠతͳରࡦ wϝʔϧϔομʹϢʔβೖྗ஋ΛؚΊͳ͍ɻ
     w΍ΉΛಘؚͣΊΔ৔߹ɺݫີͳݕূΛߦ͏ɺվߦΛআڈ͢ Δ౳ͷରࡦΛߦ͏ɻ

137. ϝʔϧϔομɾΠϯδΣΫγϣϯ -BSBWFM
     ͷ৔߹ class SampleMail extends Mailable { public function build()

     { return $this->from($this->email) ->subject($this->title) ->text('sample'); } }

138. ϝʔϧϔομɾΠϯδΣΫγϣϯ -BSBWFM
     ͷ৔߹ class SampleMail extends Mailable { public function build()

     { return $this->from($this->email) ->subject($this->title) ->text('sample'); } }

139. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFGSPN public function from($address, $name = null) { return

     $this->setAddress($address, $name, 'from'); }

140. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFTFU"EESFTT protected function setAddress($address, $name = null, $property =

     'to') { // ུ foreach ($this->addressesToArray($address, $name) as $recipient) { $recipient = $this->normalizeRecipient($recipient); $this->{$property}[] = [ 'name' => $recipient->name ?? null, 'address' => $recipient->email, ]; } // ུ } ͜͜Ͱ͸ΞυϨεͷܗࣜνΣοΫ͸΍͍ͬͯͳ͍ɻ

141. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFTFOE public function send($mailer) { return $this->withLocale($this->locale, function ()

     use ($mailer) { // ུ return $mailer->send($this->buildView(), $this->buildViewData(), function ($message) { $this->buildFrom($message) ->buildRecipients($message) ->buildSubject($message) // ུ }); }); }

142. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFCVJME'SPN protected function buildFrom($message) { if (! empty($this->from)) {

     $message->from($this->from[0]['address'], $this->from[0]['name']); } return $this; }

143. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.FTTBHFGSPN public function from($address, $name = null) { is_array($address)

     ? $this->message->from(...$address) : $this->message->from(new Address($address, (string) $name)); return $this; }

144. ϝʔϧϔομɾΠϯδΣΫγϣϯ 4ZNGPOZa$PNQPOFOUa.JNFa"EESFTT@@DPOTUSVDU public function __construct(string $address, string $name = '')

     { // ུ $this->address = trim($address); $this->name = trim(str_replace(["\n", "\r"], '', $name)); if (!self::$validator->isValid($this->address, class_exists(MessageIDValidation::class) ? new MessageIDValidation() : new RFCValidation())) { throw new RfcComplianceException(sprintf('Email "%s" does not comply with addr-spec of RFC 2822.', $address)); } } ΞυϨε͕ܗࣜҧ൓Ͱ͋Ε͹ྫ֎Λεϩʔ͍ͯ͠Δ FromName ͔Β΋վߦΛআڈ͍ͯ͠Δʢ੍ޚจࣈ͸ʁʣ

145. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.FTTBHFGSPN public function from($address, $name = null) { is_array($address)

     ? $this->message->from(...$address) : $this->message->from(new Address($address, (string) $name)); return $this; } ͬͪ͜ʹ΋ൈ͚͕݀͋Γͦ͏ɾɾɾ

146. ϝʔϧϔομɾΠϯδΣΫγϣϯ -BSBWFM
     ͷ৔߹ class SampleMail extends Mailable { public function build()

     { return $this->from($this->email) ->subject($this->title) ->text('sample'); } }

147. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFTVCKFDU public function subject($subject) { $this->subject = $subject; return

     $this; } ͜͜Ͱ΋ܗࣜνΣοΫ΍վߦͷআڈ͸΍͍ͬͯͳ͍ɻ

148. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFTFOE public function send($mailer) { return $this->withLocale($this->locale, function ()

     use ($mailer) { // ུ return $mailer->send($this->buildView(), $this->buildViewData(), function ($message) { $this->buildFrom($message) ->buildRecipients($message) ->buildSubject($message) // ུ }); }); }

149. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFCVJME4VCKFDU protected function buildSubject($message) { if ($this->subject) { $message->subject($this->subject);

     } else { $message- >subject(Str::title(Str::snake(class_basename($this), ' '))); } return $this; }

150. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.FTTBHFTVCKFDU public function subject($subject) { $this->message->subject($subject); return $this; }

151. ϝʔϧϔομɾΠϯδΣΫγϣϯ 4ZNGPOZa$PNQPOFOUa.JNFa&NBJMTVCKFDU public function subject(string $subject): static { return $this->setHeaderBody('Text',

     'Subject', $subject); }

152. ϝʔϧϔομɾΠϯδΣΫγϣϯ 4ZNGPOZa$PNQPOFOUa.JNFa&NBJMTFU)FBEFS#PEZ private function setHeaderBody(string $type, string $name, $body): static

     { $this->getHeaders()->setHeaderBody($type, $name, $body); return $this; }

153. ϝʔϧϔομɾΠϯδΣΫγϣϯ 4ZNGPOZa$PNQPOFOUa.JNFa)FBEFSTTFU)FBEFS#PEZ public function setHeaderBody(string $type, string $name, mixed $body):

     void { if ($this->has($name)) { $this->get($name)->setBody($body); } else { $this->{'add'.$type.'Header'}($name, $body); } }

154. ϝʔϧϔομɾΠϯδΣΫγϣϯ 4ZNGPOZa$PNQPOFOUa.JNFa)FBEFSTBEE5FYU)FBEFS public function addTextHeader(string $name, string $value): static {

     return $this->add(new UnstructuredHeader($name, $value)); }

155. ϝʔϧϔομɾΠϯδΣΫγϣϯ 4ZNGPOZa$PNQPOFOUa.JNFa)FBEFSTBEE public function add(HeaderInterface $header): static { self::checkHeaderClass($header); $header->setMaxLineLength($this->lineLength);

     $name = strtolower($header->getName()); if (\in_array($name, self::UNIQUE_HEADERS, true) && isset($this->headers[$name]) && \count($this->headers[$name]) > 0) { throw new LogicException(sprintf('Impossible to set header "%s" as it\'s already defined and must be unique.', $header->getName())); } $this->headers[$name][] = $header; return $this; } վߦΛআڈͨ͠Γྫ֎Λεϩʔͨ͠Γ͸͍ͯ͠ͳ͍ɻ

156. ϝʔϧϔομɾΠϯδΣΫγϣϯ *MMVNJOBUFa.BJMa.BJMBCMFTFOE public function send($mailer) { return $this->withLocale($this->locale, function ()

     use ($mailer) { // ུ return $mailer->send($this->buildView(), $this->buildViewData(), function ($message) { $this->buildFrom($message) ->buildRecipients($message) ->buildSubject($message) // ུ }); }); } ࢒Δ͸ίί͚ͩʹϝʔϧυϥΠόґଘ ඪ४υϥΠό (smtp) Ͱ͸ɺSubject͸ Quoted-Printable Τϯίʔυ͞ΕΔͨΊɺ ߈ܸ͸੒ཱ͠ͳ͍ɻ

157. ϝʔϧϔομɾΠϯδΣΫγϣϯ -BSBWFM
     ͕΍͍ͬͯΔ͜ͱ wϝʔϧΞυϨεؔ࿈ͷϑΟʔϧυͷܗࣜνΣοΫ
     wʢϝʔϧૹ৴ϥΠϒϥϦʹΑΓʣ໊݅ͷΤϯίʔυ

158. ϝʔϧϔομɾΠϯδΣΫγϣϯ ๻Β͕΍Δ͜ͱ wͱ͸͍͑ɺϔομؔ࿈ͷ߲໨Λෆ༻ҙʹಈతʹηοτ͠ͳ ͍ɻ

159. 
     ΫϦοΫδϟοΩϯά

160. ΫϦοΫδϟοΩϯά ֓ཁ w᠘αΠτͷϖʔδ্ʹɺ߈ܸର৅αΠτΛಁ໌Խͨ͠
     JGSBNF
     ͰॏͶͯදࣔ͠ɺϢʔβ͕ҙਤ͠ͳ͍͏ͪʹΫϦ οΫͤ͞Δ߈ܸ

161. ΫϦοΫδϟοΩϯά Ұൠతͳରࡦ wϨεϙϯεϔομͰ
     9GSBNFPQUJPOT
     Λࢦఆ͢Δ

162. ΫϦοΫδϟοΩϯά -BSBWFM
     ͷ৔߹ Կ͔΍ͬͯ͘ΕͯΔͷ͔ɾɾɾʁ

163. ΫϦοΫδϟοΩϯά *MMVNJOBUFa)UUQa.JEEMFXBSFa'SBNF(VBSE class FrameGuard { public function handle($request, Closure $next)

     { $response = $next($request); $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false); return $response; } }

164. ΫϦοΫδϟοΩϯά -BSBWFM
     ͕΍͍ͬͯΔ͜ͱ w'SBNF(VBSE
     ϛυϧ΢ΣΞ͕༻ҙ͞Ε͍ͯΔɻ
     ͨͩ͠σϑΥϧτͰ͸༗ޮԽ͞Ε͍ͯͳ͍ɻ

165. ΫϦοΫδϟοΩϯά ๻Β͕΍Δ͜ͱ w'SBNF(VBSE
     ϛυϧ΢ΣΞΛ༗ޮԽ͢Δɻ
     w·ͨ͸ɺ8FCαʔόͷઃఆͰɺશͯͷϨεϙϯεϔομʹ
     9'SBNF0QUJPO
     Λ͚ͭΔɻ

166. 
     όοϑΝΦʔόʔϑϩʔ

167. όοϑΝΦʔόʔϑϩʔ ֓ཁ wϓϩάϥϜ͕֬อͨ͠ϝϞϦྖҬ֎ͷϝϞϦΛ্ॻ͖͞ Εɺ΢ΣϒαʔόଆͰ೚ҙͷίʔυΛ࣮ߦ͞ΕͨΓɺϓϦ έʔγϣϯΛҟৗऴྃͤ͞ΒΕͨΓ͢Δ੬ऑੑɻ

168. όοϑΝΦʔόʔϑϩʔ Ұൠతͳରࡦ w1)1͸௚઀ϝϞϦΛૢ࡞Ͱ͖ͳ͍ͨΊɺ͜ͷ੬ऑੑ͕ੜ· ΕΔՄೳੑ͸௿͍ʢୠ͠աڈͷόʔδϣϯʹ͸ελοΫό οϑΝΦʔόʔϑϩʔͷ੬ऑੑ͕͋ͬͨʣɻ

169. όοϑΝΦʔόʔϑϩʔ -BSBWFM
     ͕΍͍ͬͯΔ͜ͱ wಛʹͳ͠

170. όοϑΝΦʔόʔϑϩʔ ๻Β͕΍Δ͜ͱ wಛʹͳ͠ʢ੬ऑੑͷ͋Δόʔδϣϯͷ1)1΍֦ுϞδϡʔ ϧΛ࢖༻͠ͳ͍ʣ

171. 
     ΞΫηε੍ޚ΍ೝՄ੍ޚ ͷܽམ

172. ΞΫηε੍ޚ΍ೝՄ੍ޚͷܽམ ֓ཁ wઃܭ্ͷෆඋʹΑΓɺຊདྷଞऀʢଞͷར༻ऀΛؚΉʣ͕Ξ ΫηεͰ͖ͯ͸ͳΒͳ͍σʔλʹɺଞऀ͕ΞΫηεͰ͖ͨ Γɺߋ৽Ͱ͖ͨΓͯ͠͠·͏੬ऑੑɻ
     
     ྫʣύϥϝʔλΛվ͟Μ͢Ε͹ଞਓͷσʔλ͕ӾཡͰ͖ͯ
     ɹɹ͠·͏ɻ

173. ΞΫηε੍ޚ΍ೝՄ੍ޚͷܽམ -BSBWFM
     ͕΍͍ͬͯΔ͜ͱ w"VUI
     ΍
     (BUF
     ͳͲɺ؆ศͳೝূɾೝՄػߏͷఏڙ

174. ΞΫηε੍ޚ΍ೝՄ੍ޚͷܽམ ๻Β͕΍Δ͜ͱ wਖ਼͍͠ઃܭɺ࣮૷ɺϨϏϡʔɺςετ

175. ·ͱΊ

176. ࠓճͷझࢫ ݸͷ੬ऑੑ 
     42-
     ΠϯδΣΫγϣϯ
     
     04
     ίϚϯυɾΠϯδΣΫγϣϯ
     
     ύε໊ύϥϝʔλͷະνΣοΫσΟ ϨΫτϦɾτϥόʔαϧ
     

     
     ηογϣϯ؅ཧͷෆඋ
     
     ΫϩεαΠτɾεΫϦϓςΟϯά 
     $43' ΫϩεαΠτɾϦΫΤε τɾϑΥʔδΣϦ
     
     )551
     ϔομɾΠϯδΣΫγϣϯ
     
     ϝʔϧϔομɾΠϯδΣΫγϣϯ
     
     ΫϦοΫδϟοΩϯά
     
     όοϑΝΦʔόʔϑϩʔ
     
     ΞΫηε੍ޚ΍ೝՄ੍ޚͷܽམ

177. ࠓճͷझࢫ ݸͷ੬ऑੑ 
     42-
     ΠϯδΣΫγϣϯ
     
     04
     ίϚϯυɾΠϯδΣΫγϣϯ
     
     ύε໊ύϥϝʔλͷະνΣοΫσΟ ϨΫτϦɾτϥόʔαϧ
     

     
     ηογϣϯ؅ཧͷෆඋ
     
     ΫϩεαΠτɾεΫϦϓςΟϯά 
     $43' ΫϩεαΠτɾϦΫΤε τɾϑΥʔδΣϦ
     
     )551
     ϔομɾΠϯδΣΫγϣϯ
     
     ϝʔϧϔομɾΠϯδΣΫγϣϯ
     
     ΫϦοΫδϟοΩϯά
     
     όοϑΝΦʔόʔϑϩʔ
     
     ΞΫηε੍ޚ΍ೝՄ੍ޚͷܽམ ˕ ✕ ˕ ˓ ˕ ˕  ˕ ̋  ˚

178. ૯ׅ -BSBWFM͕΍͍ͬͯΔ͜ͱ w-BSBWFM
     ͸ɺ944ɺ$43'ɺ42-ΠϯδΣΫγϣϯ౳ͷओ ཁͳ੬ऑੑʹରͯ͠ɺରࡦͷͨΊͷػߏΛ༻ҙͯ͘͠Εͯ ͍Δɻ
     w͋͘·ͰػߏͰ͋Γɺ࢖͍ํΛޡΕ͹੬ऑੑ͸ੜ·ΕΔɻ
     wશͯͷ੬ऑੑΛΧόʔ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍ɻ

179. ૯ׅ ๻Β͕΍Δ͜ͱ wਖ਼͍͠ઃܭΛ͢Δ
     wͦͷ্Ͱ
     -BSBWFM
     Λਖ਼͘͠࢖͏
     wηΩϡϦςΟࢹ఺ͷϨϏϡʔͱςετ

180. ૯ׅ ײ૝ w-BSBWFM
     ͸΍ͬͺΓΑ͘Ͱ͖ͯΔ
     wιʔείʔυϦʔσΟϯά͸΍ͬͺΓָ͍͠

181. એ఻ ϓϩδΣΫτ޻਺؅ཧɾݪՁܭࢉπʔϧʮώτºπΩʯ IJUPUTVLJOFU

182. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·͢ʂ !BEKQ