-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
$_SERVER var exposes db_name/user/password and salts #474
Comments
Update 2020-08-11: Current syntax looks like this: $repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
->immutable()
->make();
$dotenv = Dotenv\Dotenv::create($repository, $root_dir); 2019-10-19: Looks like it would be a pretty straightforward change if we care to do this. /**
* Expose global env() function from oscarotero/env
*/
Env::init();
/**
* Use Dotenv to set required environment variables and load .env file in root
*/
-$dotenv = Dotenv\Dotenv::create($root_dir);
+$dotenv = Dotenv\Dotenv::create($root_dir, null, new Dotenv\Environment\DotenvFactory([
+ new Dotenv\Environment\Adapter\PutenvAdapter(),
+]));
if (file_exists($root_dir . '/.env')) {
$dotenv->load();
$dotenv->required(['WP_HOME', 'WP_SITEURL']);
if (!env('DATABASE_URL')) {
$dotenv->required(['DB_NAME', 'DB_USER', 'DB_PASSWORD']);
}
} |
Would this also do it for the WP Salts? |
+1 can also confirm when running |
Tested suggested fix and it removed the |
Any Updates on this serious issue? |
There’s code a couple comments up if you want to test it #474 (comment) |
The above does work, but it should be a change merged into the repo for those that are cloning this for projects. This way they don't have to make a note to copy this solution each time. |
Well we need a PR with this change 😄 @QWp6t want to do the honours? |
Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`.
Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`.
Are you all planning on closing solved issues? |
@SandiyosDev Before you accuse the maintainers of negligence, I would suggest you verify the truthfulness of your accusation. The issue will be closed automatically once the fix is merged. I would also recommend reading this page: |
Description
When working on a site, I noticed that if I was to
error_log()
the$_SERVER
variable that the following additional items would be available (name/user/password removed for bug report):Steps to reproduce
var_dump()
orerror_log()
the$_SERVER
varExpected behavior: These sensitive data shouldn't be available via that variable
Actual behavior: These sensitive data shouldn't be able to output
Reproduces how often: 100%
Versions
Bedrock Install: 1.12.8: 2019-09-05
macOS: 10.14.6
laravel/valet 2.3.3
Additional information
Basic Sage 9 with Bedrocks install on local.
The text was updated successfully, but these errors were encountered: