Fixes #474 - Don't leak env values into $_SERVER

Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`.
roots · May 29, 2021 · c68c908 · c68c908
1 parent e940020
commit c68c908
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/config/application.php b/config/application.php
@@ -29,7 +29,13 @@
  * Use Dotenv to set required environment variables and load .env file in root
  * .env.local will override .env if it exists
  */
-$dotenv = Dotenv\Dotenv::createUnsafeImmutable($root_dir, ['.env', '.env.local'], false);
+$repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
+    ->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
+    ->addAdapter(Dotenv\Repository\Adapter\PutenvAdapter::class)
+    ->immutable()
+    ->make();
+
+$dotenv = Dotenv\Dotenv::create($repository, $root_dir, ['.env', '.env.local'], false);
 if (file_exists($root_dir . '/.env')) {
     $dotenv->load();
     $dotenv->required(['WP_HOME', 'WP_SITEURL']);