Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #474 - Don't leak env values into $_SERVER #598

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fixes #474 - Don't leak env values into $_SERVER #598

wants to merge 1 commit into from

Conversation

swalkinshaw
Copy link
Member

Updates to using a custom repository for Dotenv instead of the default which includes ServerConstAdapter.

The new custom repository only includes EnvConstAdapter.

The $_SERVER superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in .env.

Note: this could be a breaking change for some users, but we at least need to ensure it's not breaking in the normal case.

@swalkinshaw swalkinshaw requested a review from QWp6t May 29, 2021 03:29
@swalkinshaw
Fixes #474 - Don't leak env values into $_SERVER
c68c908 
Updates to using a custom repository for `Dotenv` instead of the default
which includes `ServerConstAdapter`.

The new custom repository *only* includes `EnvConstAdapter`.

The `$_SERVER` superglobal often gets dumped into logs or into
monitoring services so it's better for security to avoid populating it
with secrets contained in `.env`.
@swalkinshaw swalkinshaw force-pushed the dont-load-env-values-into-server-superglobal branch from 4bf21d7 to c68c908 Compare May 29, 2021 03:39
swalkinshaw
swalkinshaw commented May 29, 2021
View reviewed changes
config/application.php
$dotenv = Dotenv\Dotenv::createUnsafeImmutable($root_dir, ['.env', '.env.local'], false);
$repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
->addAdapter(Dotenv\Repository\Adapter\PutenvAdapter::class)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@QWp6t needed this as well to mirror the default behaviour and get everything working

@austinpray austinpray self-requested a review June 10, 2021 00:59
@swalkinshaw swalkinshaw mentioned this pull request Oct 28, 2021
Merged
@montchr montchr mentioned this pull request Sep 18, 2024
Open
4 tasks
@montchr
Copy link

montchr commented Sep 18, 2024

Is this still necessary to fix #474?

@retlehs
Copy link
Member

retlehs commented Sep 21, 2024

@montchr I think so! Thanks for the bump, I think this just got forgotten about 😅 will get this rebased and hopefully reviewed soon

cc @QWp6t @tangrufus

@retlehs retlehs removed the request for review from austinpray September 21, 2024 17:48
@Tofandel
Copy link

Note: this could be a breaking change for some users, but we at least need to ensure it's not breaking in the normal case.

Given that this package doesn't have an upgrade path because it's a boilerplate, I wouldn't worry about breaking changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@QWp6t QWp6t Awaiting requested review from QWp6t

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@swalkinshaw @montchr @retlehs @Tofandel