Add a "Raw string" filter, Fix possible inconsistency between constants and environment variables in the generated cache #136
Conversation
This allows secret-like environment variables such as db passwords to contain special characters and not being escaped by previous `FILTER_STRING` filter.
src/Env/WordPressEnvBridge.php
Outdated
| // For env loaded from file, dump the variable definition. | ||
| $content .= "putenv('{$key}={$slashed}');\n"; | ||
| $content .= "\$_ENV['{$key}'] = '{$slashed}';\n"; | ||
| (strpos($key, 'HTTP_') !== 0) and $content .= "\$_SERVER['{$key}'] = '{$slashed}';\n\n"; | ||
| $content .= "putenv('{$key}={$preparedValue}');\n"; | ||
| $content .= "\$_ENV['{$key}'] = '{$preparedValue}';\n"; | ||
| (strpos($key, 'HTTP_') !== 0) | ||
| and $content .= "\$_SERVER['{$key}'] = '{$preparedValue}';\n\n"; |
There was a problem hiding this comment.
This ss a different behavior than before.
Before the environment was never storing the "filtered" value. That was used only for PHP constant.
And the reason is that environemt is always expected to be a string, while filtered value could be a integer, a float, a boolean, etc.
By storing the prepared value in environment, you are going to change the original value. See https://3v4l.org/pfaoh
There was a problem hiding this comment.
Thanks a lot for the explanation 🙏
So the situation is that for an env variable like: AUTH_COOKIE=BAD&Auth<Cookie
the generated cache is:
define('AUTH_COOKIE', 'BAD&Auth');
putenv('AUTH_COOKIE=BAD&Auth<Cookie');
$_ENV['AUTH_COOKIE'] = 'BAD&Auth<Cookie';
$_SERVER['AUTH_COOKIE'] = 'BAD&Auth<Cookie';in which the values are not consistent, First question is that I'm not sure if this is expected? My assumption is that all values should be the same in the generated cache.
To get around this, does something like this on line 569 makes sense?
$preparedValue = $value !== $filtered && is_scalar($filtered)
? is_string($filtered) ? $filtered : var_export($filtered, true)
: $slashed;There was a problem hiding this comment.
As you can see, the issue is only for the constant define.
So you need to change nothing in the lines I was was mentioning in the first comment. Because those lines refers to putenv, $_ENV, and $_SERVER which do not need fixing.
So all your changes up to like 579 are fine, just leave anything blow that line alone, and it'll be fine.
There was a problem hiding this comment.
The commit introducing this change reverted since the only real other changes before line 579 was using addslashes instead of str_replace which is out of scope of this PR.
…ated cache" This reverts commit dc86bff.
Description
This PR addresses two issues:
issue 1
For environment variables like DB_PASSWORD, a
FILTER_STRINGis applied which converts some special characters to HTML entities, this can cause issues for such environments likeDB_PASSWORDor any other variable that needs to be kept in the same format.Because for example in the case of a password, if it contains a character like
&or>it will be converted to&and>and can lead to failed database connections.Issue 2The second issue is an inconsistency in the generated cached file (.env.cached.php), where the generateddefine()statement respects the filtered value, but the other 3putenv,$_ENVand$_SERVERassignments do not put the filtered value.How has this been tested?
Tests modified to consider new changes.
Types of changes
What types of changes does your code introduce?
Bug fixes (non-breaking change which fixes an issue)
For Issue 1:
To fix this issue a new
FILTER_RAW_STRINGis introduced with minimal sanitization, and the filter is applied to some of WordPress core constants that makes sense having this filter, such asDB_PASSWORD,LOGGED_IN_KEY, etc.For issue 2:Fixed by using the filtered value also forputenv,$_ENVand$_SERVERassignments, added tests to cover consistency problem.Checklist: