BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

.env file shows db user as cleartext #5150

Closed LindwehrFabian closed 3 months ago

LindwehrFabian commented 3 months ago

Attempted Debugging

Searched GitHub Issues

Describe the Scenario

Hello, is it somehow possible to not show the db users username/password as cleartext in the .env file?

Thanks already everyone!

Greetings Fabian

Exact BookStack Version

v24.05.3

Log Content

No response

Hosting Environment

XAMPP 3.3.0 MySQL Apache

ssddanbrown commented 3 months ago

Hi @LindwehrFabian, we don't support other methods (like encryption or remote stores) to define these values. BookStack will take the same-named options from the environment though, so if you can instead set environment variables for the apache/php process, that could be used instead of being defined in the .env.

Zverik commented 3 months ago

It's a common practice to store passwords as cleartext on the server, provided the configuration file is not publicly accessible. Otherwise a hacker has access to the entire server contents, and it doesn't matter whether they got the password from that file.

LindwehrFabian commented 3 months ago

> It's a common practice to store passwords as cleartext on the server, provided the configuration file is not publicly accessible. Otherwise a hacker has access to the entire server contents, and it doesn't matter whether they got the password from that file.

I didn't actually know that, thank you very much for the information :) And thinking about it, you're absolutely right haha :)
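
The condition stated in the thread ("provided the configuration file is not publicly accessible") can be checked mechanically. The following is an added example, not code from BookStack or from any commenter; it assumes the usual layout where the web server's document root is a `public` folder beside `.env`, and uses BookStack's `DB_USERNAME` and `DB_PASSWORD` option names. The paths and values in the demo are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# BookStack's .env option names for the database user and password.
SECRET_KEYS = ("DB_USERNAME", "DB_PASSWORD")


def audit_env_file(env_path, docroot):
    """Check whether a cleartext .env is reachable by anyone but the app itself.

    Returns {"secrets": [...], "problems": [...]}; an empty problems list means
    the file meets the "not publicly accessible" condition checked here.
    """
    env_path, docroot = Path(env_path).resolve(), Path(docroot).resolve()
    problems = []

    # A file under the web server's document root can be requested over HTTP.
    if env_path.is_relative_to(docroot):
        problems.append("inside-docroot")

    # POSIX only: other local accounts should not be able to read or edit it.
    if os.name == "posix":
        mode = stat.S_IMODE(env_path.stat().st_mode)
        if mode & stat.S_IROTH:
            problems.append("world-readable")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable-by-group-or-other")

    # List which secret options the file defines, without printing their values.
    secrets = []
    for line in env_path.read_text().splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in SECRET_KEYS and value.strip():
            secrets.append(key.strip())
    return {"secrets": secrets, "problems": problems}


if __name__ == "__main__":
    # Constructed layout: app/.env beside app/public (the document root).
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp, "app", "public")
        docroot.mkdir(parents=True)
        env = Path(tmp, "app", ".env")
        env.write_text("DB_USERNAME=bookstack\nDB_PASSWORD=constructed-value\n")
        os.chmod(env, 0o600)
        print(audit_env_file(env, docroot))
```

The permission-bit checks are skipped on Windows, where file access is governed by ACLs rather than POSIX mode bits; the document-root check applies on both.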