craftcms / craft

Composer starter project for Craft CMS.
https://craftcms.com
BSD Zero Clause License
187 stars 91 forks

Don't expose .env variables to $_SERVER #55

leevigraham closed 4 years ago

leevigraham commented 4 years ago

This PR only sets .env variables using putenv() and does not set them on $_SERVER, which could be considered a security issue if $_SERVER vars were leaked in logs, etc.

brandonkelly commented 4 years ago

Ooh nice, didn’t realize that was possible.

brandonkelly commented 4 years ago

This change broke the autosuggest inputs in the control panel, which are populated with all the $_ENV values. So have reverted it.

leevigraham commented 4 years ago

Looping over get_env() could be an option… I'll have a play with my 3.5 beta install.
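The trade-off discussed in this thread, as an added example that is not code from the PR or from Craft: values exported only with `putenv()` stay out of `$_SERVER` and `$_ENV` (so a dump of either superglobal does not carry them), while PHP's argument-less `getenv()` still enumerates them. The loader function, variable names and values are constructed for illustration.

```php
<?php
// Added example. loadWithPutenvOnly() is a hypothetical helper, not Craft's
// or any dotenv library's API. The .env content below is constructed.
$dotenv = <<<'DOTENV'
# constructed sample values
EXAMPLE_DB_PASSWORD=example-secret
EXAMPLE_SECURITY_KEY="example-key"
DOTENV;

/** Parse KEY=VALUE lines and export them to the process environment only. */
function loadWithPutenvOnly(string $contents): array
{
    $names = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue; // skip blanks, comments and malformed lines
        }
        [$name, $value] = explode('=', $line, 2);
        $name  = trim($name);
        $value = trim(trim($value), "\"'"); // drop surrounding quotes
        putenv("$name=$value");             // no write to $_ENV or $_SERVER
        $names[] = $name;
    }
    return $names;
}

$names = loadWithPutenvOnly($dotenv);

// 1. The values are readable by name, but absent from both superglobals.
foreach ($names as $name) {
    printf(
        "%-22s getenv=%-5s \$_ENV=%-5s \$_SERVER=%s\n",
        $name,
        var_export(getenv($name) !== false, true),
        var_export(isset($_ENV[$name]), true),
        var_export(isset($_SERVER[$name]), true)
    );
}

// 2. A debug dump of $_SERVER (the leak scenario from the PR) has no secret.
$dump = json_encode($_SERVER, JSON_PARTIAL_OUTPUT_ON_ERROR);
echo 'secret in $_SERVER dump: ',
    var_export(strpos((string) $dump, 'example-secret') !== false, true), "\n";

// 3. Code that enumerates $_ENV finds nothing; getenv() with no argument
//    (PHP 7.1+) returns every process variable, including the ones set above.
$fromEnv    = array_intersect($names, array_keys($_ENV));
$fromGetenv = array_intersect($names, array_keys(getenv()));
echo 'names via $_ENV:    ', implode(', ', $fromEnv) ?: '(none)', "\n";
echo 'names via getenv(): ', implode(', ', $fromGetenv), "\n";
```

Run from the CLI with `php example.php`; the two `EXAMPLE_` names appear only in the `getenv()` listing.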