Open kupoback opened 4 years ago
Update 2020-08-11:
Current syntax looks like this:
$repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
    ->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
    ->immutable()
    ->make();
$dotenv = Dotenv\Dotenv::create($repository, $root_dir);
2019-10-19:
Looks like it would be a pretty straightforward change if we care to do this.
/**
* Expose global env() function from oscarotero/env
*/
Env::init();
/**
* Use Dotenv to set required environment variables and load .env file in root
*/
-$dotenv = Dotenv\Dotenv::create($root_dir);
+$dotenv = Dotenv\Dotenv::create($root_dir, null, new Dotenv\Environment\DotenvFactory([
+ new Dotenv\Environment\Adapter\PutenvAdapter(),
+]));
if (file_exists($root_dir . '/.env')) {
$dotenv->load();
$dotenv->required(['WP_HOME', 'WP_SITEURL']);
if (!env('DATABASE_URL')) {
$dotenv->required(['DB_NAME', 'DB_USER', 'DB_PASSWORD']);
}
}
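Review bot: The added `create()` call passes a bare `null` and a factory holding only `PutenvAdapter`, with no comment saying that the single adapter is deliberate. Without one, a later edit could go back to the plain `create($root_dir)` form that this issue reports as exposing values through `$_SERVER`. Suggest a short comment above the call stating the intent, and a check that the `env('DATABASE_URL')` lookup and the `required()` calls further down still resolve when putenv is the only adapter registered.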
Would this also do it for the WP Salts?
+1 can also confirm when running php -i, the credentials are also shown.
Tested suggested fix and it removed the SALTS from showing as well.
Any Updates on this serious issue?
There’s code a couple comments up if you want to test it https://github.com/roots/bedrock/issues/474#issuecomment-544714647
The above does work, but it should be a change merged into the repo for those that are cloning this for projects. This way they don't have to make a note to copy this solution each time.
Well we need a PR with this change 😄
@QWp6t want to do the honours?
Are you all planning on closing solved issues?
@SandiyosDev Before you accuse the maintainers of negligence, I would suggest you verify the truthfulness of your accusation. The issue will be closed automatically once the fix is merged.
I would also recommend reading this page:
Description
When working on a site, I noticed that if I was to error_log() the $_SERVER variable that the following additional items would be available (name/user/password removed for bug report):
Steps to reproduce
var_dump() or error_log() the $_SERVER var
Expected behavior: These sensitive data shouldn't be available via that variable
Actual behavior: These sensitive data shouldn't be able to output
Reproduces how often: 100%
Versions
Bedrock Install: 1.12.8: 2019-09-05
macOS: 10.14.6
laravel/valet 2.3.3
Additional information
Basic Sage 9 with Bedrock install on local.
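A check for the exposure reported in this issue, as an added example that is not code from the thread or from Bedrock: it reports where each named variable is visible inside PHP and exits non-zero if any of them appears in `$_SERVER`. The variable names are the ones the thread's snippet requires; the function name `find_exposed_secrets` and all values are constructed for illustration.

```php
<?php
// Added example: locate named secrets inside the PHP runtime.
// Names come from the thread; every value below is constructed.

/**
 * For each name, list the places that expose it.
 * Only location labels are returned, never the values themselves.
 */
function find_exposed_secrets(array $names): array
{
    $report = [];
    foreach ($names as $name) {
        $where = [];
        if (array_key_exists($name, $_SERVER)) {
            $where[] = '$_SERVER';
        }
        if (array_key_exists($name, $_ENV)) {
            $where[] = '$_ENV';
        }
        if (getenv($name) !== false) {
            $where[] = 'getenv()';
        }
        $report[$name] = $where;
    }
    return $report;
}

// Constructed state: DB_PASSWORD written to all three places,
// DB_USER set through putenv() only.
$_SERVER['DB_PASSWORD'] = 'constructed-value';
$_ENV['DB_PASSWORD']    = 'constructed-value';
putenv('DB_PASSWORD=constructed-value');
putenv('DB_USER=constructed-user');

$failed = false;
foreach (find_exposed_secrets(['DB_NAME', 'DB_USER', 'DB_PASSWORD']) as $name => $where) {
    printf("%-12s %s\n", $name, $where ? implode(', ', $where) : 'not set');
    // The issue is about var_dump()/error_log() of $_SERVER, so that is the finding.
    if (in_array('$_SERVER', $where, true)) {
        $failed = true;
    }
}
exit($failed ? 1 : 0);
```

In a real project, drop the constructed assignments and call the function after the `.env` file has been loaded.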