Description
This PR addresses two issues:
Issue 1
For environment variables like DB_PASSWORD, a FILTER_STRING is applied which converts some special characters to HTML entities. This can cause issues for environment variables like DB_PASSWORD or any other variable that needs to be kept in the same format.
For example, in the case of a password, if it contains a character like & or >, it will be converted to &amp; and &gt;, which can lead to failed database connections.
~Issue 2~
~The second issue is an inconsistency in the generated cached file (.env.cached.php), where the generated define() statement respects the filtered value, but the other 3 putenv, $_ENV and $_SERVER assignments do not put the filtered value.~
How has this been tested?
Tests modified to consider new changes.
Types of changes
What types of changes does your code introduce?
Bug fixes (non-breaking change which fixes an issue)
For Issue 1:
To fix this issue, a new FILTER_RAW_STRING is introduced with minimal sanitization, and the filter is applied to some of the WordPress core constants for which this filter makes sense, such as DB_PASSWORD, LOGGED_IN_KEY, etc.
~For issue 2:~
~Fixed by using the filtered value also for putenv, $_ENV and $_SERVER assignments, added tests to cover consistency problem.~
Checklist:
[x] My code is tested
[x] My code follows the project code style
[ ] My code has documentation (for new features or changed behavior)
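
The failure described under Issue 1, shown as an added example that is not code from the PR or from the project: it reports which variables an entity-encoding filter would silently change, without printing the secret values. Both filter functions are hypothetical stand-ins; htmlspecialchars() models the entity conversion, and stripping NUL bytes is an assumed reading of "minimal sanitization".

```php
<?php
declare(strict_types=1);

// Stand-in for the entity-encoding behaviour described for FILTER_STRING
// (assumption: not the project's actual implementation).
function entityEncodingFilter(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for a raw filter with minimal sanitization (assumption: only NUL
// bytes are removed; the PR text does not spell out the exact rules).
function rawStringFilter(string $value): string
{
    return str_replace("\0", '', $value);
}

// Return the variables a filter would alter, with byte lengths only,
// so secrets never end up in logs or CI output.
function findAlteredVars(array $env, callable $filter): array
{
    $altered = [];
    foreach ($env as $name => $value) {
        $original = (string) $value;
        $filtered = $filter($original);
        if (!hash_equals($original, $filtered)) {
            $altered[$name] = ['before' => strlen($original), 'after' => strlen($filtered)];
        }
    }
    return $altered;
}

// Constructed sample values, not real credentials.
$env = [
    'DB_NAME'       => 'wordpress',
    'DB_PASSWORD'   => 'p&ss>w0rd"1',
    'LOGGED_IN_KEY' => "k<'9&Zq",
];

foreach (['entityEncodingFilter', 'rawStringFilter'] as $filter) {
    $altered = findAlteredVars($env, $filter);
    printf("%s alters %d variable(s)\n", $filter, count($altered));
    foreach ($altered as $name => $len) {
        printf("  %s: %d -> %d bytes\n", $name, $len['before'], $len['after']);
    }
}
```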