Fixes #474 - Don't leak env values into $_SERVER #598
base: master
Conversation
Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`.
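The approach the PR description outlines, as an added example that is not code from this PR or from the bedrock project: it builds a phpdotenv 5 repository from `RepositoryBuilder::createWithNoAdapters()` with only `EnvConstAdapter` and `PutenvAdapter`, loads a constructed `.env` from a temporary directory, and then checks that the values reached `$_ENV` and `getenv()` but not `$_SERVER`. The temp-directory fixture, the `.env` contents, the helper `keys_leaked_into_server()` and the Composer autoload path are all assumptions made for this example; the phpdotenv calls are the library's public API as of v5.

```php
<?php
// Added example (not part of the roots/bedrock PR): build a Dotenv repository that
// writes to $_ENV and putenv() only, never $_SERVER, and verify the result.
// Assumes PHP 7.4+ and vlucas/phpdotenv ^5 installed via Composer (vendor/autoload.php).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Dotenv\Dotenv;
use Dotenv\Repository\RepositoryBuilder;
use Dotenv\Repository\Adapter\EnvConstAdapter;
use Dotenv\Repository\Adapter\PutenvAdapter;

// Constructed fixture: a throwaway project root with a .env holding a fake secret,
// so the script runs stand-alone without touching a real deployment.
$root_dir = sys_get_temp_dir() . '/dotenv-example-' . getmypid();
mkdir($root_dir, 0700);
file_put_contents($root_dir . '/.env', "DB_PASSWORD='hunter2'\nWP_HOME='https://example.test'\n");

// Start with no adapters, then add only the two destinations we want:
//   EnvConstAdapter -> $_ENV, PutenvAdapter -> putenv()/getenv().
// ServerConstAdapter is deliberately omitted, so $_SERVER is never populated.
// immutable() keeps the same semantics as createUnsafeImmutable(): variables that
// already exist in the real environment are not overwritten by the .env file.
$repository = RepositoryBuilder::createWithNoAdapters()
    ->addAdapter(EnvConstAdapter::class)
    ->addAdapter(PutenvAdapter::class)
    ->immutable()
    ->make();

// Dotenv::create() takes the custom repository; shortCircuit=false loads every
// listed file rather than stopping at the first one found.
$dotenv = Dotenv::create($repository, $root_dir, ['.env', '.env.local'], false);
$dotenv->safeLoad();
$dotenv->required('DB_PASSWORD')->notEmpty();

/**
 * Hypothetical helper for this example: returns the names from $keys that are
 * present in $_SERVER. Run it before handing $_SERVER to a logger or APM agent;
 * a non-empty result means .env secrets would go out with the dump.
 */
function keys_leaked_into_server(array $keys): array
{
    return array_values(array_filter(
        $keys,
        fn (string $k): bool => array_key_exists($k, $_SERVER)
    ));
}

$leaked = keys_leaked_into_server(['DB_PASSWORD', 'WP_HOME']);
printf("\$_ENV['DB_PASSWORD'] set: %s\n", isset($_ENV['DB_PASSWORD']) ? 'yes' : 'no');
printf("getenv('DB_PASSWORD') set: %s\n", getenv('DB_PASSWORD') !== false ? 'yes' : 'no');
printf("leaked into \$_SERVER: %s\n", $leaked === [] ? 'none' : implode(', ', $leaked));

// Remove the constructed fixture.
unlink($root_dir . '/.env');
rmdir($root_dir);
```

Two caveats when applying this to a real project. First, leaving out `ServerConstAdapter` only stops phpdotenv from writing to `$_SERVER`; anything the web server or FPM pool already injected there (for example via `SetEnv` or `env[...]`) is unaffected and still needs its own review before `$_SERVER` is logged. Second, any code that reads configuration as `$_SERVER['DB_PASSWORD']` instead of `$_ENV['DB_PASSWORD']`, `getenv()` or a config helper will start seeing null, which is the breaking change the PR description warns about.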
Force-pushed from 4bf21d7 to c68c908.
```php
$dotenv = Dotenv\Dotenv::createUnsafeImmutable($root_dir, ['.env', '.env.local'], false);
$repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
    ->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
    ->addAdapter(Dotenv\Repository\Adapter\PutenvAdapter::class)
```
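Review bot: as shown, the `$dotenv = Dotenv\Dotenv::createUnsafeImmutable(...)` line is still present next to the new `$repository` builder, and nothing in these lines passes `$repository` to `Dotenv` or closes the builder chain with `->make()`. `createUnsafeImmutable()` builds its own repository with the library's default adapters, which the PR description says include `ServerConstAdapter`, so if that line survives the change `$_SERVER` is still populated and the custom repository is unused. If the first line is the one being removed and the chain continues below the snippet, ignore this; otherwise the wiring should end in something like `->immutable()->make();` followed by `$dotenv = Dotenv\Dotenv::create($repository, $root_dir, ['.env', '.env.local'], false);`. Separately, the PR description says the custom repository "only includes `EnvConstAdapter`", but this hunk also adds `PutenvAdapter`; please update the description so it matches what is registered.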
@QWp6t needed this as well to mirror the default behaviour and get everything working
Is this still necessary to fix #474?
@montchr I think so! Thanks for the bump, I think this just got forgotten about 😅 will get this rebased and hopefully reviewed soon cc @QWp6t @tangrufus
Given that this package doesn't have an upgrade path because it's a boilerplate, I wouldn't worry about breaking changes
merge?
Note: this could be a breaking change for some users, but we at least need to ensure it's not breaking in the normal case.