$_SERVER should not have .env file info #3615

nyufeng · 2020-09-07T09:53:50Z

Lines 151 to 154 in 473a8f5

    
           if (empty($_SERVER[$name])) 
        
           { 
        
           	$_SERVER[$name] = $value; 
        
           }

Usually, we set the database password in the .env file, the security encryption string.
If $_SERVER have this info. It will become unsafe.
If the programmer forgets to delete the debugging information, the information will be exposed.

example:

michalsn · 2020-09-07T18:24:01Z

I'm not sure if I'm following - do we store $_SERVER variables somewhere automatically? What debugging options do you have in mind?

nyufeng · 2020-09-08T01:10:11Z

@michalsn
I mean, $_SERVER should not contain .env information.
.env often contains sensitive information.
If the system has some vulnerabilities, only need to print $_SERVER, important information such as database password will be exposed.

michalsn · 2020-09-08T14:18:41Z

These are environment variables so they should be set to $_SERVER too. If we stop setting these variables into $_SERVER it will introduce a BC change. Also, I don't really understand what type of vulnerabilities you're talking about.

Debugging with helper functions such as d() or dd() doesn't work in production. So if you somehow forgot to remove this type of call from your code, you will still be safe.

nyufeng closed this as completed Sep 9, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

$_SERVER should not have .env file info #3615

$_SERVER should not have .env file info #3615

nyufeng commented Sep 7, 2020

michalsn commented Sep 7, 2020

nyufeng commented Sep 8, 2020

michalsn commented Sep 8, 2020

$_SERVER should not have .env file info #3615

$_SERVER should not have .env file info #3615

Comments

nyufeng commented Sep 7, 2020

michalsn commented Sep 7, 2020

nyufeng commented Sep 8, 2020

michalsn commented Sep 8, 2020