[5.7] Masking the content of .env on Whoops page #26947
Conversation
wilkinsocks
changed the title
|
Why do we need to mask the variables? Surely they are useful for debugging, to see if the correct configuration is there? |
|
@GrahamCampbell It's useful for some environments which are publicly exposed. An option to hide the sensitive data from being exposed. I wanted to integrate the package for our dev and stage environments but our dev ops guy isn't agreeing to install the package because the same data is exposed. |
|
I'll just plug my package here. Let's hope Whoops fix this behaviour some day... |
|
@xylonpsl I would not recommend using debug mode on any public facing website, or even an internal facing one accessible to anyone other than the developers. |
|
Perhaps instead look at integrating with error monitoring software like https://bugsnag.com/? |
|
@GrahamCampbell the debug mode is opt-out not opt-in. It shouldn't be the default behaviour to dump database credentials when visiting I find PrettyPageHandler really useful and want to keep using it. I have no issues with random people seeing my scripts. I just don't want the public to see my ENV variables. And I don't need them dumped in the error page either. I have never needed to look at those for any debugging. |
|
I closed this because when I considered it, it isn't actually required, and probably pointless for Laravel... 😅 On a production environment, run It should also be noted that you can actually mask these variables already, if you so required. See: https://stackoverflow.com/a/46407010 |
|
@wilkinsocks You were wrong to close this! You were right in your first post. This is an easy, and potentially devastating, gotcha. Especially for those new to Laravel. As evidenced by the frequency of this issue appearing online: https://stackoverflow.com/questions/46407009/how-to-hide-env-passwords-in-laravel-whoops-output I even came across a live website with this very issue. Ironic given the content: Not revealing a database password to the public relies on the dev never forgetting to set Even the included blacklist feature is flawed because it requires you to remember to manually add any new While Ignition doesn't have these problems, it just underlines how pointless it is to have it in Whoops display all the environment variables at all. Unfortunately I believe Whoops can still display in Laravel 8 in the right conditions? Even more of a reason for you to update this PR. |
(This PR is derived from: #21336 and laravel/ideas#1236)
In this PR, the variable names from the
.envfile are loaded in and passed to the Whoops handler blacklist, which prevents displaying any data such as: database credentials, service keys, etc. I feel like most of the content from the.envshould be hidden by default due to their nature.Each time a key/value is added to the
.envyou don't have to repeat the key in the app config blacklist. You actually have to repeat it twice currently, as it appears in$_ENVand$_SERVER.Adding
debug_env_blacklist = trueto the app config automatically hides all the variables — I thought opt-in would make more sense for 5.7.The previous
debug_blacklistconfig key has been retained to allow other variables not in the.envto be hidden. Additionally, adebug_whitelistfacility has been added to allow blacklist exceptions which overrides the functionality for that key.