[5.8] Revert "[5.8] Allow retrieving env variables with getenv" #27961
Conversation
|
I am strongly against Laravel calling putenv by default, as it will cause Laravel to leak environment variables to other websites on the server due non-threadsafety of that function. This will cause security problems for anyone who isn't familiar with the details of this, and hasn't cached the config, for whatever reason. It actually looks like this will be burning a lot of people, looking at the other issue that came up - lots of people are not caching config because they want the env variables populated! |
|
The arguments about breaking third party libraries are not valid in my opinion. The 3rd party library maintainers just need to be educated to not call functions that are not thread-safe, as explained by Sebastiaan Stok on Twitter. |
GrahamCampbell
changed the title
|
Note also, that worse than just variables leaking out of Laravel apps, variables can leak in to, since if anyone is using the inline variable syntax of phpenv, they will find that if another thread has set a variable, overiding the correct one, then the bad variable will be loaded, since the putenv adapter also calls getenv. |
|
Just left a comment here about this: #27949 (comment) and even though I still think this is the right way forward, it might be better to do this in a next release and provide people with enough time to update their libraries. |
|
FWIF, I'm with @GrahamCampbell here. The change is necessary, the breaking change was done on a point release, it was documented (and improved too since then) and I, too, think this should not have been reverted. Christ, @taylorotwell was on holiday; give the men (and every wo/men on vacation) some rest! 😄 |
|
If decided to revert, shouldn't we revert also c37702c ? By the way it's a bit problematic when we call this factory in 2 completely different places and when any change is made we forget to update second place. |
|
I'm impartial to whether this gets reverted or not, however, if this does get reverted I think it needs to be highlighted in the documentation how to handle this in a production environment without config caching (Lumen). As Sebastiaan Stok has highlighted it is recommended to use the $_ENV super variable over the getenv function, which is fine, but PHP's default production settings will not populate $_ENV. If changing PHP ini settings is required to get this to work in Lumen then it needs to be documented. I think we have to remember there is a vast skillset difference in the Laravel community and some users will need guiding with this kind of stuff 😄 |
|
Also, if this does get reverted, the change will need replicating in Lumen's environment bootstrapper and env helper. |
|
I originally opened #27958 because I thought it was an accidental change, but I do think that Laravel should default to calling The README of the dotenv project Laravel is using says this (Edit: it appears this section of the README was deleted after I wrote this):
If you are using a real environment variable in production, the variable is accessible with If I understand correctly the security risk of leaking environment variables would only be an issue if you were using shared hosting and using If Laravel needs to cater to users that can't safely use environment variables it should offer an alternative way to keep secrets instead of changing the way Regarding the risk of a rouge thread calling |
| @@ -643,7 +642,7 @@ function env($key, $default = null) | |||
| static $variables; | |||
|
|
|||
| if ($variables === null) { | |||
| $variables = (new DotenvFactory([new EnvConstAdapter, new PutEnvAdapter, new ServerConstAdapter]))->createImmutable(); | |||
| $variables = (new DotenvFactory([new EnvConstAdapter, new ServerConstAdapter]))->createImmutable(); | |||
There was a problem hiding this comment.
This same line of code is duplicated in LoadEnvironmentVariables.php. You would also need to revert c37702c.
|
I see myself agreeing with both arguments made in the PR and when questioning myself why the only answer I have is context. |
|
How do they do it without changing the core? |
|
Override the bootstrapper? |
|
Yeh, you can just define your own bootstapper, by extending the one from the core, and overring the method that makes a dotenv instance. That's why I made it it's own method. |
|
I agree with GrahamCampbell about this change. Calling some functions that interacts with environment variables directly in the source code will cause dangerous risks. |
|
If we revert this, how do we fix |
I don't see how that bug is related to the getenv function? |
|
@GrahamCampbell Restoring |
|
The reason this breaks the What happens when you run
If we don't use This doesn't just affect the serve command, it will affect any spawned process. If Laravel is affected by this I can only imagine there will be plenty of third party packages that run into the same issue. Anything using the Symfony Process component will not break because the Process component explicitly adds any environment variables from |
Even if we override that method it will not change how the Can we put |
|
We can't put it in the container, because it is instianated very early in the bootstrapping process, before any service providers are called. The correct way to override it is to set your own bootstrapper in your app' two kernel classes. |
|
Too big of a breaking change to be the default. Until a large number of other PHP libraries stop using |
|
The conclusion here seemed that libraries have to gradually move away from |
Reverts #27958. People can already configure their apps to do this, without changing the core.