Support the ongoing development of Laravel.io →
stoianalexandru
posted 5 years ago
Security
Last updated 1 year ago.
0
dynamogeek
replied 5 years ago

Did they provide more information? I see no inherent issue with building a URL from a .env file. It's not really different than storing your secret keys and similar things in the .env. It's much better than storing it directly in the code. If someone has enough access to your server to get into your .env, you're pretty boned already.

If they can provide an example of what kind of risk the asset method and .env present, we can probably get it figured out. But if they're just going to make vague statements like "SECURITY RISK OMG!" I'm not sure what help they are, or what help we can be to them.

0
stoianalexandru
replied 5 years ago

Hello Justin thx for the response, After asking some more i got a message related to the the problem being DNS injection, since the asset (I needed to dig deep)ends up getting the base URL via $servers['server_name'] (request()->getBaseUrl() or $this->getBaseUrl() in the Request:class) I still don't know if its that big of a security risk.

0
dynamogeek
replied 5 years ago

I'm still having a bit of trouble following what exactly they're having trouble with.

Having looked into it, I do see now that web requests don't load the URL from a file. Laravel is getting all parts of it from the $_SERVER super global. However, when you're trying to get a URL to be displayed in the user's browser, it seems very appropriate to use the web address they say they're viewing. asset() isn't meant to be used for finding web addresses to load items onto the server. It's meant to be used to get paths for things like stlyesheets, images, and javascript files.

I'm not sure how they're using the term "DNS injection" (it doesn't fit my understanding of what that term means), but unless you're using asset() to just find a file you plan to actually do something with (call an unescaped shell_exec on, perhaps...), I'm still not understanding what they're getting at.

Did they provide an example of code they feel is exploitable? I'm not, personally, convinced that this is a vulnerability by itself. You can use asset() to cause a vulnerability, but you can do that with PHP, or an unsecured server room.

0

Sign in to participate in this thread!

Eventy

Your banner here too?

Alexandru stoianalexandru Joined 9 Nov 2018

Moderators

We'd like to thank these amazing companies for supporting us

Eventy
Fathom
Forge
Envoyer
Beyond Code
Skynet Technologies
Steadfast Collective
BairesDev
Remotely Works

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X Twitter GitHub

The community

Laravel Laravel Laravel News Laravel News
Laracasts Laracasts Laravel Podcast Laravel Podcast
© 2024 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise