.env security


Pieterjan posted 5 days ago

I really like Laravel. I've built an open-source project based on Laravel. Yesterday, I got an email from a visitor with a very, very disturbing message.

He told me he visited a page on my website, and probably due to modifications I was making, he got an error. Since I was changing the code of my site, I had APP_DEBUG set to true, which causes the WhoopsHandler to render the response.

Apparently, the default setting in Laravel is set to spit out ALL ENVIRONMENT VARIABLES on the whoops-page.

So here's the thing: If a developer can only afford 1 server setup (because otherwise he must update 2 environments all the time, whenever the PHP version or the Laravel version updates), and he forgets to set APP_DEBUG back to false, all passwords, usernames and other secrets are by default publicly accessible to EVERYBODY.

Security should be a big thing for framework builders. Outputting all passwords and other secrets on a webpage in ANY FASHION is very, very against the basic rules.

I can understand that there's a teeny-tiny punchbowl of developers who are lazy and don't want to open up their environment file to check out their SQL password. But the 95% of developers who think security is very important should not be set back for the 5% lazy people who are too lazy to check out the location of their .env file and see what's in it.

I can see that since Laravel 5.5.13 there's a new "feature" that allows you to obscure some of these variables, but IN ANY WAY it should not be a default setting to blindly output all environment variables when an error occurs. Not even when APP_DEBUG is set to true. This is absolutely UNACCEPTABLE.

Let the developer just open the file, it's super-duper-easy.

After all, in normal circumstances you only need to consult the .env file twice in the lifetime of your project.

Looking forward to your reaction

Tobias van Beek replied 5 days ago

The developer should have explicitly set debug to true to have it displayed; the default is false. See: https://github.com/laravel/laravel/blob/master/config/app.php#L42

So by default it is safe, and only if you change it can you expose this. For me that makes a big difference.

The debug option is to help you with debugging, then you sometimes need to have the environment variables. But if correct you never use this in production.

Pieterjan replied 5 days ago

The fact that you only THINK about putting secret variables in an HTTP response IN ANY WAY suggests you don't place a high priority on security.

It shouldn't even be this way by default. You don't even warn developers that secret passwords are exposed on the WhoopsPage.

You really can't expect a small organisation to set up 2 environments. 2 environments to update Linux, Apache, PHP5-7-7.2-7.3..., mysql-server, and so on and so on.

If someone wants to know the environment variables he just needs to open the damn file. It's even easier than opening the electric lock of your car.

I'm not mad, I just think this is a wrong default configuration that leads to pwnage when server admins overlook just 1 teeny-tiny setting. I hope sincerely that this will be changed in future releases.

When developers read that this is only just possible, it would be enough to drive them right into the arms of Microsoft with ASP.NET. It would be a shame since Laravel is way, way more performant than ASP.NET.

Tobias van Beek replied 5 days ago

It isn't by default. By default it doesn't show the environment variables. And you are warned about it, see: https://laravel.com/docs/5.7/errors#configuration

I'm not mad, I just think this is a wrong default configuration that leads to pwnage when server admins overlook just 1 teeny-tiny setting. I hope sincerely that this will be changed in future releases.

It isn't a tiny setting to overlook. It is a tiny setting that doesn't need to change. A server admin that changes the default without knowing is someone I don't want to have.

For me this is the same as using the debugbar and complaining that you see it in production. If you change the config without knowing what you do you shouldn't be allowed to change the config.
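As an added example (not code from this thread, and not the framework's own `config/app.php`), here is what the two settings under discussion look like in the Laravel 5.7 series that Tobias links to: `debug` falls back to `false` when `APP_DEBUG` is absent from `.env`, and `debug_blacklist` (the option added in 5.5.13 that Pieterjan mentions) removes named keys from the `$_ENV`, `$_SERVER` and `$_POST` dumps rendered on the Whoops page, so a forgotten `APP_DEBUG=true` no longer prints the database password. The key names listed under the blacklist are assumed for illustration; a real list should name every secret the application reads from its environment.

```php
<?php
// config/app.php (excerpt, Laravel 5.7 series). Added example, not the framework's file.

return [
    // 'debug' reads APP_DEBUG from .env. The second argument is the fallback
    // used when the variable is missing, so a fresh deploy that never sets
    // APP_DEBUG shows the generic error page rather than the Whoops page.
    'debug' => env('APP_DEBUG', false),

    // Keys listed here are redacted from the superglobal dumps that the
    // Whoops page renders while debug is true. This limits the damage of a
    // debug page accidentally left on; it does not make enabling debug in
    // production acceptable. (Key names below are illustrative.)
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
        ],
        '_POST' => [
            'password',
            'password_confirmation',
        ],
    ],
];
```

One caveat when checking whether the fix actually took effect: if the configuration has been cached with `php artisan config:cache`, the cached values win over `.env`, so flipping `APP_DEBUG` back to `false` in `.env` does nothing until the cache is rebuilt with the same command.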

Nick Abousselam replied 3 days ago

You really can't expect a small organisation to set up 2 environments. 2 environments to update Linux, Apache, PHP5-7-7.2-7.3..., mysql-server, and so on and so on.

With respect, it's the least you can expect from any responsible developer to restrict debugging to a non-prod environment, for instance Homestead, which takes minutes to set up. There shouldn't ever be an excuse for enabling debug on your prod server, even if it's for a few minutes. Consider that you might expose vulnerabilities in your code that could be exploited by a hacker and lead to an even greater security breach!

Pieterjan replied 3 days ago

I have been using homestead for a while. But some features you want to add to your site aren't possible in homestead/vagrantbox.
