Fixes #474 - Don't leak env values into $_SERVER

Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`.
roots · May 29, 2021 · 4bf21d7 · 4bf21d7
1 parent e940020
commit 4bf21d7
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/config/application.php b/config/application.php
@@ -29,7 +29,12 @@
  * Use Dotenv to set required environment variables and load .env file in root
  * .env.local will override .env if it exists
  */
-$dotenv = Dotenv\Dotenv::createUnsafeImmutable($root_dir, ['.env', '.env.local'], false);
+$repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
+ ->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
+ ->immutable()
+ ->make();
+
+$dotenv = Dotenv\Dotenv::create($repository, $root_dir, ['.env', '.env.local'], false);
 if (file_exists($root_dir . '/.env')) {
  $dotenv->load();
  $dotenv->required(['WP_HOME', 'WP_SITEURL']);