From 4bf21d7609753cb5499b24169c2d452b8d5572c6 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Fri, 28 May 2021 23:24:27 -0400
Subject: [PATCH] Fixes #474 - Don't leak env values into $_SERVER

Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`.
---
 config/application.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/application.php b/config/application.php
index d5d74acc3d..7a445fd329 100644
--- a/config/application.php
+++ b/config/application.php
@@ -29,7 +29,12 @@
 * Use Dotenv to set required environment variables and load .env file in root
 * .env.local will override .env if it exists
 */
-$dotenv = Dotenv\Dotenv::createUnsafeImmutable($root_dir, ['.env', '.env.local'], false);
+$repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
+ ->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
+ ->immutable()
+ ->make();
+
+$dotenv = Dotenv\Dotenv::create($repository, $root_dir, ['.env', '.env.local'], false);
 if (file_exists($root_dir . '/.env')) {
 $dotenv->load();
 $dotenv->required(['WP_HOME', 'WP_SITEURL']);
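Review bot: Replacing `createUnsafeImmutable` with a repository that holds only `EnvConstAdapter` has a second effect the hunk does not record: if I read phpdotenv's factories correctly, the "unsafe" variant also registered a putenv adapter, so after this change `getenv()` no longer returns values loaded from `.env`, not just `$_SERVER`. Any code that reads `getenv('…')` rather than `$_ENV` (or an `env()` helper that falls back to `$_ENV`) would now silently get `false`, which is worth checking outside this hunk before merging. The intent and the trade-off deserve a comment above the new `$repository` line, for example `// Populate only $_ENV: $_SERVER is commonly dumped into logs and monitoring, so .env secrets are kept out of it. Values are not exported via putenv(), so getenv() will not see them.`. The `if (file_exists(...))` block that follows continues past the end of the hunk.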