-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a "Raw string" filter, Fix possible inconsistency between constants and environment variables in the generated cache #136
Conversation
This allows secret-like environment variables such as db passwords to contain special characters and not being escaped by previous `FILTER_STRING` filter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks!
src/Env/WordPressEnvBridge.php
Outdated
// For env loaded from file, dump the variable definition. | ||
$content .= "putenv('{$key}={$slashed}');\n"; | ||
$content .= "\$_ENV['{$key}'] = '{$slashed}';\n"; | ||
(strpos($key, 'HTTP_') !== 0) and $content .= "\$_SERVER['{$key}'] = '{$slashed}';\n\n"; | ||
$content .= "putenv('{$key}={$preparedValue}');\n"; | ||
$content .= "\$_ENV['{$key}'] = '{$preparedValue}';\n"; | ||
(strpos($key, 'HTTP_') !== 0) | ||
and $content .= "\$_SERVER['{$key}'] = '{$preparedValue}';\n\n"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This ss a different behavior than before.
Before the environment was never storing the "filtered" value. That was used only for PHP constant.
And the reason is that environemt is always expected to be a string, while filtered value could be a integer, a float, a boolean, etc.
By storing the prepared value in environment, you are going to change the original value. See https://3v4l.org/pfaoh
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for the explanation 🙏
So the situation is that for an env variable like: AUTH_COOKIE=BAD&Auth<Cookie
the generated cache is:
define('AUTH_COOKIE', 'BAD&Auth');
putenv('AUTH_COOKIE=BAD&Auth<Cookie');
$_ENV['AUTH_COOKIE'] = 'BAD&Auth<Cookie';
$_SERVER['AUTH_COOKIE'] = 'BAD&Auth<Cookie';
in which the values are not consistent, First question is that I'm not sure if this is expected? My assumption is that all values should be the same in the generated cache.
To get around this, does something like this on line 569 makes sense?
$preparedValue = $value !== $filtered && is_scalar($filtered)
? is_string($filtered) ? $filtered : var_export($filtered, true)
: $slashed;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As you can see, the issue is only for the constant define
.
So you need to change nothing in the lines I was was mentioning in the first comment. Because those lines refers to putenv
, $_ENV
, and $_SERVER
which do not need fixing.
So all your changes up to like 579 are fine, just leave anything blow that line alone, and it'll be fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit introducing this change reverted since the only real other changes before line 579 was using addslashes
instead of str_replace
which is out of scope of this PR.
…ated cache" This reverts commit dc86bff.
Description
This PR addresses two issues:
issue 1
For environment variables like DB_PASSWORD, a
FILTER_STRING
is applied which converts some special characters to HTML entities, this can cause issues for such environments likeDB_PASSWORD
or any other variable that needs to be kept in the same format.Because for example in the case of a password, if it contains a character like
&
or>
it will be converted to&
and>
and can lead to failed database connections.Issue 2The second issue is an inconsistency in the generated cached file (.env.cached.php
), where the generateddefine()
statement respects the filtered value, but the other 3putenv
,$_ENV
and$_SERVER
assignments do not put the filtered value.How has this been tested?
Tests modified to consider new changes.
Types of changes
What types of changes does your code introduce?
Bug fixes (non-breaking change which fixes an issue)
For Issue 1:
To fix this issue a new
FILTER_RAW_STRING
is introduced with minimal sanitization, and the filter is applied to some of WordPress core constants that makes sense having this filter, such asDB_PASSWORD
,LOGGED_IN_KEY
, etc.For issue 2:Fixed by using the filtered value also forputenv
,$_ENV
and$_SERVER
assignments, added tests to cover consistency problem.Checklist: