Putenv exploit

Hello,

I have a problem with shared hosting providers to enable putenv function for me, they say it is a great security threat. I guess they might be right? See this for example.

I have removed the putenv function from disabled_functions on my own virutal server, but now I’m a little scared about the security issues.

Is it somehow possible to run the bedrock without the need of putenv enabled? It is part of this composer package.

Bedrock uses Dotenv::createUnsafeImmutable which uses putenv under the hood.

Do you mind investigate what are the potential issues of switching to Dotenv::createImmutable send PRs?

See:

• https://github.com/vlucas/phpdotenv#putenv-and-getenv
• https://github.com/roots/bedrock/blob/e615da360ceb496ac5a7f9b2fe9b062181d64596/config/application.php#L31

This topic was automatically closed after 42 days. New replies are no longer allowed.