From 23c6881980c707d775ab5f654d17f234284e38b1 Mon Sep 17 00:00:00 2001 From: Toto Date: Thu, 10 Jul 2025 13:35:35 +0700 Subject: [PATCH 1/5] feat: add environment directory to load .env file --- app/Config/Paths.php | 10 ++++++++++ system/Boot.php | 2 +- system/Commands/Encryption/GenerateKey.php | 5 +++-- system/Commands/Utilities/Environment.php | 5 +++-- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/app/Config/Paths.php b/app/Config/Paths.php index 3dc9c5d93951..16dc37068660 100644 --- a/app/Config/Paths.php +++ b/app/Config/Paths.php @@ -75,4 +75,14 @@ class Paths * is used when no value is provided to `Services::renderer()`. */ public string $viewDirectory = __DIR__ . '/../Views'; + + /** + * --------------------------------------------------------------- + * ENVIRONMENT DIRECTORY NAME + * --------------------------------------------------------------- + * + * This variable must contain the name of the directory for + * environment files. + */ + public string $environmentDirectory = __DIR__ . '/../../'; } diff --git a/system/Boot.php b/system/Boot.php index ba3675516b16..283a61bd4769 100644 --- a/system/Boot.php +++ b/system/Boot.php @@ -170,7 +170,7 @@ public static function preload(Paths $paths): void protected static function loadDotEnv(Paths $paths): void { require_once $paths->systemDirectory . '/Config/DotEnv.php'; - (new DotEnv($paths->appDirectory . '/../'))->load(); + (new DotEnv($paths->environmentDirectory))->load(); } protected static function defineEnvironment(): void diff --git a/system/Commands/Encryption/GenerateKey.php b/system/Commands/Encryption/GenerateKey.php index a3fdbd4393a9..3f90203c7d9c 100644 --- a/system/Commands/Encryption/GenerateKey.php +++ b/system/Commands/Encryption/GenerateKey.php @@ -17,6 +17,7 @@ use CodeIgniter\CLI\CLI; use CodeIgniter\Config\DotEnv; use CodeIgniter\Encryption\Encryption; +use Config\Paths; /** * Generates a new encryption key. 
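Review bot: The docblock added for `$environmentDirectory` does not say that the value must end in a directory separator, although the default `__DIR__ . '/../../'` does and the commands changed in this same patch append `'.env'` to it directly. The neighbouring `$viewDirectory` default (`__DIR__ . '/../Views'`) has no trailing slash, so someone copying that style would make the commands target `<dir>.env` instead of `<dir>/.env`. I would add a line such as `* Must end with a slash and should be outside the web root, because the .env file holds credentials.` The comment also calls the value a "directory name" where it is a path. The `Paths` class begins outside this hunk.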
@@ -101,7 +102,7 @@ public function run(array $params) // force DotEnv to reload the new env vars putenv('encryption.key'); unset($_ENV['encryption.key'], $_SERVER['encryption.key']); - $dotenv = new DotEnv(ROOTPATH); + $dotenv = new DotEnv((new Paths())->environmentDirectory); $dotenv->load(); CLI::write('Application\'s new encryption key was successfully set.', 'green'); @@ -155,7 +156,7 @@ protected function confirmOverwrite(array $params): bool protected function writeNewEncryptionKeyToFile(string $oldKey, string $newKey): bool { $baseEnv = ROOTPATH . 'env'; - $envFile = ROOTPATH . '.env'; + $envFile = (new Paths())->environmentDirectory . '.env'; if (! is_file($envFile)) { if (! is_file($baseEnv)) { diff --git a/system/Commands/Utilities/Environment.php b/system/Commands/Utilities/Environment.php index 22794fe9d51d..f5caad4ba3f4 100644 --- a/system/Commands/Utilities/Environment.php +++ b/system/Commands/Utilities/Environment.php @@ -16,6 +16,7 @@ use CodeIgniter\CLI\BaseCommand; use CodeIgniter\CLI\CLI; use CodeIgniter\Config\DotEnv; +use Config\Paths; /** * Command to display the current environment, @@ -119,7 +120,7 @@ public function run(array $params) // however we cannot redefine the ENVIRONMENT constant putenv('CI_ENVIRONMENT'); unset($_ENV['CI_ENVIRONMENT'], $_SERVER['CI_ENVIRONMENT']); - (new DotEnv(ROOTPATH))->load(); + (new DotEnv((new Paths())->environmentDirectory))->load(); CLI::write(sprintf('Environment is successfully changed to "%s".', $env), 'green'); CLI::write('The ENVIRONMENT constant will be changed in the next script execution.'); @@ -134,7 +135,7 @@ public function run(array $params) private function writeNewEnvironmentToEnvFile(string $newEnv): bool { $baseEnv = ROOTPATH . 'env'; - $envFile = ROOTPATH . '.env'; + $envFile = (new Paths())->environmentDirectory . '.env'; if (! is_file($envFile)) { if (! is_file($baseEnv)) { From fb4e4118e9f703386d03ae56e6aa913e2c551d3a Mon Sep 17 00:00:00 2001 
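Review bot: In `writeNewEncryptionKeyToFile()` the target is built as `(new Paths())->environmentDirectory . '.env'`, which is only right when the configured value ends in a slash. With a value like `/srv/conf` (constructed example) the new encryption key would be written to `/srv/conf.env`, a stray file beside the intended directory. Normalising first avoids that: `$envFile = rtrim((new Paths())->environmentDirectory, '\\/') . DIRECTORY_SEPARATOR . '.env';`. The same concatenation is added to `writeNewEnvironmentToEnvFile()` in system/Commands/Utilities/Environment.php (hunk `@@ -134,7 +135,7 @@`), and the later patches in this series keep it. Both function bodies continue outside their hunks, and how `DotEnv` joins its own path is not visible here.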
From: Toto Date: Tue, 15 Jul 2025 08:33:06 +0700 Subject: [PATCH 2/5] fix: rename environment directory variable from environmentDirectory to envDirectory Co-authored-by: Michal Sniatala --- app/Config/Paths.php | 2 +- system/Boot.php | 2 +- system/Commands/Encryption/GenerateKey.php | 4 ++-- system/Commands/Utilities/Environment.php | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/app/Config/Paths.php b/app/Config/Paths.php index 16dc37068660..cf2fcfca880b 100644 --- a/app/Config/Paths.php +++ b/app/Config/Paths.php @@ -84,5 +84,5 @@ class Paths * This variable must contain the name of the directory for * environment files. */ - public string $environmentDirectory = __DIR__ . '/../../'; + public string $envDirectory = __DIR__ . '/../../'; } diff --git a/system/Boot.php b/system/Boot.php index 283a61bd4769..4b8292796a97 100644 --- a/system/Boot.php +++ b/system/Boot.php @@ -170,7 +170,7 @@ public static function preload(Paths $paths): void protected static function loadDotEnv(Paths $paths): void { require_once $paths->systemDirectory . '/Config/DotEnv.php'; - (new DotEnv($paths->environmentDirectory))->load(); + (new DotEnv($paths->envDirectory))->load(); } protected static function defineEnvironment(): void diff --git a/system/Commands/Encryption/GenerateKey.php b/system/Commands/Encryption/GenerateKey.php index 3f90203c7d9c..4c7beda0095d 100644 --- a/system/Commands/Encryption/GenerateKey.php +++ b/system/Commands/Encryption/GenerateKey.php @@ -102,7 +102,7 @@ public function run(array $params) // force DotEnv to reload the new env vars putenv('encryption.key'); unset($_ENV['encryption.key'], $_SERVER['encryption.key']); - $dotenv = new DotEnv((new Paths())->environmentDirectory); + $dotenv = new DotEnv((new Paths())->envDirectory); $dotenv->load(); CLI::write('Application\'s new encryption key was successfully set.', 'green'); 
@@ -156,7 +156,7 @@ protected function confirmOverwrite(array $params): bool protected function writeNewEncryptionKeyToFile(string $oldKey, string $newKey): bool { $baseEnv = ROOTPATH . 'env'; - $envFile = (new Paths())->environmentDirectory . '.env'; + $envFile = (new Paths())->envDirectory . '.env'; if (! is_file($envFile)) { if (! is_file($baseEnv)) { diff --git a/system/Commands/Utilities/Environment.php b/system/Commands/Utilities/Environment.php index f5caad4ba3f4..5e063de357e8 100644 --- a/system/Commands/Utilities/Environment.php +++ b/system/Commands/Utilities/Environment.php @@ -120,7 +120,7 @@ public function run(array $params) // however we cannot redefine the ENVIRONMENT constant putenv('CI_ENVIRONMENT'); unset($_ENV['CI_ENVIRONMENT'], $_SERVER['CI_ENVIRONMENT']); - (new DotEnv((new Paths())->environmentDirectory))->load(); + (new DotEnv((new Paths())->envDirectory))->load(); CLI::write(sprintf('Environment is successfully changed to "%s".', $env), 'green'); CLI::write('The ENVIRONMENT constant will be changed in the next script execution.'); @@ -135,7 +135,7 @@ public function run(array $params) private function writeNewEnvironmentToEnvFile(string $newEnv): bool { $baseEnv = ROOTPATH . 'env'; - $envFile = (new Paths())->environmentDirectory . '.env'; + $envFile = (new Paths())->envDirectory . '.env'; if (! is_file($envFile)) { if (! is_file($baseEnv)) { From 7d66f4b72bf666c89bbe1ab2d7f839d4c7f57936 Mon Sep 17 00:00:00 2001 From: Toto Date: Tue, 15 Jul 2025 08:41:27 +0700 Subject: [PATCH 3/5] docs: add information about changing .env file location Co-authored-by: Michal Sniatala --- .../source/general/managing_apps.rst | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/user_guide_src/source/general/managing_apps.rst b/user_guide_src/source/general/managing_apps.rst index 35a30153d034..6b847889bb4b 100644 --- a/user_guide_src/source/general/managing_apps.rst +++ b/user_guide_src/source/general/managing_apps.rst 
@@ -97,3 +97,26 @@ of those: .. literalinclude:: managing_apps/004.php Only when you change the Application Directory, see :ref:`renaming-app-directory` and modify the paths in the **index.php** and **spark**. + +Changing the Location of the .env File +====================================== + +If necessary, you can change the location of the ``.env`` file by adjusting the ``$envDirectory`` +property in ``app/Config/Paths.php``. + +By default, the framework loads environment settings from a ``.env`` file located one level above +the ``app/`` directory (in the ``ROOTPATH``). This is a safe location when your domain is correctly +pointed to the ``public/`` directory, as recommended. + +In practice, however, some applications are served from a subdirectory (e.g., ``http://example.com/myapp``) +rather than from the main domain. In such cases, placing the ``.env`` file within the ``ROOTPATH`` may expose +sensitive configuration if ``.htaccess`` or other protections are misconfigured. + +To avoid this risk in such setups, it is recommended to ensure the ``.env`` file is located outside any +web-accessible directories. + +.. warning:: + + If you change the location of the ``.env`` file, make absolutely sure it is not publicly accessible. + Exposure of this file could lead to compromised credentials and access to critical services, such as your + database, mail server, or third-party APIs. From 92bfc1e1de1f926385901c834f0916fe136f3b70 Mon Sep 17 00:00:00 2001 From: Toto Date: Tue, 15 Jul 2025 08:49:35 +0700 Subject: [PATCH 4/5] fix: improve environment variable loading with fallback to ROOTPATH --- system/Boot.php | 3 ++- system/Commands/Encryption/GenerateKey.php | 4 ++-- system/Commands/Utilities/Environment.php | 4 ++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/system/Boot.php b/system/Boot.php index 4b8292796a97..5b228664146f 100644 --- a/system/Boot.php +++ b/system/Boot.php 
@@ -170,7 +170,8 @@ public static function preload(Paths $paths): void protected static function loadDotEnv(Paths $paths): void { require_once $paths->systemDirectory . '/Config/DotEnv.php'; - (new DotEnv($paths->envDirectory))->load(); + $envDirectory = $paths->envDirectory ?? $paths->appDirectory . '/../'; + (new DotEnv($envDirectory))->load(); } protected static function defineEnvironment(): void diff --git a/system/Commands/Encryption/GenerateKey.php b/system/Commands/Encryption/GenerateKey.php index 4c7beda0095d..b34b422f7bfe 100644 --- a/system/Commands/Encryption/GenerateKey.php +++ b/system/Commands/Encryption/GenerateKey.php @@ -102,7 +102,7 @@ public function run(array $params) // force DotEnv to reload the new env vars putenv('encryption.key'); unset($_ENV['encryption.key'], $_SERVER['encryption.key']); - $dotenv = new DotEnv((new Paths())->envDirectory); + $dotenv = new DotEnv((new Paths())->envDirectory ?? ROOTPATH); $dotenv->load(); CLI::write('Application\'s new encryption key was successfully set.', 'green'); @@ -156,7 +156,7 @@ protected function confirmOverwrite(array $params): bool protected function writeNewEncryptionKeyToFile(string $oldKey, string $newKey): bool { $baseEnv = ROOTPATH . 'env'; - $envFile = (new Paths())->envDirectory . '.env'; + $envFile = ((new Paths())->envDirectory ?? ROOTPATH) . '.env'; if (! is_file($envFile)) { if (! is_file($baseEnv)) { diff --git a/system/Commands/Utilities/Environment.php b/system/Commands/Utilities/Environment.php index 5e063de357e8..0c3730631f42 100644 --- a/system/Commands/Utilities/Environment.php +++ b/system/Commands/Utilities/Environment.php 
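Review bot: The `??` fallback added to `loadDotEnv()` has no comment saying when it can apply. `Paths::$envDirectory` is declared earlier in this series as a non-nullable `string` with a default, so the fallback presumably only covers an application whose own `app/Config/Paths.php` predates the property. A short comment would stop it being removed as dead code: `// Older app/Config/Paths.php files have no $envDirectory; fall back to the parent of the app directory.` An empty string is not null and passes through `??` unchanged, so a blank setting is not caught by this line.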
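Review bot: The default chosen in `run()` differs from the one in system/Boot.php in this same commit: the command falls back to `ROOTPATH`, while `Boot::loadDotEnv()` falls back to `$paths->appDirectory . '/../'`. If the two ever resolve to different directories, the command would write the new key to a file that is not loaded at boot. The expression `(new Paths())->envDirectory ?? ROOTPATH` is also repeated in `writeNewEncryptionKeyToFile()` and twice in Environment.php, where the copy in `writeNewEnvironmentToEnvFile()` loses its parentheses in this commit and is corrected by a later patch. Resolving the directory once per command keeps the write and reload paths identical, e.g. `private function envDirectory(): string { return (new Paths())->envDirectory ?? ROOTPATH; }`. Both GenerateKey function bodies extend beyond their hunks.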
@@ -120,7 +120,7 @@ public function run(array $params) // however we cannot redefine the ENVIRONMENT constant putenv('CI_ENVIRONMENT'); unset($_ENV['CI_ENVIRONMENT'], $_SERVER['CI_ENVIRONMENT']); - (new DotEnv((new Paths())->envDirectory))->load(); + (new DotEnv((new Paths())->envDirectory ?? ROOTPATH))->load(); CLI::write(sprintf('Environment is successfully changed to "%s".', $env), 'green'); CLI::write('The ENVIRONMENT constant will be changed in the next script execution.'); @@ -135,7 +135,7 @@ public function run(array $params) private function writeNewEnvironmentToEnvFile(string $newEnv): bool { $baseEnv = ROOTPATH . 'env'; - $envFile = (new Paths())->envDirectory . '.env'; + $envFile = (new Paths())->envDirectory ?? ROOTPATH . '.env'; if (! is_file($envFile)) { if (! is_file($baseEnv)) { From 2592dbbc9324dc454778f3057d488030b69cb02d Mon Sep 17 00:00:00 2001 From: Toto Date: Tue, 15 Jul 2025 13:26:12 +0700 Subject: [PATCH 5/5] fix: dynamic path for .env file Co-authored-by: Michal Sniatala --- system/Commands/Utilities/Environment.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/Commands/Utilities/Environment.php b/system/Commands/Utilities/Environment.php index 0c3730631f42..99a90415ceea 100644 --- a/system/Commands/Utilities/Environment.php +++ b/system/Commands/Utilities/Environment.php @@ -135,7 +135,7 @@ public function run(array $params) private function writeNewEnvironmentToEnvFile(string $newEnv): bool { $baseEnv = ROOTPATH . 'env'; - $envFile = (new Paths())->envDirectory ?? ROOTPATH . '.env'; + $envFile = ((new Paths())->envDirectory ?? ROOTPATH) . '.env'; if (! is_file($envFile)) { if (! is_file($baseEnv)) {
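Review bot: Nothing in the series exercises this line with a non-default `envDirectory`, so the operator-precedence slip corrected here could return unnoticed. The diffstats of all five patches list only Paths.php, Boot.php, the two command classes and the user guide. A command test that points `envDirectory` at a temporary directory and asserts the `.env` file is created there rather than under `ROOTPATH` would pin the behaviour. That may require obtaining `Paths` through something a test can replace instead of `new Paths()`. `writeNewEnvironmentToEnvFile()` continues past the end of the hunk.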