🔒️ Don't leak env values into $_SERVER (#598)

Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`. Co-authored-by: Ben Word <[email protected]>
roots · Dec 14, 2024 · d1704f7 · d1704f7
1 parent dd56b83
commit d1704f7
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/config/application.php b/config/application.php
@@ -39,8 +39,13 @@
         ? ['.env', '.env.local']
         : ['.env'];
 
-    $dotenv = Dotenv\Dotenv::createImmutable($root_dir, $env_files, false);
+    $repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters()
+        ->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class)
+        ->addAdapter(Dotenv\Repository\Adapter\PutenvAdapter::class)
+        ->immutable()
+        ->make();
 
+    $dotenv = Dotenv\Dotenv::create($repository, $root_dir, $env_files, false);
     $dotenv->load();
 
     $dotenv->required(['WP_HOME', 'WP_SITEURL']);