2018-05-03 15:29 GMT-03:00 Tom Van Looy <t...@ctors.net>:

> Hi
...
> The problem I see with this practice is that it is so easy to leak
> environment variables. Like if you are running a phpinfo() page somewhere
> that is not a very big deal until it contains all your passwords and API
> keys in plain text. Jikes!
...
> The main intention is to get the credentials out of the environment
> variables. You need to set up a connection to a database or API? Get a
> password from the secure storage, make the connection and get rid of the
> password.

Wouldn't it be more feasible to assign the environment variables locally
then clear them from the environment for the rest of the process?

    // read the secret into a local variable
    $password = getenv("PASSWORD");
    var_dump($password);
    // overwrite the environment variable with an empty value
    putenv("PASSWORD=");
    // read it again to see what getenv() returns now
    $password = getenv("PASSWORD");
    var_dump($password);
    phpinfo();

The manual of getenv() does warn that "If PHP is running in a SAPI such as
Fast CGI, this function will always return the value of an environment
variable set by the SAPI, even if putenv() has been used to set a local
environment variable of the same name."

And there's also apache_getenv() and apache_setenv() to worry about.

But if the point is to avoid accidental leaks, you may want to tackle the
problem from this perspective instead of using a new env mechanism.
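
Added example, not part of the original message or of PHP itself: one way to do the "read, then clear" step from the reply while also covering $_ENV, $_SERVER, the Apache variables and the FastCGI caveat quoted from the manual. The helper name takeSecret() and the sample value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: fetch a secret from the environment, scrub it from the
 * places phpinfo() prints, and report where it is still readable afterwards.
 *
 * @return array{0: ?string, 1: string[]} [secret or null, remaining exposures]
 */
function takeSecret(string $name): array
{
    $value = getenv($name);
    if ($value === false) {
        $value = $_ENV[$name] ?? $_SERVER[$name] ?? null;
    }

    // putenv("NAME") without "=" removes the variable from the process
    // environment; putenv("NAME=") leaves it defined but empty.
    putenv($name);
    // phpinfo() also dumps the superglobals, so drop the copies held there.
    unset($_ENV[$name], $_SERVER[$name]);

    // Under the Apache module the variable lives in a separate table with no
    // unset call, so the value is overwritten instead.
    if (function_exists('apache_setenv') && apache_getenv($name) !== false) {
        apache_setenv($name, '');
    }

    // Verify instead of assuming: some SAPIs keep answering getenv() with the
    // value they were started with, whatever putenv() did.
    $exposed = [];
    $after = getenv($name);
    if ($after !== false && $after !== '') {
        $exposed[] = 'getenv() (value supplied by the SAPI)';
    }
    if (function_exists('apache_getenv') && (string) apache_getenv($name) !== '') {
        $exposed[] = 'apache_getenv()';
    }
    return [$value, $exposed];
}

// Constructed sample value standing in for a real deployment's variable.
putenv('PASSWORD=constructed-sample-value');
[$password, $exposed] = takeSecret('PASSWORD');
// ... open the connection with $password here, then unset($password) ...
foreach ($exposed as $where) {
    error_log("PASSWORD is still readable through $where");
}
```

A non-empty exposure list means the variable has to be removed from the web server or process manager configuration, since the PHP process cannot clear it from inside.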