Sensitive Information displayed in stack trace

[rhulshof]

I'm using the following technique to store my database password and such: http://laravel.com/docs/configuration#protecting-sensitive-configuration

These special variables however, are interpreted as Environmental Variables and therefore included in stack-traces. Displaying sensitive information in stack traces like that, should not happen, right?

Even in production it might sometimes be useful to temporarily enable debug mode for bugtracing purposes. But in this case the database password is compromised instantly.

[barryvdh]

No, don't ever enable it in production, unless you protect it by IP/Auth etc.
And see #3914

[rhulshof]

When there is a variable missing in the .env.php file, the stack trace pops up, even when 'debug' => false. Besides that, mistakes are easily made. Especially when working in a team.

I think the consequences are too big. Therefore I'll go for the DEFINE method as mentioned in #3914.

PS: In case of an error while debug mode is set to false, I send my self the stack trace by email. A commonly used technique. In this case the error reports contain passwords. Not desired.

[taylorotwell]

This issue should probably be raised at the Whoops level. I don't have any control over whether the environment variables are shown on the debug page or not, unfortunately.