[Process] Be able to not inherit ENV var #24397
Nowadays, Symfony recommends using env vars to configure the application.
If an application is using the Process component, some information can leak via the env variables.
So I would like to be able to NOT inherit from the parent process to be as safe as possible.
For now the solution to disable the propagation is to use this code:
```php
$process = new Symfony\Component\Process\Process('env');
// Map every variable name found in $_SERVER to false so that it is not propagated
$env = array_combine(array_keys($_SERVER), array_fill(0, count($_SERVER), false));
$process->run(null, $env);
echo $process->getOutput();
```
It's not really easy :/
And if you need a use case: https://twitter.com/o_cee/status/892306836199800836 (yeah, NPM drama inside, but anyway it could happen with Composer too!)
Finally, here I'm just asking for a way to not inherit env vars. But ideally Symfony, by default, should not inherit env vars (but it's another story)
The issue with not inheriting env vars by default is that some of them are required to perform correctly.
About the CWD, I disagree because a script should not rely on the cwd. That's why in Symfony we are using
But again, here I just would like a way to disable this propagation.
And if we disable all propagation by default, Symfony could have a white list of legit env vars (PATH, HTTP_PROXY ...)
1/ Here is the list of default env vars on Ubuntu (in Docker)
Do you have any pointer for that?
Because according to https://12factor.net/config =>
So, IMHO, password and co. should go to env var.
Symfony reads the conf (param.yml) file only once per deploy (except if you clear the cache). So if you want to change the Twitter secret key (for example) you have to rewrite the file, clear the cache and so slow down the application.
With an env var, you can do that very smoothly without slow requests. And clearing the cache when there is a lot of traffic is not really possible. So basically you need a new deploy :/
@lyrixx Docker does not recommend putting secrets in env anymore, but in special files (that are managed by Docker itself in a special place as it manages the secrets for you).
Offtopic about Symfony + env
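The allow-list idea raised in the thread (hand the child PATH, HTTP_PROXY and nothing else), as an added example that is not code from the issue or from Symfony. `buildChildEnv()` is a hypothetical helper, the variable names and values are constructed, and the script assumes the PHP CLI on a system that has the `env` command.

```php
<?php
/**
 * Build an $env map in the shape used by the snippet in the issue:
 * allow-listed names keep their value, every other name is set to false,
 * which that snippet relies on to stop the variable being passed on.
 */
function buildChildEnv(array $parentEnv, array $allowlist): array
{
    $allowed = array_fill_keys($allowlist, true);
    $env = [];
    foreach ($parentEnv as $name => $value) {
        // $_SERVER-style arrays also hold ints and arrays; keep strings only.
        $keep = isset($allowed[$name]) && is_string($value);
        $env[$name] = $keep ? $value : false;
    }
    return $env;
}

// Constructed parent environment; the secret names and values are made up.
$parentEnv = [
    'PATH'           => '/usr/local/bin:/usr/bin:/bin',
    'HTTP_PROXY'     => 'http://proxy.example:3128',
    'DATABASE_URL'   => 'mysql://app:s3cret@db.example/app',
    'TWITTER_SECRET' => 'constructed-secret',
    'argc'           => 1,
];
$env = buildChildEnv($parentEnv, ['PATH', 'HTTP_PROXY']);

// With symfony/process installed, pass the map the way the issue does:
//   $process = new Symfony\Component\Process\Process('env');
//   $process->run(null, $env);

// Stand-alone check with PHP's proc_open(): its $env argument replaces the
// child's environment, so only the kept (non-false) entries are handed over.
$childEnv = array_filter($env, 'is_string');
$proc = proc_open('env', [1 => ['pipe', 'w']], $pipes, null, $childEnv);
if (!is_resource($proc)) {
    fwrite(STDERR, "could not start child process\n");
    exit(2);
}
$seen = stream_get_contents($pipes[1]);
fclose($pipes[1]);
proc_close($proc);

echo $seen; // what the child reports as its environment
foreach (['DATABASE_URL', 'TWITTER_SECRET'] as $secret) {
    if (strpos($seen, $secret . '=') !== false) {
        fwrite(STDERR, "leak: $secret reached the child\n");
        exit(1);
    }
}
```

The final loop works as a regression check: it exits non-zero if a name that should have been withheld shows up in the child's output.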