Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upCorrects level of 'env' key/value for default/unknown project app configuration to prevent leaking of technical information #1956
Conversation
SoftwareEngineerChris
changed the title
everyx
added a commit
to fengsi-io/api
that referenced
this pull request
Oct 24, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
I noticed that the ping app and "unknown" project app configurations always fell back to a
developmentconfiguration. So when hitting an unknown endpoint (e.g. example.com/test) which would be routed via the unknown-project app, the response would contain details that should probably be kept private, such as PHP file paths and such. This is since these apps still use the regular error handlers, which return more information when indevelopmentconfiguration.It looks like it was the intention for these two apps to default to a
productionconfiguration, but because theenvhad been placed in an object calledappinstead of the root, the error handling code couldn't find it where it expected it, and therefore defaulted to "development".As a side note, it looks like there are a few places in the codebase that default to
developmente.g.->get('env', 'development'). Perhaps these should default toproductionto be on the safer side?Before fix:
After fix:
