
Prevent {{ config() }} from exposing DB_PASSWORD

Open bilogic opened this issue 6 years ago • 5 comments

Hi,

Is there a way to make {{ config("database.connections.mysql.password") }} not expose .env's DB_PASSWORD and other sensitive information? Thank you.

bilogic, Oct 23 '19 07:10

Yeah you can just not echo that?

barryvdh, Oct 27 '19 18:10

Hi,

I'm coming along the lines that a template system is supposed to limit itself to only "safe" code so that it is end-user editable (think Shopify's Liquid).

While I could disable config() entirely, APIs such as reCAPTCHA still need to expose their public key in templates.

I was wondering if you would consider adding something similar to Laravel's debug_blacklist for config? Thank you.

bilogic, Oct 27 '19 22:10

In that case you can use the sandbox, but by default Twig has access to a lot of functions and the global app variable.

barryvdh, Oct 28 '19 06:10

@barryvdh Can't we just disable / blacklist config() and then, if I need some config info, I'll create a custom function for that specific data and make it available for Twig? I think config(), app() and other sensitive data must not be available to the front-end developer. Any idea?

Thanks.

onemoreahmad, Nov 24 '19 03:11

Cool, I was able to disable config() from the twigbridge.php config file, totally missed that!

onemoreahmad, Nov 24 '19 03:11
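One way to do what onemoreahmad describes (drop the generic config() helper and expose only specific values through a custom function), as an added example that is not code from this thread or from the TwigBridge project. The class name `App\Twig\SafeConfig`, the allow-listed keys and the `services.recaptcha.site_key` path are assumptions; the gate is an explicit allow-list, so `database.connections.*.password` and every other .env-backed secret stay unreachable from a template no matter what key path an editor types.

```php
<?php
// app/Twig/SafeConfig.php (hypothetical file and class name).
// Allow-list gate for config lookups made from Twig templates: a key must be
// listed here explicitly, so DB_PASSWORD and other .env-backed secrets cannot be
// reached from a template even when the key path is known.
namespace App\Twig;

use Illuminate\Support\Facades\Config;
use Twig\Error\RuntimeError;

final class SafeConfig
{
    /** Keys templates may read. Public values only; credentials never belong here. */
    private const READABLE = [
        'app.name',
        'services.recaptcha.site_key', // the public site key; the secret key is not listed
    ];

    /**
     * Replacement for config() inside templates. Returns the value for an
     * allow-listed key and throws for everything else.
     */
    public static function get(string $key, $default = null)
    {
        if (!in_array($key, self::READABLE, true)) {
            // Fail loudly: a template that probes for secrets then shows up as a
            // render error in the logs instead of silently printing nothing.
            throw new RuntimeError(sprintf('Config key "%s" is not exposed to templates.', $key));
        }

        return Config::get($key, $default);
    }
}
```

In `config/twigbridge.php`, remove `'config'` (and `'app'`) from the `extensions.functions` list and register this instead as `'safe_config' => ['callback' => 'App\Twig\SafeConfig::get']` (the `callback` entry form is an assumption about that config file), after which templates use `{{ safe_config("services.recaptcha.site_key") }}`. A static method rather than a closure is used so that `php artisan config:cache` can still serialize the config file.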