production icon indicating copy to clipboard operation
production copied to clipboard

Published 20 hours ago verified publisher icon shopware

putenv is not thread safe so it should be removed to avoid leaking dot env variable to other applications

Open AndreasA opened this issue 2 years ago • 1 comments

PHP Version

8.1

Shopware Version

6.4.8.1

Expected behaviour

putEnv should not be used as it isn't thread safe and therefore could leak variables like database URL to other applications which doesn't sound like a good idea (especially in shared hosting environments).

Actual behaviour

remove putenv and getenv calls. getenv if it is anywhere still should be replaced with EnvironmentHelper like e.g. \Shopware\Core\Framework\Api\Controller\CacheController::info or as that is part of dependency injection already, just add%env(...) or the parameter as arguments.

How to reproduce

See above.

AndreasA avatar Mar 02 '22 08:03 AndreasA

@shyim I think this should be fixed sooner rather than later as due to not being thread safe this could have unintentional side effects on e.g. shared hosting. Though most likely if the server setup is done correctly it shouldn't be that big an issue but it would still be better if it is fixed and I think except for the tests it is not needed anymore in the latest version. Though the user can just remove usePutEnv in their templates.

AndreasA avatar Apr 20 '22 14:04 AndreasA