Prevent public access to env file

Published 2019-03-16 19:44

Question:

I just found that Laravel 5 may output sensitive data and can lead to further exploitation of many hosts:

https://www.google.com/search?q=intext%3ADB_PASSWORD+ext%3Aenv&gws_rd=ssl

I want to know the way to secure my .env file. Can I use the code below in my .htaccess file to protect my .env file from browser view?

# Protect .env
<Files .env>
Order Allow,Deny
Deny from all
</Files>

Will my above code in .htaccess work and protect my .env file?

Answer 1:

This isn't a vulnerability, and isn't even remotely an issue provided someone installs Laravel correctly - the webroot is the public folder, not the repository/project root.

The config files and .env file in Laravel are not contained in the webroot, therefore you only need to ensure your webroot is path/to/project/public.

The Google query you provided is literally just a bunch of people who didn't read the documentation before installing Laravel.



Answer 2:

IMHO the best way to protect a config file from browsing is to put it outside of the public dir. Protecting it via .htaccess could be deceptive: if something fails, your file will become publicly available.



Answer 3:

I'd like to point out your solution only helps on shielding the actual .env file. When enabling debug mode, while using the Whoops handler (and other error handlers possibly as well), the environment variables will also be shown to the visitor when an error occurs (this can even be a 404).

To sum up what others have said in this thread, a .env file is a security issue if:

  • You've installed Laravel inside the publicly available directory; this can be public, www or public_html, for instance. Make sure the public folder contained in the Laravel installation is the only folder made public through the web server. Alternatively you can protect the .env file using .htaccess, but that's not an actual solution.
  • You've enabled debug mode and the error handler shows a debug page with all environment variables. Disable debug mode or configure it so it will only be enabled for specific users or IPs. This prevents sharing environment variables on debug pages.
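The two conditions above (webroot pointing at the project root instead of public, and APP_DEBUG left on) can be checked without touching the web server. The following is an added example, not code from the thread or from Laravel: it parses a constructed Apache vhost fragment and a constructed .env text, reports whether .env would sit under the DocumentRoot, and flags a debug setting that would make error pages dump environment variables. The sample paths, the vhost snippet and the .env contents are all constructed for the example.

```python
import os
import re

# Constructed sample inputs for the example (not taken from the original thread).
# This vhost serves the project root directly, which is the misconfiguration
# the thread describes: /var/www/myapp/.env becomes reachable as /.env.
BAD_VHOST = """
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/myapp
</VirtualHost>
"""

# The corrected vhost points DocumentRoot at the public folder only.
GOOD_VHOST = BAD_VHOST.replace("/var/www/myapp", "/var/www/myapp/public")

BAD_ENV = """
APP_NAME=Laravel
APP_ENV=production
APP_DEBUG=true
DB_PASSWORD="s3cret value"
CACHE_DRIVER=file # unquoted value with a trailing comment
"""

GOOD_ENV = BAD_ENV.replace("APP_DEBUG=true", "APP_DEBUG=false")


def parse_env(text):
    """Minimal .env parser: KEY=VALUE per line, '#' comments, optional quotes.

    Only the subset needed for the audit is handled; it is not a full dotenv
    implementation.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        quoted = re.match(r'^(["\'])(.*?)\1', value)
        if quoted:
            value = quoted.group(2)
        else:
            # Unquoted: strip an inline comment introduced by whitespace + '#'.
            value = re.split(r"\s+#", value, 1)[0].strip()
        values[key.strip()] = value
    return values


def document_root(vhost_text):
    """Return the first DocumentRoot directive in an Apache config fragment, or None."""
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', vhost_text, re.MULTILINE)
    return m.group(1) if m else None


def env_inside_docroot(project_root, doc_root):
    """True if <project_root>/.env lies under doc_root, i.e. is URL-reachable."""
    env_path = os.path.normpath(os.path.join(project_root, ".env"))
    doc_root = os.path.normpath(doc_root)
    try:
        return os.path.commonpath([env_path, doc_root]) == doc_root
    except ValueError:  # paths on different drives (Windows)
        return False


def audit(project_root, vhost_text, env_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    droot = document_root(vhost_text)
    if droot is None:
        findings.append("no DocumentRoot directive found in vhost config")
    else:
        expected = os.path.normpath(os.path.join(project_root, "public"))
        if os.path.normpath(droot) != expected:
            findings.append(f"DocumentRoot {droot} should be {expected}")
        if env_inside_docroot(project_root, droot):
            findings.append(".env is inside DocumentRoot and reachable over HTTP")
    env = parse_env(env_text)
    if env.get("APP_DEBUG", "false").lower() in ("true", "1", "yes", "on"):
        findings.append("APP_DEBUG is enabled; error pages will expose environment variables")
    return findings


if __name__ == "__main__":
    for label, vhost, env in (("bad", BAD_VHOST, BAD_ENV), ("good", GOOD_VHOST, GOOD_ENV)):
        print(label, audit("/var/www/myapp", vhost, env))
```

Running it prints three findings for the constructed bad deployment and none for the corrected one. The path check is deliberately done with path arithmetic rather than an HTTP request, so it can run on the server before the site is exposed; treating a .env under DocumentRoot as a finding regardless of any .htaccess rule mirrors the advice in the answers that a deny rule is a fallback, not the fix.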