rcrowe/TwigBridge

Prevent {{ config() }} from exposing DB_PASSWORD

bilogic opened this issue · 5 comments

Hi,

Is there a way to make {{ config("database.connections.mysql.password") }} not expose .env's DB_PASSWORD and other sensitive information? Thank you.

Yeah you can just not echo that?

Hi,

I'm coming along the lines that a template system is supposed to limit itself to only "safe" code so that it is end user editable (think shopify's liquid).

While I could disable config() entirely, APIs such as recaptcha still needs to expose their public key in templates.

I was wondering if you would consider adding something similar to Laravel's debug_blacklist for config? Thank you.

In that case you can use the sandbox, but by default Twig has access to a lot of functions and the global app variable.

@barryvdh Can't we just disable / blacklist config() and then if I need some config info I'll create a custom function for that specific data and make it available for twig? I think config(), app() and other sensitive data must not be available for the front end developer... any idea?

Thanks.

Cool, I was able to disable config() from twigbridge.php config file, totally missed that!
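The two steps discussed in this thread, disabling config()/app() in the TwigBridge config and exposing only one specific value through a custom function, as an added example (not code from the thread or from the TwigBridge project). It assumes the `extensions.enabled` and `extensions.functions` keys as shipped in `config/twigbridge.php`; the `App\Twig\RecaptchaExtension` class and the `services.recaptcha.site_key` config entry are hypothetical.

```php
<?php
// ---- app/Twig/RecaptchaExtension.php (hypothetical) ----
namespace App\Twig;

use Twig\Extension\AbstractExtension;
use Twig\TwigFunction;

class RecaptchaExtension extends AbstractExtension
{
    public function getFunctions(): array
    {
        return [
            // The template can only ask for this one value: the config key is
            // hard-wired here, so the secret key (or DB_PASSWORD) is never
            // reachable from a template. 'services.recaptcha.site_key' is an
            // assumed config entry.
            new TwigFunction('recaptcha_site_key', function (): string {
                return (string) config('services.recaptcha.site_key');
            }),
        ];
    }
}

// ---- config/twigbridge.php (excerpt) ----
// Drop 'config' and 'app' from the Laravel helpers exposed to templates, so
// {{ config('database.connections.mysql.password') }} is no longer a defined
// function and Twig fails at compile time instead of printing the password.
// Keep whatever other helpers your templates actually use.
return [
    // ...
    'extensions' => [
        'enabled' => [
            'TwigBridge\Extension\Loader\Facades',
            'TwigBridge\Extension\Loader\Filters',
            'TwigBridge\Extension\Loader\Functions',
            // The hypothetical extension above: one fixed, non-secret value.
            \App\Twig\RecaptchaExtension::class,
        ],
        'functions' => [
            'asset', 'url', 'route', 'trans', 'csrf_token', 'csrf_field', 'old',
            // 'config', 'app', 'session' and 'cache' deliberately omitted.
        ],
        // Also review the 'facades' list: a Config facade exposed there would
        // reopen the same hole through the facade instead of the function.
    ],
];
```

The `app` global that barryvdh mentions is registered separately from this functions list, so check it on its own (Twig's sandbox being the route he suggests for that).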