From 4f776944b72a88a2a63e9479c3d4275bd42216ef Mon Sep 17 00:00:00 2001
From: Ben Word
Date: Sat, 14 Dec 2024 10:55:48 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Don't=20leak=20env=20va?=
 =?UTF-8?q?lues=20into=20`$=5FSERVER`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates to using a custom repository for `Dotenv` instead of the default which includes `ServerConstAdapter`. The new custom repository *only* includes `EnvConstAdapter`. The `$_SERVER` superglobal often gets dumped into logs or into monitoring services so it's better for security to avoid populating it with secrets contained in `.env`.

Co-authored-by: Ben Word
---
 config/application.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/application.php b/config/application.php
index f0954cf34..230039a00 100644
--- a/config/application.php
+++ b/config/application.php
@@ -39,8 +39,13 @@
 ? ['.env', '.env.local']
 : ['.env'];
- $dotenv = Dotenv\Dotenv::createImmutable($root_dir, $env_files, false);
+ $repository = Dotenv\Repository\RepositoryBuilder::createWithNoAdapters() ->addAdapter(Dotenv\Repository\Adapter\EnvConstAdapter::class) ->addAdapter(Dotenv\Repository\Adapter\PutenvAdapter::class) ->immutable() ->make();
+ $dotenv = Dotenv\Dotenv::create($repository, $root_dir, $env_files, false);
 $dotenv->load();
 $dotenv->required(['WP_HOME', 'WP_SITEURL']);