Comments (11)
Sorry, but I think that this is a critical security issue; I also think that it is very bad practice to share all source code under the doc root. So...
from php-console-laravel.
I know this is a critical security issue. But I don't think there is any harm in enabling it when debug mode is enabled.
One could argue that the whole PHP console is a security issue. But we have an option to disable it in production.
from php-console-laravel.
One could argue that the whole PHP console is a security issue.
Why?
from php-console-laravel.
Because it will leave important debug info exposed to the user. You will be supposed to remove all the debug messages before pushing your app to production, which will be very time consuming and not at all helpful for a developer.
Then there is the ability to execute PHP code on the server through the console. It is password protected, but you cannot make the security of your application rely on a plaintext password.
Even in Laravel, the error detail is a security issue because it gives the whole stack trace and env vars in old versions. But the point is it is meant only for development and is disabled in production.
from php-console-laravel.
you cannot make the security of your application rely on a plaintext password
Why?
from php-console-laravel.
Because the password is stored in plain text format in the config file. It gets committed with the code unless env vars are used. Even so, it is still insecure because in a sense it is giving too much access to the server side.
from php-console-laravel.
You can say the same about DB passwords? About any external API passwords? And about SSH passwords, unless you use public/private keys protected by a password, which can also be hooked by any trojan?
from php-console-laravel.
Giving access to the DB and giving access to running any script on your computer are two different things. Anyway, I am not here to make you understand security best practices. I just made a suggestion. It's your package, so ultimately the decision is yours.
from php-console-laravel.
Just try to understand: I don't see a problem in some developer getting an Exception like you got, checking the source code and fixing it. But I see a potential problem that somebody will use php-console under the DOC ROOT on a web server with the indexes option enabled, so anybody can list his files, and so anybody can grab php-console postponed data.
For me security is more important than the 1-5 min that a developer will spend fixing this problem in code.
from php-console-laravel.
I understand what you want to say. But someone will need to edit the code of your library (the library's default config file) in the vendors folder to fix this, because that config file is loaded first, and in the config file you are creating a PhpConsole\Storage\File object. Even if you allowed the user to load their config file first, it would work.
When this error occurs Laravel has not initialized completely. So you do not even get a Laravel error. It just gives "Class log not found". It took me 3-4 days to identify what the problem was.
I am not saying you should allow this by default. But at least allow the user to override this and allow it if they want, and that too without changing library code.
from php-console-laravel.
I'm not sure why you can't handle the exception; maybe you should try to enable debug mode or update your php.ini settings. But there is an option that can be used to override the default storage: https://github.com/barbushin/php-console-laravel/blob/master/src/PhpConsole/Laravel/ServiceProvider.php#L50
So I think you can just pass 'dataStorage' => new PhpConsole\Storage\File(storage_path('php-console.dat'), false),
to the config and it will work fine for your application.
Anyway, I think that it is a really bad idea to share the storage_path of Laravel in the doc root.
from php-console-laravel.
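The override above passes `false` as the second constructor argument, which (as the thread implies) turns off the library's own check that the data file is not under the document root. The following added example is not code from php-console-laravel: it is a small standalone check a deployer can run to confirm the chosen storage path really is outside the web root, so the default validation can stay on. The `dataStorage` key comes from the thread; the constructor signature `File($filePath, $validatePathNotUnderDocRoot = true)` and the sample directory layout are assumptions.

```php
<?php
// Added example, not code from php-console-laravel: verify that the
// php-console data file sits outside the web document root before putting
// it in the Laravel config, so the library's own check need not be disabled.

// Returns true when $path (or its parent dir, if the file does not exist
// yet) resolves to a location inside $docRoot. Symlinks are resolved by
// realpath(), so a "storage" symlink that points into public/ is caught.
function pathIsUnderDocRoot(string $path, string $docRoot): bool
{
    $root = realpath($docRoot);
    if ($root === false) {
        return false;                      // nothing is served from a missing root
    }
    $real = realpath(file_exists($path) ? $path : dirname($path));
    if ($real === false) {
        return false;                      // parent directory does not exist
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR);
    return $real === $root
        || strpos($real, $root . DIRECTORY_SEPARATOR) === 0;
}

// Constructed sample layout in a temp dir: public/ is the web root and
// storage/ sits beside it (assumed default Laravel deployment shape).
$base = sys_get_temp_dir() . '/phpconsole-demo-' . getmypid();
mkdir($base . '/public', 0700, true);
mkdir($base . '/storage', 0700, true);
$docRoot = $base . '/public';

$checks = [
    $base . '/storage/php-console.dat' => false, // expected: outside doc root
    $base . '/public/php-console.dat'  => true,  // expected: exposed to listing
];
foreach ($checks as $file => $expectedExposed) {
    $exposed = pathIsUnderDocRoot($file, $docRoot);
    assert($exposed === $expectedExposed);
    printf("%s -> %s\n", $file, $exposed ? 'EXPOSED' : 'ok');
}

// In config/phpconsole.php (key name from the thread; constructor signature
// File($filePath, $validatePathNotUnderDocRoot = true) is assumed):
//   'dataStorage' => new PhpConsole\Storage\File(storage_path('php-console.dat')),
// Leave the second argument at its default so the library keeps validating;
// pass false only after a check like the one above has shown the path is safe.
```

On a real deployment, pass `public_path()` (or `$_SERVER['DOCUMENT_ROOT']`) as the doc root and the intended `storage_path(...)` file as the path.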