
Comments (11)

barbushin commented on May 27, 2024

Sorry, but I think that this is a critical security issue, and I also think that it is very bad practice to share all source code under the doc root. So...

from php-console-laravel.

shashankkrjain commented on May 27, 2024

I know this is a critical security issue. But I don't think there is any harm in enabling it when debug mode is enabled.

One could argue that the whole PHP console is a security issue. But we have an option to disable it in production.


barbushin commented on May 27, 2024

One could argue that the whole PHP console is a security issue.

Why?


shashankkrjain commented on May 27, 2024

Because it will leave important debug info exposed to the user. You will be supposed to remove all the debug messages before pushing your app to production, which will be very time consuming and not at all helpful for a developer.

Then there is the ability to execute PHP code on the server through the console. It is password protected, but you cannot rely on a plaintext password for the security of your application.

Even in Laravel, the error detail is a security issue because it gives the whole stack trace and env vars in old versions. But the point is it is meant only for development and is disabled in production.


barbushin commented on May 27, 2024

you cannot rely on a plaintext password for the security of your application

Why?


shashankkrjain commented on May 27, 2024

Because the password is stored in plain text format in the config file. It gets committed with the code unless env vars are used. Even so, it still is insecure because in a sense it is giving too much access to the server side.


barbushin commented on May 27, 2024

You can say the same about DB passwords? About any external API passwords? And about SSH passwords, unless you use public/private keys protected by a password, which can be hooked by any trojan either way?


shashankkrjain commented on May 27, 2024

Giving access to the DB and giving access to running any script on your computer are two different things. Anyway, I am not here to make you understand security best practices. I just made a suggestion. It's your package, so ultimately the decision is yours.


barbushin commented on May 27, 2024

Just try to understand: I don't see a problem with some developer getting an Exception like you got, checking the source code and fixing it. But I do see a potential problem with somebody using php-console under the DOC ROOT on a web server with the indexes option enabled, so anybody can list his files, and so anybody can grab the php-console postponed data.

For me security is more important than the 1-5 min a developer will spend fixing this problem in code.


shashankkrjain commented on May 27, 2024

I understand what you want to say. But someone will need to edit the code of your library (the library's default config file) in the vendors folder to fix this, because that config file is loaded first, and in that config file you are creating a PhpConsole\Storage\File object. Even if you allowed the user to load their config file first, it would work.

When this error occurs, Laravel has not initialized completely. So you do not even get a Laravel error. It just gives "Class log not found". It took me 3-4 days to identify what the problem was.

I am not asking you to allow this by default. But at least allow the user to override this and allow it if they want, and that too without changing library code.


barbushin commented on May 27, 2024

I'm not sure why you can't handle the exception; maybe you should try to enable debug mode or update your php.ini settings. But there is an option that can be used to override the default storage: https://github.com/barbushin/php-console-laravel/blob/master/src/PhpConsole/Laravel/ServiceProvider.php#L50

So I think you can just pass `'dataStorage' => new PhpConsole\Storage\File(storage_path('php-console.dat'), false)` to the config and it will work fine for your application.

Anyway, I think that it is a really bad idea to share the storage_path of Laravel in the doc root.

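As an added example (not code from php-console-laravel or from either commenter), here is a Laravel config file that applies the `dataStorage` override described above, moves the postponed-data file under `storage_path()` (outside `public/`), and refuses to boot if that path still resolves under the web server's document root. The config file name and the `'password'` key are assumptions; `dataStorage` and the two-argument `PhpConsole\Storage\File` constructor are the ones named in the thread.

```php
<?php
// config/php-console.php (file name assumed). Added example; not code from
// php-console-laravel or its author.

use PhpConsole\Storage\File;

$storageFile = storage_path('php-console.dat');

// realpath() returns false for paths that do not exist yet, so resolve the
// directory (which Laravel creates) rather than the data file itself.
$storageDir = realpath(dirname($storageFile));
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;

if ($storageDir !== false && $docRoot !== false) {
    // Compare with a trailing separator so /var/www/html does not match /var/www/html2.
    $docRootPrefix = rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($storageDir . DIRECTORY_SEPARATOR, $docRootPrefix) === 0) {
        // Same risk the thread describes: with directory indexes enabled, anyone
        // who can list this directory can download the console data file.
        throw new RuntimeException(
            "php-console storage {$storageFile} resolves under DOCUMENT_ROOT {$docRoot}; "
            . 'move it outside the public directory'
        );
    }
}

return [
    // Override the package default. The second argument (false) skips the
    // library's own doc-root check, which the guard above has already done
    // with a clearer error than "Class log not found" during early boot.
    'dataStorage' => new File($storageFile, false),

    // Keep the console password out of the committed config file by reading it
    // from the environment (key name 'password' is an assumption).
    'password' => env('PHP_CONSOLE_PASSWORD'),
];
```

Because the config value is an object, `php artisan config:cache` cannot serialize this file, so leave the configuration uncached in environments where the console is enabled.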

