
.env file in public folder is a security risk

Drunken Dev (ewnx01) ・1 min read

Unfortunately I must use TYPO3 at work (I know, stupid idea), and they store the whole application in the web server's document root, so everything is public by default.

There's an extension to use a .env file for the configuration, but this extension also wants this file in the root of the public folder. That's a very high security risk.
If you forget to disallow access to it in the .htaccess or server configuration, everyone can see your credentials and whatever else you store there.

Some time ago exactly this happened in my company. Purely by accident I found this security hole and fixed it quickly. I can only hope it was not online for a long time, because inside the .env file there were also hints where to find other scripts, password/user hints and other credentials.
But this shows why you should never put your .env file in a publicly accessible folder, and that it is highly risky to implement an extension (or library) that expects this file in the public folder by default.

Of course you can say it was the admin's mistake not to forbid access to this file. But this can happen very easily and your application should not rely on it, especially not for such a risky file. If you do, that's a really bad design flaw and you should refactor it as soon as possible.

I know that the TYPO3 developers are not following modern development or design rules and use a lot of old coding styles, but I'll try to file an issue for this.

Discussion

Dan (pixelbrackets)

Unfortunately I must use TYPO3 at work (I know, stupid idea), and they store the whole application in the web server's document root, so everything is public by default.

Well, then you configured it to do so.

The application is stored in public, but has htaccess rules to prevent any access to it. It is possible to do some access protection checks within the “Install Tool”, which may also re-generate some of those htaccess files for you, in case they are missing.

The vendor folder and .env file are supposed to be saved outside of the document root. TYPO3 encourages this and gives a pretty clear example on how to accomplish this using Composer. See composer.typo3.org/ (“extra” section in the composer.json example file).

In cases when you have a web package without access above the document root, you might need to store these files in the document root. The same conditions apply to all other PHP frameworks, like Symfony etc. However, even then TYPO3 denies any access to these files, using htaccess rules yet again. See
github.com/TYPO3/TYPO3.CMS/blob/ma... (line 292, deny access to dot files).

There's an extension to use a .env file for the configuration, but this extension also wants this file in the root of the public folder. That's a very high security risk.

It is true that a .env file in a public folder with public access would be a very large security risk. So please don't do this. Instead move it outside of the public folder or use the other security measures provided by TYPO3.

I know that the TYPO3 developers are not following modern development or design rules and use a lot of old coding styles, but I'll try to file an issue for this.

Argumentum ad ignorantiam.

John Costanzo (jrock2004)

If supported, I would use something like an htaccess file to protect that file:

# Disable index view
Options -Indexes

# Hide a specific file
<Files .env>
    Order allow,deny
    Deny from all
</Files>
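A way to check a document root for the problem the post describes (a .env file reachable through the web root) and to see what the htaccess rule above does and does not cover: this is an added example in Python, not code from TYPO3, dotenv-connector or any commenter. It assumes Apache honours .htaccess files (AllowOverride enabled) and that deny rules are written as <Files> or <FilesMatch> blocks in either the 2.2 or the 2.4 syntax; the sample tree it audits is constructed in a temporary directory with placeholder values, so it never touches a real site.

```python
"""Audit an Apache document root for .env files that no .htaccess rule denies.

Added example, not TYPO3 or dotenv-connector code. Assumes Apache honours
.htaccess files (AllowOverride) and that deny rules are expressed with
<Files> / <FilesMatch> blocks, in either 2.2 or 2.4 syntax.
"""
import re
import tempfile
from pathlib import Path

# A block body that denies access: Apache 2.2 ("Deny from all", which 2.4 only
# honours with mod_access_compat) or Apache 2.4 ("Require all denied").
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# <Files NAME> ... </Files>  or  <FilesMatch "REGEX"> ... </FilesMatch>
BLOCK_RE = re.compile(r'<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>(.*?)</\1>', re.I | re.S)


def htaccess_denies(htaccess_text: str, filename: str) -> bool:
    """True if a <Files>/<FilesMatch> block matching `filename` denies access."""
    for kind, arg, body in BLOCK_RE.findall(htaccess_text):
        if kind.lower() == "files":
            matched = arg == filename                      # exact file name
        else:
            matched = re.search(arg, filename) is not None  # FilesMatch regex
        if matched and DENY_RE.search(body):
            return True
    return False


def find_exposed_env_files(docroot: Path) -> list[str]:
    """Paths (relative to docroot) of .env* files with no denying .htaccess in
    their own directory or any parent directory up to the document root."""
    exposed = []
    for path in docroot.rglob(".env*"):
        if not path.is_file():
            continue
        protected = False
        for directory in [path.parent, *path.parent.parents]:
            htaccess = directory / ".htaccess"
            if htaccess.is_file() and htaccess_denies(htaccess.read_text(), path.name):
                protected = True
                break
            if directory == docroot:
                break
        if not protected:
            exposed.append(path.relative_to(docroot).as_posix())
    return sorted(exposed)


def build_sample_docroot() -> Path:
    """Constructed sample tree (temporary directory, placeholder values only)."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    # Root rule in the 2.2 form from the comment above: exact name ".env" only.
    (root / ".htaccess").write_text(
        "Options -Indexes\n<Files .env>\n    Order allow,deny\n    Deny from all\n</Files>\n"
    )
    (root / ".env").write_text("DB_PASSWORD=constructed-sample\n")
    # A sub-application keeps a variant name; "<Files .env>" does not match it.
    (root / "legacy").mkdir()
    (root / "legacy" / ".env.local").write_text("API_TOKEN=constructed-sample\n")
    # Another sub-application blocks every dotfile with the 2.4 form.
    (root / "app").mkdir()
    (root / "app" / ".htaccess").write_text(
        '<FilesMatch "^\\.">\n    Require all denied\n</FilesMatch>\n'
    )
    (root / "app" / ".env.production").write_text("SECRET=constructed-sample\n")
    return root


def audit_sample() -> list[str]:
    """Run the audit against the constructed tree; returns ['legacy/.env.local']."""
    return find_exposed_env_files(build_sample_docroot())


if __name__ == "__main__":
    for rel in audit_sample():
        print(f"EXPOSED: {rel} (no .htaccess deny rule shields it)")
```

Against a real site, call find_exposed_env_files(Path("/var/www/html")) with the actual document root. The sample shows two things worth knowing: `Deny from all` is Apache 2.2 syntax that 2.4 only accepts when mod_access_compat is loaded, so `Require all denied` is the form to use on 2.4; and an exact `<Files .env>` rule leaves `.env.local` and similar variants reachable, whereas a `<FilesMatch "^\.">` rule (the approach Dan's comment points to in the TYPO3 .htaccess) covers every dotfile. Neither rule replaces keeping the file outside the document root, which is the fix the post and Dan's comment both arrive at.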
Cedric Ziel (cedricziel)

So you're essentially blaming TYPO3 for a mistake your team made when setting up the project, or did you just skip reading the README (github.com/helhum/dotenv-connector...) file?

How nice of you.

Abidul (abdrmdn)

I think just securing your file isn't enough. What I would do is store the env in AWS or another key management platform and then allow only that server to access those keys.
I explained this a bit here: medium.com/@abidul.rmdn/move-env-k... .

Eduardo Reyes (eduardort)

This is so incredibly obvious that anyone making this mistake shouldn't be in a position where he's able to do so.