.env file in public folder is a security risk

Drunken Dev — Sun, 08 Apr 2018 14:20:52 +0000

Unfortunately I must use Typo3 at work, I know stupid idea, and they store the whole application in the web servers document root, so everything is public by default.

There's an extension to use a .env file for the configuration, but this extension also want this file in the root of the public folder. That's a very high security risk.
If you forget to disallow the access to it in the .htaccess or server configuration everyone can see your credentials and whatever else you store there.

Some time ago exactly this happens in my company. Purely accidental I found this security break and fixed it quickly. I can just hope it was not online for a long time, because inside the .env file where also hints where to find other scripts, password/user hints and other credentials.
But this shows why you should never put your .env file in a public accessable folder and it is highly risky to implement an extension (or library) that expects this file in the public folder by default.

Of course you can say it was the admin mistake to not forbid the access to this file. But this can happen very easily and your application should not rely on this, especially not for such a risky file. If you do it, that's a really bad design flaw and you should refactor it as soon possible.

I know that the Typo3 developers are not following modern development or design rules and uses a lot of old coding styles, but I'll try an issue for this.

Hi, I'm ew

Drunken Dev — Thu, 23 Feb 2017 09:46:55 +0000

I have been coding for 10 years.

You can find me on Twitter as @ewnx01

I live in Berlin.

I mostly program in these languages: Symfony, PHP
Some of my project can be found at http://www.bitbucket.org/dknx01/ and I help improving https://github.com/MarlonSchultz/jeopardy

Nice to meet you.

DEV Community: Drunken Dev

.env file in public folder is a security risk

Hi, I'm ew