How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?
Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview.
4 solutions
#1
38
As of Laravel 5.5.13, there's a new feature that allows you to blacklist certain variables in config/app.php under the key debug_blacklist. When an exception is thrown, whoops will mask these values with asterisks * for each character.
For example, given this config/app.php
return [
    // ...
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_POST' => [
            'password',
        ],
    ],
];
Results in this output:
#2
18
First of all, love the solution by Jeff above.
Second, if, like me, you want to hide all the env variables while still using whoops, here is a solution:
'debug_blacklist' => [
    '_COOKIE' => array_keys($_COOKIE),
    '_SERVER' => array_keys($_SERVER),
    '_ENV' => array_keys($_ENV),
],
Output:
#3
0
Thanks Jeff and Raheel for helping out, but I just found a little gotcha:
Even if I clear out all environment keys from _ENV, the same keys are STILL exposed through the _SERVER variables listed.
Adding the code below in config/app.php would hide all environment variables from the whoops page:
'debug_blacklist' => [
    '_SERVER' => array_keys($_ENV),
    '_ENV' => array_keys($_ENV),
],
#4
0
This does not work for me in Laravel 5.6, but this works:
$envKeys = [];
$serverKeys = [];
$cookieKeys = [];
foreach ( $_ENV as $key => $value ) { if(is_string($value)) $envKeys[] = $key; }
foreach ( $_SERVER as $key => $value ) { if(is_string($value)) $serverKeys[] = $key; }
foreach ( $_COOKIE as $key => $value ) { if(is_string($value)) $cookieKeys[] = $key; }
return [
    // ...
    'debug_blacklist' => [
        '_COOKIE' => $cookieKeys,
        '_SERVER' => $serverKeys,
        '_ENV' => $envKeys,
    ],
];
I would be grateful for a better solution.
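The gotcha from answer #3 (a key blacklisted under _ENV is still readable under _SERVER) can be checked mechanically. The script below is an added example, not part of any answer above and not Laravel's or whoops' own code; the function names maskSuperglobals and findLeaks and the sample values are constructed for illustration, and the masking only mimics the one-asterisk-per-character behaviour described in answer #1.

```php
<?php
// Added example: stand-alone check, not Laravel's or whoops' implementation.

// Mask every blacklisted key with one asterisk per character.
function maskSuperglobals(array $globals, array $blacklist): array
{
    foreach ($blacklist as $name => $keys) {
        foreach ($keys as $key) {
            if (isset($globals[$name][$key]) && is_string($globals[$name][$key])) {
                $globals[$name][$key] = str_repeat('*', strlen($globals[$name][$key]));
            }
        }
    }
    return $globals;
}

// Report blacklisted secrets whose value is still readable somewhere after masking.
function findLeaks(array $globals, array $blacklist): array
{
    $masked = maskSuperglobals($globals, $blacklist);
    $leaks = [];
    foreach ($blacklist as $name => $keys) {
        foreach ($keys as $key) {
            $secret = $globals[$name][$key] ?? null;
            if (!is_string($secret) || $secret === '') {
                continue;
            }
            foreach ($masked as $other => $vars) {
                foreach ($vars as $otherKey => $value) {
                    if ($value === $secret) {
                        $leaks[] = "$name.$key still visible as $other.$otherKey";
                    }
                }
            }
        }
    }
    return $leaks;
}

// Constructed sample data: the same variables appear in _ENV and _SERVER.
$env = ['APP_KEY' => 'base64:constructed', 'DB_PASSWORD' => 'example-secret'];
$globals = ['_ENV' => $env, '_SERVER' => $env + ['REQUEST_URI' => '/']];

// Blacklist covering _ENV only, then the form from answer #3 covering both.
$envOnly = ['_ENV' => array_keys($env)];
$both    = ['_ENV' => array_keys($env), '_SERVER' => array_keys($env)];

print_r(findLeaks($globals, $envOnly));
print_r(findLeaks($globals, $both));
```

Run it with the php CLI; in a real application the two arrays would be the request's superglobals and the debug_blacklist value from config/app.php.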