How to hide .env passwords in Laravel whoops output?

Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must comply with the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/46407009/

Date: 2020-09-14 16:43:18  Source: igfitidea


Tags: php, laravel, environment-variables, secret-key, whoops

Asked by Jeff Puckett

How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?

Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview.

[Screenshot: whoops output with the passwords shown]

Answered by Jeff Puckett

As of Laravel 5.5.13, there's a new feature that allows you to blacklist certain variables in config/app.php under the key debug_blacklist. When an exception is thrown, whoops will mask these values with an asterisk * for each character.

For example, given this config/app.php

return [

    // ...

    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_POST' => [
            'password',
        ],
    ],
];

Results in this output:

[Screenshot: whoops exception page with the blacklisted values masked]

Answered by Raheel Hasan

First of all, love the solution by Jeff above.

2nd, if, like me, you want to hide all the env variables while still using whoops, here is a solution:

'debug_blacklist' => [
    '_COOKIE' => array_keys($_COOKIE),
    '_SERVER' => array_keys($_SERVER),
    '_ENV'    => array_keys($_ENV),
],

Output:

[Screenshot: whoops output with all variables masked]

Answered by erlangsec

Thanks Jeff and Raheel for helping out, but I just found a little gotcha:

Even if I clear out all environment keys from _ENV, the same keys are STILL exposed through the _SERVER variables listed.

Adding the code below in config/app.php would hide all environment variables from the whoops page:

'debug_blacklist' => [
    '_SERVER' => array_keys($_ENV),
    '_ENV'    => array_keys($_ENV),
],

Answered by Benjamin Listwon

The solution by @jeff + @raheel is great!!! On a project recently we found we sometimes wanted to whitelist a property or two, so building on the above, you can whitelist specific properties you want to debug with something like:

'debug_blacklist' => [
    '_COOKIE' => array_diff(array_keys($_COOKIE), array()),
    '_SERVER' => array_diff(array_keys($_SERVER), array('APP_URL', 'QUERY_STRING')),
    '_ENV' => array_diff(array_keys($_ENV), array()),
],

If you want to allow that list to be configured via .env, you can do something like:

'debug_blacklist' => [
    '_COOKIE' => array_diff(
        array_keys($_COOKIE),
        explode(",", env('DEBUG_COOKIE_WHITELIST', ""))
    ),
    '_SERVER' => array_diff(
        array_keys($_SERVER),
        explode(",", env('DEBUG_SERVER_WHITELIST', ""))
    ),
    '_ENV' => array_diff(
        array_keys($_ENV),
        explode(",", env('DEBUG_ENV_WHITELIST', ""))
    ),
],

Then in your .env, do something like:

DEBUG_SERVER_WHITELIST="APP_URL,QUERY_STRING"

Cheers!

Answered by D?uris

I've made a package to solve this problem.

Just install it using

composer require glaivepro/hidevara

Most of the server and all the env variables will be removed. Any password-like fields in $_POST will have their values hidden.

You can also customize it in either blacklist or whitelist approach to show/obfuscate/remove fields however you like.

Answered by Ohne Not Silas

Laravel 5.6 does not work for me, but this works:

// Collect only the keys whose values are strings; non-string entries are skipped.
$envKeys = [];
$serverKeys = [];
$cookieKeys = [];
foreach ($_ENV as $key => $value) {
    if (is_string($value)) {
        $envKeys[] = $key;
    }
}
foreach ($_SERVER as $key => $value) {
    if (is_string($value)) {
        $serverKeys[] = $key;
    }
}
foreach ($_COOKIE as $key => $value) {
    if (is_string($value)) {
        $cookieKeys[] = $key;
    }
}

return [

    // ...

    'debug_blacklist' => [
        '_COOKIE'   => $cookieKeys,
        '_SERVER'   => $serverKeys,
        '_ENV'      => $envKeys,
    ],
];

I would be grateful for a better solution.

Answered by Test Check

Just Change

APP_DEBUG=true 

To:

APP_DEBUG=false

In the .env file.

Answered by user1576840

For Laravel 5.6-5.8:

'debug_blacklist' => [
    '_COOKIE'   => array_keys(array_filter($_COOKIE, function($value) {return is_string($value);})),
    '_SERVER'   => array_keys(array_filter($_SERVER, function($value) {return is_string($value);})),
    '_ENV'      => array_keys(array_filter($_ENV, function($value) {return is_string($value);})),
],
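The answers above each contribute one piece: the debug_blacklist key itself, blacklisting every key rather than a fixed list, erlangsec's gotcha that $_SERVER mirrors the $_ENV keys, Benjamin Listwon's whitelist read from .env, and the is_string filter for non-string entries. The following standalone PHP script is an added example that is not code from any of the answerers or from Laravel; it combines those pieces into one buildDebugBlacklist() function and checks the effect offline on constructed sample data. maskForDisplay() is a hypothetical stand-in for the asterisk masking whoops applies to blacklisted keys (one * per character, as Jeff describes), not whoops' own code, and the env() fallback only exists so the script runs outside the framework.

```php
<?php
// Added example, not code from any answer above or from Laravel/whoops.
// Builds a debug_blacklist that masks every string key in $_ENV, $_SERVER and
// $_COOKIE (minus an optional whitelist) plus password-like $_POST fields, and
// simulates the masking so the result can be checked from the command line.

// Constructed sample data standing in for the real superglobals.
$sampleEnv = [
    'APP_NAME'    => 'demo',
    'APP_URL'     => 'http://localhost',
    'DB_PASSWORD' => 's3cret',
];
// PHP copies environment variables into $_SERVER as well, which is the gotcha
// erlangsec describes: blacklisting _ENV alone still shows DB_PASSWORD under _SERVER.
$sampleServer = $sampleEnv + [
    'QUERY_STRING' => 'page=2',
    'argv'         => ['artisan', 'serve'], // non-string value: must be skipped
];
$sampleCookie = ['laravel_session' => 'abc123'];
$samplePost   = ['email' => 'a@example.com', 'password' => 'hunter2'];

// Minimal fallback for Laravel's env() helper so the script runs outside the framework.
if (!function_exists('env')) {
    function env(string $key, $default = null)
    {
        $value = getenv($key);
        return $value === false ? $default : $value;
    }
}

// Keys whose values are strings; arrays (e.g. argv under the CLI) cannot be masked.
function stringKeys(array $bag): array
{
    return array_keys(array_filter($bag, 'is_string'));
}

// Comma-separated whitelist from a DEBUG_*_WHITELIST variable; empty when unset.
function whitelistFromEnv(string $var): array
{
    return array_filter(array_map('trim', explode(',', (string) env($var, ''))));
}

// The value to assign to 'debug_blacklist' in config/app.php.
function buildDebugBlacklist(array $env, array $server, array $cookie): array
{
    return [
        '_COOKIE' => array_values(array_diff(stringKeys($cookie), whitelistFromEnv('DEBUG_COOKIE_WHITELIST'))),
        '_SERVER' => array_values(array_diff(stringKeys($server), whitelistFromEnv('DEBUG_SERVER_WHITELIST'))),
        '_ENV'    => array_values(array_diff(stringKeys($env), whitelistFromEnv('DEBUG_ENV_WHITELIST'))),
        // Request fields that should never be shown in clear text.
        '_POST'   => ['password', 'password_confirmation'],
    ];
}

// Hypothetical stand-in for the masking whoops performs: one '*' per character.
function maskForDisplay(array $bags, array $blacklist): array
{
    foreach ($blacklist as $bag => $keys) {
        foreach ($keys as $key) {
            if (isset($bags[$bag][$key]) && is_string($bags[$bag][$key])) {
                $bags[$bag][$key] = str_repeat('*', strlen($bags[$bag][$key]));
            }
        }
    }
    return $bags;
}

// Demo: whitelist two harmless $_SERVER keys, like the DEBUG_SERVER_WHITELIST .env line above.
putenv('DEBUG_SERVER_WHITELIST=APP_URL,QUERY_STRING');

$blacklist = buildDebugBlacklist($sampleEnv, $sampleServer, $sampleCookie);
$shown = maskForDisplay([
    '_ENV'    => $sampleEnv,
    '_SERVER' => $sampleServer,
    '_COOKIE' => $sampleCookie,
    '_POST'   => $samplePost,
], $blacklist);

foreach ($shown as $bag => $values) {
    echo "$bag\n";
    foreach ($values as $key => $value) {
        echo "  $key = " . (is_array($value) ? json_encode($value) : $value) . "\n";
    }
}
```

Run it with php from the command line: DB_PASSWORD comes out as asterisks under both _ENV and _SERVER, APP_URL and QUERY_STRING stay readable under _SERVER because of the whitelist, argv is left untouched because it is not a string, and the password field under _POST is masked. In a real config/app.php you would assign buildDebugBlacklist($_ENV, $_SERVER, $_COOKIE) to 'debug_blacklist'. Note that the blacklist only masks the superglobal tables on the whoops page; a secret that reaches the output some other way (for example inside an exception message) is not covered, so this complements APP_DEBUG=false outside development rather than replacing it.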