禁止公共访问env文件 [英] Prevent public access to env file
问题描述
我刚刚发现Laravel 5可能会输出敏感数据,并可能导致对许多主机的进一步利用:
I just found that Laravel 5 may output sensitive data and can lead to further exploitation of many hosts:
https://www.google.com/search?q = intext%3ADB_PASSWORD + ext%3Aenv& gws_rd = ssl
我想知道保护我的.env
文件的方法.我可以使用.htaccess
文件中的以下代码来保护我的.env
文件不受浏览器视图的攻击吗?
I want to know the way to secure my .env
file. Can I use below code in .htaccess
file to protect my .env
file from browser view?
# Protect .env
<Files .env>
Order Allow,Deny
Deny from all
</Files>
我在.htaccess
中的上述代码可以正常工作并保护我的.env
文件吗?
Will my above code in .htaccess
work and protect my .env
file?
推荐答案
这不是漏洞,并且即使有人正确安装了Laravel,也不是一个远程问题-webroot是public
文件夹,而不是存储库/项目根目录.
This isn't a vulnerability, and isn't even remotely an issue provided someone installs Laravel correctly - the webroot is the public
folder, not the repository/project root.
laravel中的配置文件和.env
文件不包含在webroot中,因此您只需要确保您的webroot为path/to/project/public
.
The config files and .env
file in laravel are not contained in the webroot, therefore you only need to ensure your webroot is path/to/project/public
.
您提供的google查询实际上只是一群在安装Laravel之前没有阅读过文档的人.
The google query you provided is literally just a bunch of people who didn't read the documentation before installing Laravel.
这篇关于禁止公共访问env文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!