0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AdminBrandingController.php:248

Bug: Double-quote / CRLF stripped, but $ still allowed.

Fix: Strip or reject $ in addition to existing strips.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:46pm

Resolved.

AdminBrandingController::updateEnvAppName now also strips $ from the site name before writing to .env (src/Controllers/AdminBrandingController.php). Prevents phpdotenv variable-expansion behaviour from interpreting a crafted site name as a reference to another env var.

Locking this thread.
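As an added example (not the project's own code), a hardened version of the env-writing step described above: the site name is stripped of double quotes, CR/LF and `$` (plus backslash, an extra assumption here, since `\"` would escape the closing quote in a double-quoted dotenv value) before the `APP_NAME` line is rewritten. The function names and the sample `.env` are constructed for this illustration.

```php
<?php
// Hardened write of APP_NAME to .env (added example, not the project's code).
// Assumes the line is stored as APP_NAME="..." and that the dotenv loader expands
// $VAR / ${VAR} inside double-quoted values, as the thread describes.

function sanitizeSiteName(string $name): string
{
    // Characters that could close the quoted value, start a new KEY=VALUE line,
    // or be read as a variable reference by the loader. Backslash is stripped too
    // because a trailing \ would escape the closing quote (assumption, not on the page).
    $clean = trim(str_replace(['"', "\r", "\n", '$', '\\'], '', $name));
    if ($clean === '') {
        throw new InvalidArgumentException('Site name is empty after sanitising');
    }
    return $clean;
}

function updateEnvAppName(string $envContents, string $siteName): string
{
    $value = sanitizeSiteName($siteName);
    $line  = 'APP_NAME="' . $value . '"';

    // Replace an existing APP_NAME line in place; append one if none exists.
    // $value contains no "$" or "\", so it is safe as a preg_replace replacement.
    $pattern = '/^APP_NAME=.*$/m';
    if (preg_match($pattern, $envContents)) {
        return preg_replace($pattern, $line, $envContents, 1);
    }
    return rtrim($envContents, "\r\n") . "\n" . $line . "\n";
}

// Constructed sample .env and a crafted site name that, unsanitised, would be
// written as APP_NAME="Shop ${DB_PASSWORD}" and expanded by the loader.
$env     = "APP_ENV=production\nAPP_NAME=\"Old Name\"\nDB_PASSWORD=secret\n";
$crafted = 'Shop ${DB_PASSWORD}';

echo updateEnvAppName($env, $crafted);
```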
