Environment & server variables are available in all templates

[dsazup]

Because decrement tag uses $_SERVER to store values, it is possible to get any variable from it. We store some environment variables in $_SERVER and user could do {{ DB_PASSWORD }} or any other server variable and he would be able to see that value. Is this not considered a security issue ?Should decrement really touch $_SERVER? could it not store data in registers or assigns?

[sanmai]

Care to provide an example for the issue? Thanks.

[dsazup]

Sure,

lets say we have this code in a file named test.php

<?php

require __DIR__ . '/vendor/autoload.php';

$liquid = new \Liquid\Template();
$liquid->parse('{{ MY_VARIABLE }}');

echo $liquid->render();

Now run this in your terminal. This is how we expose environment variables in our system, for example this could be DB_PASSWORD or other sensitive data such as GITHUB_API_KEY etc.

export MY_VARIABLE="this is an environment variable"

run php test.php and your should see this is an environment variable text. Notice we have not passed any data into render method, however this still works and shows the variable we exported in the terminal session.

[sanmai]

This looks very similar to this issue. I'll look into it. It is hard to tell why there's a need to pass $_SERVER in the context, but I guess we can safely pass a some subset of it.

[dsazup]

Yes looks very similar. The last time I looked into this was quite a while ago, but as far as I can remember this is because increment and decrement tags are using $_SERVER for storing data. And I guess this is because template class is not a singleton so it wants to retain the data in every instance?

We do not use these tags so I have just removed them from our fork (and the environments property), but it would be nice to fix this in the upstream.

[sanmai]

I believe they're using only the first element of that array, but later I'll see if anything breaks if I remove $_SERVER from there.

[dsazup]

Ah yes you are right, the exposed variables must come from here then https://github.com/harrydeluxe/php-liquid/blob/master/src/Liquid/Context.php#L210