What are the Slack Archives?
It’s a history of our time together in the Slack Community! There’s a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.
Hi all,
I am looking at the commit regarding the security issue in spryker/http
specifically this part
shouldn’t we return at line 35? The environment variable must have higher priority, right? If not, why don’t we just start by reading the config:
$uriSignerSecret = $this->get( HttpConstants::URI_SIGNER_SECRET_KEY, $uriSignerSecret, );
Because in the config we can set it to read the environment and return null if the env is not set. In that case the configuration will return null and the error will be triggered.
Something like this:
$config[HttpConstants::URI_SIGNER_SECRET_KEY] = getenv('SPRYKER_ZED_REQUEST_TOKEN') ?: null;
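The precedence the post argues for (environment first, config as fallback, hard failure when neither is set), as an added stand-alone example; this is not code from spryker/http, and the constant names, the resolver function and the closures standing in for getenv() are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not spryker/http code. Names are assumptions:
// the constant mirrors the thread, the resolver function is hypothetical.
const URI_SIGNER_SECRET_KEY = 'URI_SIGNER_SECRET_KEY';
const ENV_VAR = 'SPRYKER_ZED_REQUEST_TOKEN';

/**
 * Resolve the URI signer secret with the environment taking priority over
 * config. Empty strings count as "not set" so a blank env var or a null
 * config entry can never silently disable signing: the resolver fails closed.
 *
 * @param array<string, mixed> $config   the loaded config array
 * @param callable             $getenv   getenv()-like lookup (string|false)
 */
function resolveUriSignerSecret(array $config, callable $getenv): string
{
    $fromEnv = $getenv(ENV_VAR);
    if (is_string($fromEnv) && $fromEnv !== '') {
        return $fromEnv;                 // 1. environment wins
    }
    $fromConfig = $config[URI_SIGNER_SECRET_KEY] ?? null;
    if (is_string($fromConfig) && $fromConfig !== '') {
        return $fromConfig;              // 2. fall back to the config entry
    }
    // 3. neither source set: refuse to sign rather than use an empty secret
    throw new RuntimeException(
        'URI signer secret is not configured: set ' . ENV_VAR
        . ' or ' . URI_SIGNER_SECRET_KEY
    );
}

// Constructed stand-ins for getenv(); not real deployments.
$envWithToken = fn(string $name) => $name === ENV_VAR ? 'env-token' : false;
$envWithout   = fn(string $name) => false;

// Config written the way the post suggests: read the env var, else null.
$config = [URI_SIGNER_SECRET_KEY => $envWithToken(ENV_VAR) ?: null];

echo resolveUriSignerSecret($config, $envWithToken), PHP_EOL;
echo resolveUriSignerSecret([URI_SIGNER_SECRET_KEY => 'cfg-only'], $envWithout), PHP_EOL;

try {
    resolveUriSignerSecret([URI_SIGNER_SECRET_KEY => null], $envWithout);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;      // the error case the post describes
}
```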
Comments
-
First solution was revoked, with 1.7.1 you don't have to add the constant to config
0 -
sorry I did not get it
0 -
Just remove the entries in config related to the secret, do the composer update and make sure spryker/http is 1.7.1
0 -
by doing this we make hard dependency on an external environment variable
0 -
you meant removing the config constants and depending on the env vars only… did I get you right?
0 -
Are you in Spryker PaaS or different setup?
0 -
not in PaaS
0 -
ah, sorry (was talking about the PaaS). During error evaluation, I added the SPRYKER_ZED_REQUEST_TOKEN to my deploy file to pass the issue. But it was with 1.7.0
0 -
Is this already public or taken from email?
Since: "The information contained in this document is strictly confidential. It is intended only for the respective addressee and may not be disclosed and/or distributed without the prior consent of Spryker Systems GmbH"
0 -
The code discussed here is public on GitHub
0 -
@U01F7P3D9NH You do still have to add a config variable. In the 1.7.0 version the config entry was pulling its value from the env variable. In 1.7.1 it wants you to set a random value on the config entry as well as a random entry for the env variable.
The error message below it still mentions the "old" way of doing it though, which is just confusing, but that's probably just a leftover.
If you completely remove the
$config[HttpConstants::URI_SIGNER_SECRET_KEY]
it won't even work. This is also mentioned explicitly in the aforementioned secret email
0 -
But I agree with @UM9F81RCP. Why is the $default the environment variable while the config value is the one usually used? I would prefer not having this "secret" checked into git...
0 -
@U01TZ93MPSQ With 1.7.1 I don't have to add it. In PaaS/AWS you can store secrets in a Parameter Store, which is referenced from the environment secrets in the containers
0 -
Ah I see where the confusion comes from then. We are on-Prem
0