Merge branch '6.4' into 7.4

nicolas-grekas · nicolas-grekas · commit 82e9b1355c68 · 2026-05-11T15:02:51.000+02:00
* 6.4:
  [Scheduler] Make debug:scheduler test independent of terminal width
  [Messenger] Fix ErrorDetailsStampTest after dropping trace args from normalization
  [Scheduler] Use stored checkpoint as base date for debug:scheduler
  [Messenger] Drop trace args from FlattenException normalization
  [HttpKernel] Use backend-handled request for terminate listeners in HttpCache
  [WebProfilerBundle] Don’t try to access `RawMessage::$headers`
  [Security] Clarify AbstractToken's role-name decoupling and simplify ContextListener
  [Dotenv] Don't truncate OS env vars containing $ when $_ENV is unpopulated
diff --git a/Dotenv.php b/Dotenv.php
@@ -672,10 +672,11 @@ private function doLoad(bool $overrideExistingVars, array $paths): void
             unset($loadedVars['']);
 
             foreach ($values as $name => $_) {
-                if (!isset($this->overriddenValues[$name]) && isset($_ENV[$name])) {
-                    $this->overriddenValues[$name] = $_ENV[$name];
+                $alreadyExternal = isset($_ENV[$name]) || isset($_SERVER[$name]) && !str_starts_with($name, 'HTTP_');
+                if (!isset($this->overriddenValues[$name]) && $alreadyExternal) {
+                    $this->overriddenValues[$name] = $_ENV[$name] ?? $_SERVER[$name];
                 }
-                if (isset($loadedVars[$name]) || $overrideExistingVars || !isset($_ENV[$name])) {
+                if (isset($loadedVars[$name]) || $overrideExistingVars || !$alreadyExternal) {
                     $this->loadedRawVars[$name] = true;
                 }
             }
diff --git a/Tests/DotenvTest.php b/Tests/DotenvTest.php
@@ -270,6 +270,36 @@ public function testLoadDoesNotReResolveAlreadyLoadedVars()
         }
     }
 
+    public function testLoadDoesNotResolveExternalEnvVarsOnlyPresentInServer()
+    {
+        // Mimics PHP's default `variables_order = "GPCS"` (no `E`) where
+        // OS-provided environment variables (e.g. from Kubernetes envFrom or
+        // Docker) are placed in $_SERVER but not in $_ENV when PHP starts.
+        // Such values must be left untouched by Dotenv even when the same key
+        // has a default value in the loaded .env file.
+        unset($_ENV['FOO'], $_SERVER['FOO'], $_ENV['SYMFONY_DOTENV_VARS'], $_SERVER['SYMFONY_DOTENV_VARS']);
+        putenv('FOO');
+        putenv('SYMFONY_DOTENV_VARS');
+
+        $_SERVER['FOO'] = 'abc$def';
+
+        @mkdir($tmpdir = sys_get_temp_dir().'/dotenv');
+        $path = tempnam($tmpdir, 'sf-');
+        file_put_contents($path, "FOO=default\n");
+
+        try {
+            (new Dotenv())->loadEnv($path, defaultEnv: 'prod');
+            $this->assertSame('abc$def', $_ENV['FOO']);
+            $this->assertSame('abc$def', $_SERVER['FOO']);
+        } finally {
+            unset($_ENV['FOO'], $_SERVER['FOO'], $_ENV['SYMFONY_DOTENV_VARS'], $_SERVER['SYMFONY_DOTENV_VARS']);
+            putenv('FOO');
+            putenv('SYMFONY_DOTENV_VARS');
+            unlink($path);
+            @rmdir($tmpdir);
+        }
+    }
+
     public function testLoadEnv()
     {
         $resetContext = static function (): void {

Original file line number	Diff line number	Diff line change
`@@ -672,10 +672,11 @@ private function doLoad(bool $overrideExistingVars, array $paths): void`
`672`	`672`	`unset($loadedVars['']);`
`673`	`673`
`674`	`674`	`foreach ($values as $name => $_) {`
`675`		`- if (!isset($this->overriddenValues[$name]) && isset($_ENV[$name])) {`
`676`		`- $this->overriddenValues[$name] = $_ENV[$name];`
	`675`	`+ $alreadyExternal = isset($_ENV[$name]) \|\| isset($_SERVER[$name]) && !str_starts_with($name, 'HTTP_');`
	`676`	`+ if (!isset($this->overriddenValues[$name]) && $alreadyExternal) {`
	`677`	`+ $this->overriddenValues[$name] = $_ENV[$name] ?? $_SERVER[$name];`
`677`	`678`	`}`
`678`		`- if (isset($loadedVars[$name]) \|\| $overrideExistingVars \|\| !isset($_ENV[$name])) {`
	`679`	`+ if (isset($loadedVars[$name]) \|\| $overrideExistingVars \|\| !$alreadyExternal) {`
`679`	`680`	`$this->loadedRawVars[$name] = true;`
`680`	`681`	`}`
`681`	`682`	`}`