[Dotenv] Don't truncate OS env vars containing $ when $_ENV is unpopulated

HMAZonderland · HMAZonderland · commit e25b00497fe7 · 2026-05-06T16:07:03.000+02:00
PR #63955 introduced `loadedRawVars` tracking in `doLoad()`. Its check
`!isset($_ENV[$name])` was meant to protect host-provided environment
variables from being processed by `resolveLoadedVars()`. However, with
PHP's default `variables_order = "GPCS"` (no `E`), OS-provided env vars
are placed in $_SERVER but not in $_ENV when PHP starts.

As a result, an externally provided value like `abc$def` was added to
`loadedRawVars`, and then `resolveLoadedVars()` interpreted the literal
`$` as a variable reference and truncated the value to `abc`.

Mirror the existing behavior of `populate()` which already considers
$_SERVER as a source of pre-existing env vars, so externally provided
values are correctly recognized regardless of `variables_order`.
diff --git a/Dotenv.php b/Dotenv.php
@@ -673,10 +673,11 @@ private function doLoad(bool $overrideExistingVars, array $paths): void
             unset($loadedVars['']);
 
             foreach ($values as $name => $_) {
-                if (!isset($this->overriddenValues[$name]) && isset($_ENV[$name])) {
-                    $this->overriddenValues[$name] = $_ENV[$name];
+                $alreadyExternal = isset($_ENV[$name]) || isset($_SERVER[$name]) && !str_starts_with($name, 'HTTP_');
+                if (!isset($this->overriddenValues[$name]) && $alreadyExternal) {
+                    $this->overriddenValues[$name] = $_ENV[$name] ?? $_SERVER[$name];
                 }
-                if (isset($loadedVars[$name]) || $overrideExistingVars || !isset($_ENV[$name])) {
+                if (isset($loadedVars[$name]) || $overrideExistingVars || !$alreadyExternal) {
                     $this->loadedRawVars[$name] = true;
                 }
             }
diff --git a/Tests/DotenvTest.php b/Tests/DotenvTest.php
@@ -273,6 +273,36 @@ public function testLoadDoesNotReResolveAlreadyLoadedVars()
         }
     }
 
+    public function testLoadDoesNotResolveExternalEnvVarsOnlyPresentInServer()
+    {
+        // Mimics PHP's default `variables_order = "GPCS"` (no `E`) where
+        // OS-provided environment variables (e.g. from Kubernetes envFrom or
+        // Docker) are placed in $_SERVER but not in $_ENV when PHP starts.
+        // Such values must be left untouched by Dotenv even when the same key
+        // has a default value in the loaded .env file.
+        unset($_ENV['FOO'], $_SERVER['FOO'], $_ENV['SYMFONY_DOTENV_VARS'], $_SERVER['SYMFONY_DOTENV_VARS']);
+        putenv('FOO');
+        putenv('SYMFONY_DOTENV_VARS');
+
+        $_SERVER['FOO'] = 'abc$def';
+
+        @mkdir($tmpdir = sys_get_temp_dir().'/dotenv');
+        $path = tempnam($tmpdir, 'sf-');
+        file_put_contents($path, "FOO=default\n");
+
+        try {
+            (new Dotenv())->loadEnv($path, defaultEnv: 'prod');
+            $this->assertSame('abc$def', $_ENV['FOO']);
+            $this->assertSame('abc$def', $_SERVER['FOO']);
+        } finally {
+            unset($_ENV['FOO'], $_SERVER['FOO'], $_ENV['SYMFONY_DOTENV_VARS'], $_SERVER['SYMFONY_DOTENV_VARS']);
+            putenv('FOO');
+            putenv('SYMFONY_DOTENV_VARS');
+            unlink($path);
+            @rmdir($tmpdir);
+        }
+    }
+
     public function testLoadEnv()
     {
         $resetContext = static function (): void {

Original file line number	Diff line number	Diff line change
`@@ -673,10 +673,11 @@ private function doLoad(bool $overrideExistingVars, array $paths): void`
`673`	`673`	`unset($loadedVars['']);`
`674`	`674`
`675`	`675`	`foreach ($values as $name => $_) {`
`676`		`- if (!isset($this->overriddenValues[$name]) && isset($_ENV[$name])) {`
`677`		`- $this->overriddenValues[$name] = $_ENV[$name];`
	`676`	`+ $alreadyExternal = isset($_ENV[$name]) \|\| isset($_SERVER[$name]) && !str_starts_with($name, 'HTTP_');`
	`677`	`+ if (!isset($this->overriddenValues[$name]) && $alreadyExternal) {`
	`678`	`+ $this->overriddenValues[$name] = $_ENV[$name] ?? $_SERVER[$name];`
`678`	`679`	`}`
`679`		`- if (isset($loadedVars[$name]) \|\| $overrideExistingVars \|\| !isset($_ENV[$name])) {`
	`680`	`+ if (isset($loadedVars[$name]) \|\| $overrideExistingVars \|\| !$alreadyExternal) {`
`680`	`681`	`$this->loadedRawVars[$name] = true;`
`681`	`682`	`}`
`682`	`683`	`}`