This anonymise filter is used in the system check page where the user can copy an anonymised version of the system report.
I noticed for example should the DB prefix be matomo_ and the DB user be matomo, then the system check would actually say DB Prefix: $DB_USERNAME_, thus exposing that the DB username is matomo. In a similar way, if say the DB host is localhost, and some value in the system check page includes localhost, then this would be replaced with $DB_HOST, therefore exposing the host.
I now changed it to an equals so $DB_HOST will only be shown when the value matches, not contains. This can still be an issue though, e.g. when the DB prefix is matomo or a value in the system check page is localhost. So maybe we should actually just remove the replacement of these DB related variables to not accidentally leak any information. Will change this in the following commit to no longer do any such replacement.
I guess it was there just in case someone would add print DB User in a system check entry or through some kind of backtrace or something but thinking about it, it should not be an issue.
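
The leak described above, as an added example that is not Matomo's code and not part of the original description: it compares a contains-based and an equals-based replacement over a constructed report and lists the entries where a placeholder still reveals a secret. All function names, report labels and values are assumptions made for illustration.

```php
<?php
// Constructed values; all names here are hypothetical, not Matomo's code.
$secrets = ['$DB_USERNAME' => 'matomo', '$DB_HOST' => 'localhost'];
$report = [
    'DB Prefix'   => 'matomo_',
    'Tracker URL' => 'http://localhost/matomo.php',
    'PHP SAPI'    => 'fpm-fcgi',
];

// Variant 1: replace every occurrence of a secret inside a value (contains).
function anonymiseContains(array $report, array $secrets): array
{
    $out = [];
    foreach ($report as $label => $value) {
        $out[$label] = str_replace(array_values($secrets), array_keys($secrets), $value);
    }
    return $out;
}

// Variant 2: replace only when the whole value equals a secret (equals).
function anonymiseEquals(array $report, array $secrets): array
{
    $out = [];
    foreach ($report as $label => $value) {
        $placeholder = array_search($value, $secrets, true);
        $out[$label] = $placeholder === false ? $value : $placeholder;
    }
    return $out;
}

// A placeholder in the output tells the reader which secret the original
// value contained, so collect every entry where one appears.
function leakedPlaceholders(array $anonymised, array $secrets): array
{
    $leaks = [];
    foreach ($anonymised as $label => $value) {
        foreach (array_keys($secrets) as $placeholder) {
            if (strpos($value, $placeholder) !== false) {
                $leaks[$label] = $value;
            }
        }
    }
    return $leaks;
}

print_r(leakedPlaceholders(anonymiseContains($report, $secrets), $secrets));
print_r(leakedPlaceholders(anonymiseEquals($report, $secrets), $secrets));
$report['DB Prefix'] = 'matomo'; // remaining case: prefix equals the username
print_r(leakedPlaceholders(anonymiseEquals($report, $secrets), $secrets));
```

The first call flags both the prefix and the URL, the second flags nothing, and the third flags the prefix again, which is the case that motivates dropping the replacement entirely.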