This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/19749] Filter duplicate environment variables
- From: "stephane.chazelas+sourceware at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 01 Mar 2016 22:09:31 +0000
- Subject: [Bug libc/19749] Filter duplicate environment variables
- Auto-submitted: auto-generated
- References: <bug-19749-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=19749
Stephane Chazelas <stephane.chazelas+sourceware at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |stephane.chazelas+sourcewar
| |e at gmail dot com
--- Comment #1 from Stephane Chazelas <stephane.chazelas+sourceware at gmail dot com> ---
To add a bit of context, in:
setenv("PATH", "sane-value", 1);
system("some-cmd");
in an executable (like a setuid/setgid executable) that has been called with
envp[] having both "PATH=whatever" and "PATH=evil-path", setenv() will update
the first "PATH" entry, but leave the other ones untouched and system() will
execute sh with both "PATH=sane-value" and "PATH=evil-path" in its envp[].
Some sh implementations like ksh93 or zsh will consider the first env entry
when there are duplicates, some like bash, dash, yash, mksh will consider the
last. Some will remove duplicates, some will not. perl used to get the last
when filling in %ENV upon initialisation but set the first upon assigning %ENV
entries (also fooling taint-mode safeguards) and has now been fixed.
When discussed privately among shell and perl maintainers (and
Debian/Redhat/Suse seclists), bash, mksh and dash maintainers have declined
changing their shell so they get the first env var entry, arguing that the
issue should be fixed at the libc or kernel level. ksh93 and zsh are not
affected.
--
You are receiving this mail because:
You are on the CC list for the bug.