2015-10-25 17:03 GMT+01:00 Stefan Sperling <s...@stsp.name>:
> On Sun, Oct 25, 2015 at 04:36:29PM +0100, Vadim Zhukov wrote:
>> This patch restricts characters you could use in environment variable
>> names passed via execve(2). Note that values are not affected, you're
>> still allowed to pass anything there.
>>
>> Everything starts fine like before for me as of now, including
>> a couple of daemons and Iridium browser.
>>
>> okay? Or do we want environment variables named in UTF-8?
>>
>> --
>> WBR,
>>   Vadim Zhukov
>
> It seems POSIX gives us a good hint as to how restrictive we could be:
>
> http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html
>
> """
> Environment variable names used by the utilities in the Shell and
> Utilities volume of POSIX.1-2008 consist solely of uppercase letters,
> digits, and the <underscore> ( '_' ) from the characters defined in
> Portable Character Set and do not begin with a digit.
> [...]
> The name space of environment variable names containing lowercase
> letters is reserved for applications.
> """

Yeah, but we have a lot of exotic names in the wild already. :( naddy@
has just shown what bash does, for example, and I'm still feeling shocked.
All I wanted was to apply a big filter for harmful data.

But now I see that ps -e allows you to view the _current_ values of
envvars, not the passed ones. So a hacked program could provide
anything it wants to the admin looking at the ps output.

So, please, disregard that patch, I'll have to find a better solution.

--
  WBR,
  Vadim Zhukov
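
The naming rule quoted from POSIX above, written out as a check on "NAME=value" strings. This is an added example, not part of the thread and not the patch under discussion; `classify_env`, `count_rejected` and the sample environment are hypothetical names and constructed data, and ASCII is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ordered from the strictest acceptable class to the worst. */
enum env_class { ENV_POSIX_UTIL, ENV_APP_NAMESPACE, ENV_EXOTIC, ENV_MALFORMED };

/* Classify one "NAME=value" entry by its name only; the value is never read. */
enum env_class classify_env(const char *entry)
{
    const char *eq = strchr(entry, '=');
    int lower = 0;
    if (eq == NULL || eq == entry)
        return ENV_MALFORMED;            /* no '=' or empty name */
    if (entry[0] >= '0' && entry[0] <= '9')
        return ENV_EXOTIC;               /* must not begin with a digit */
    for (const char *p = entry; p < eq; p++) {
        unsigned char c = (unsigned char)*p;
        if ((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_')
            continue;
        if (c >= 'a' && c <= 'z')
            lower = 1;                   /* namespace reserved for applications */
        else
            return ENV_EXOTIC;           /* punctuation, control or 8-bit byte */
    }
    return lower ? ENV_APP_NAMESPACE : ENV_POSIX_UTIL;
}

/* Count the entries a filter accepting classes <= max_allowed would refuse. */
size_t count_rejected(char *const envp[], enum env_class max_allowed)
{
    size_t n = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (classify_env(envp[i]) > max_allowed)
            n++;
    return n;
}

/* Constructed sample environment, not taken from the thread. */
char *const sample_env[] = {
    "PATH=/bin", "http_proxy=http://proxy.example:3128", "LANG=\xc3\xa9",
    "my.var=1", "BAD\nNAME=1", "9LIVES=1", "=novalue", NULL
};

int main(void)
{
    printf("strict rejects %zu, lenient rejects %zu\n",
        count_rejected(sample_env, ENV_POSIX_UTIL),
        count_rejected(sample_env, ENV_APP_NAMESPACE));
}
```

The check looks only at the strings handed over at exec time, so it says nothing about what a process later writes into its own environment area.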
