You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If duplicate environment variables appear in envp, fish currently uses the value implied by the last one, while getenv returns the first one. "This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking."
fish should follow Perl and others in using the first, not last, environment variable.
ridiculousfish
changed the title
fish to use first environment variable, not last
Use first environment variable, not last, when there are duplicates
Mar 1, 2016
If duplicate environment variables appear in envp, fish currently uses the value implied by the last one, while getenv returns the first one. "This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking."
fish should follow Perl and others in using the first, not last, environment variable.
Related CVE-2016-2381, https://lists.debian.org/debian-security-announce/2016/msg00072.html
The text was updated successfully, but these errors were encountered: