Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use first environment variable, not last, when there are duplicates #2784

Closed
ridiculousfish opened this issue Mar 1, 2016 · 1 comment
Closed

Use first environment variable, not last, when there are duplicates #2784

ridiculousfish opened this issue Mar 1, 2016 · 1 comment
Assignees
@ridiculousfish
Milestone
fish 2.3.0

Comments

@ridiculousfish
Copy link
Member

If duplicate environment variables appear in envp, fish currently uses the value implied by the last one, while getenv returns the first one. "This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking."

fish should follow Perl and others in using the first, not last, environment variable.

Related CVE-2016-2381, https://lists.debian.org/debian-security-announce/2016/msg00072.html
@ridiculousfish ridiculousfish self-assigned this Mar 1, 2016
@ridiculousfish ridiculousfish added this to the next-2.x milestone Mar 1, 2016
@ridiculousfish ridiculousfish changed the title fish to use first environment variable, not last Use first environment variable, not last, when there are duplicates Mar 1, 2016
@ridiculousfish ridiculousfish mentioned this issue Mar 5, 2016
Closed
@zanchey
Copy link
Member

zanchey commented Mar 6, 2016

👏 I don't think there's necessarily a vulnerability in fish here but this is a good fix.

floam pushed a commit to floam/fish-shell that referenced this issue Mar 15, 2016
@ridiculousfish @floam
Prefer the first, not last, of any env var duplicates
79f0423 
If envp contains duplicate environment variables, use the
first value, not the last value. Fixes fish-shell#2784.
floam pushed a commit to floam/fish-shell that referenced this issue Apr 3, 2016
@ridiculousfish @floam
Prefer the first, not last, of any env var duplicates
42b34f6 
If envp contains duplicate environment variables, use the
first value, not the last value. Fixes fish-shell#2784.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 18, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@ridiculousfish ridiculousfish

Labels
None yet
Projects
None yet
Milestone
fish 2.3.0
Development

No branches or pull requests
2 participants
@zanchey @ridiculousfish