[sudo-users] security bug -- sudo undefines functions in environment
Todd C. Miller
Todd.Miller at courtesan.com
Wed Aug 6 08:04:18 MDT 2014
On Wed, 06 Aug 2014 13:56:45 +0100, Tim Bradshaw wrote:
> Although it's pathological (and I suspect may not be compliant with
> whatever) at least some platforms allow '=' in environment variable
> names. I am not sure if this matters.
POSIX doesn't allow '=' in environment variable names. While BSD
setenv() has traditionally allowed a '=' in the name, it is treated
like the end of string and is not actually stored.
- todd
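
An added example (not part of the original message and not sudo's code) showing the two points in the reply on a POSIX-conforming libc: setenv() rejects a name containing '=' with EINVAL, and in a "name=value" entry the name ends at the first '='. The helper names and the sample_env array are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample entries in envp form; not taken from the post. */
static char *const sample_env[] = {
    "PATH=/usr/bin", "A=B=C", "=orphan", "NOEQUALS", NULL
};

/* Length of the name in a "name=value" entry: the bytes before the first
 * '='. Returns 0 for a malformed entry (no '=' at all, or an empty name). */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return (eq == NULL || eq == entry) ? 0 : (size_t)(eq - entry);
}

/* Look up `name` in an envp-style array. A name that is empty or contains
 * '=' is not a valid POSIX name, so it can never match. */
static const char *env_lookup(char *const envp[], const char *name)
{
    size_t nlen = strlen(name);
    if (nlen == 0 || strchr(name, '=') != NULL)
        return NULL;
    for (; *envp != NULL; envp++)
        if (env_name_len(*envp) == nlen && strncmp(*envp, name, nlen) == 0)
            return *envp + nlen + 1;
    return NULL;
}

/* Call setenv() with `name`; return 0 on success, else the errno it set. */
static int setenv_errno(const char *name)
{
    errno = 0;
    if (setenv(name, "x", 1) != 0)
        return errno;
    unsetenv(name);
    return 0;
}

int main(void)
{
    printf("A      -> %s\n", env_lookup(sample_env, "A"));
    printf("A=B    -> %s\n", env_lookup(sample_env, "A=B") ? "found" : "no match");
    printf("setenv(\"A=B\") EINVAL: %d\n", setenv_errno("A=B") == EINVAL);
    return 0;
}
```

Code that filters an environment before running a child process should split each entry at the first '=' in this way, so that "A=B=C" is treated as name "A" with value "B=C".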