Skip to content

init: do not print environment variable value#3850

Merged
AkihiroSuda merged 1 commit intoopencontainers:mainfrom
cyphar:env-nul-byte
Apr 29, 2023
Merged

init: do not print environment variable value#3850
AkihiroSuda merged 1 commit intoopencontainers:mainfrom
cyphar:env-nul-byte

Conversation

@cyphar
Copy link
Member

@cyphar cyphar commented Apr 28, 2023
edited
Loading

When given an environment variable that is invalid, it's not a good idea to output the contents in case they are supposed to be private (though such a container wouldn't start anyway so it seems unlikely there's a real way to use this to exfiltrate environment variables you didn't already know).

Reported-by: Carl Henrik Lunde chlunde@ifi.uio.no
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

/cc @chlunde

@cyphar
Copy link
Member Author

cyphar commented Apr 28, 2023

I'm still not sure what to do with environment variables that don't have an = -- there isn't an obvious thing to output in this case. We could output a hash of the environment variable but that's probably less useful than just giving a generic error saying that all environment variables must contain a =.

@cyphar
init: do not print environment variable value
20e38fb 
When given an environment variable that is invalid, it's not a good idea
to output the contents in case they are supposed to be private (though
such a container wouldn't start anyway so it seems unlikely there's a
real way to use this to exfiltrate environment variables you didn't
already know).

Reported-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
kolyshkin
kolyshkin approved these changes Apr 28, 2023
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@AkihiroSuda AkihiroSuda merged commit 253707d into opencontainers:main Apr 29, 2023
@AkihiroSuda AkihiroSuda added the backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 label Apr 29, 2023
@cyphar cyphar deleted the env-nul-byte branch April 29, 2023 10:10
@kolyshkin kolyshkin mentioned this pull request May 22, 2023
Merged
@kolyshkin
Copy link
Contributor

kolyshkin commented May 22, 2023

1.1 backport: #3879

@kolyshkin kolyshkin added backport/1.1-done A PR in main branch which has been backported to release-1.1 and removed backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 labels May 22, 2023
@kolyshkin kolyshkin mentioned this pull request Sep 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kolyshkin kolyshkin kolyshkin approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

backport/1.1-done A PR in main branch which has been backported to release-1.1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cyphar @kolyshkin @AkihiroSuda