coreutils: Protect against env -a for security by oech3 · Pull Request #10773 · uutils/coreutils

oech3 · 2026-02-06T18:18:53Z

env -a false ls does not fail. Works under masked /proc.
Closes #10135

github-actions · 2026-02-06T18:53:12Z

GNU testsuite comparison:

Skip an intermittent issue tests/tty/tty-eof (fails in this run but passes in the 'main' branch)
Skipping an intermittent issue tests/misc/usage_vs_getopt (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/shuf/shuf-reservoir (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/sort/sort-stale-thread-mem (passes in this run but fails in the 'main' branch)
Note: The gnu test tests/basenc/bounded-memory is now being skipped but was previously passing.

github-actions · 2026-02-07T08:03:06Z

GNU testsuite comparison:

Skip an intermittent issue tests/shuf/shuf-reservoir (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/sort/sort-stale-thread-mem (fails in this run but passes in the 'main' branch)

codspeed-hq · 2026-02-07T17:34:51Z

Merging this PR will not alter performance

✅ 35 untouched benchmarks
⏩ 287 skipped benchmarks¹

_{Comparing oech3:auxval (40581ee) with main (194d980)}

287 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

github-actions · 2026-02-08T16:59:29Z

GNU testsuite comparison:

GNU test failed: tests/cut/bounded-memory. tests/cut/bounded-memory is passing on 'main'. Maybe you have to rebase?
Congrats! The gnu test tests/pr/bounded-memory is no longer failing!

ChrisDryden · 2026-02-08T20:50:51Z

I think it would make sense for this code to go into the validation.rs file instead of in the main.rs, then you don't have to worry about importing libc.

It would be good to have an additional integration test that shows the env -a working

oech3 · 2026-02-08T20:52:59Z

It would be good to have an additional integration test that shows the env -a working

Did you mean coreutils is protected against env -a?

oech3 · 2026-02-08T21:04:48Z

coreutils/src/common/validation.rs

Lines 69 to 77 in 194d980

    
           /// Gets the binary path from command line arguments 
        
           /// # Panics 
        
           /// Panics if the binary path cannot be determined 
        
           pub fn binary_path(args: &mut impl Iterator<Item = OsString>) -> PathBuf { 
        
               match args.next() { 
        
                   Some(ref s) if !s.is_empty() => PathBuf::from(s), 
        
                   _ => std::env::current_exe().unwrap(), 
        
               } 
        
           }

Wait! Why are we using std::env::current_exe at here which depends on /proc?
cc: @Ecordonnier

oech3 · 2026-02-08T21:13:32Z

So should I imprement fn binary_path on Linux by auxval only?

github-actions · 2026-02-08T22:13:02Z

GNU testsuite comparison:

Congrats! The gnu test tests/tail/tail-n0f is now passing!

oech3 marked this pull request as ready for review February 6, 2026 19:18

oech3 force-pushed the auxval branch 3 times, most recently from 01b6655 to 753f86c Compare February 7, 2026 07:47

oech3 force-pushed the auxval branch from 753f86c to 94ee016 Compare February 7, 2026 16:20

This comment was marked as resolved.

Sign in to view

oech3 force-pushed the auxval branch 2 times, most recently from 59e307c to ac75ff7 Compare February 8, 2026 15:58

oech3 force-pushed the auxval branch 2 times, most recently from e3320d4 to 1337cbc Compare February 8, 2026 21:43

coreutils: Protect against env -a for security

40581ee

oech3 force-pushed the auxval branch from 1337cbc to 40581ee Compare February 8, 2026 21:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

coreutils: Protect against env -a for security#10773

coreutils: Protect against env -a for security#10773
oech3 wants to merge 1 commit intouutils:mainfrom
oech3:auxval

oech3 commented Feb 6, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 6, 2026

Uh oh!

github-actions bot commented Feb 7, 2026

Uh oh!

This comment was marked as resolved.

codspeed-hq bot commented Feb 7, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 8, 2026

Uh oh!

ChrisDryden commented Feb 8, 2026

Uh oh!

oech3 commented Feb 8, 2026

Uh oh!

oech3 commented Feb 8, 2026

Uh oh!

oech3 commented Feb 8, 2026

Uh oh!

github-actions bot commented Feb 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

oech3 commented Feb 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 6, 2026

Uh oh!

github-actions bot commented Feb 7, 2026

Uh oh!

This comment was marked as resolved.

codspeed-hq bot commented Feb 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Merging this PR will not alter performance

Footnotes

Uh oh!

github-actions bot commented Feb 8, 2026

Uh oh!

ChrisDryden commented Feb 8, 2026

Uh oh!

oech3 commented Feb 8, 2026

Uh oh!

oech3 commented Feb 8, 2026

Uh oh!

oech3 commented Feb 8, 2026

Uh oh!

github-actions bot commented Feb 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

oech3 commented Feb 6, 2026 •

edited

Loading

codspeed-hq bot commented Feb 7, 2026 •

edited

Loading