On 10/10/2014 02:16 AM, Eric Wong wrote:
> shyouhei / ruby-lang.org wrote:
>> This patch does not add a new feature, nor delete anything.  It just
>> changes the default behaviour when ruby spawns subprocesses.
>>
>>     Process.spawn('/usr/bin/printenv') # -> prints nothing
> 
> The potential for breakage is way too high.

I understand this.

> Losing some envs (e.g.
> PATH, TMPDIR, SHELL or HOME) can be disastrous and introduce new
> security problems.

After shellshock I started thinking that every environment variable shall be inspected before passing to another process.  There can be various ways, like introducing "the value is sane" flag to each env var (default false) and letting programs check them explicitly, for instance.  The approach in this patch is to force programmers to write what to pass.  For instance if you think PATH shall not be clobbered you should add {'PATH'=>ENV['PATH']}.

> Right now, everybody knows about shellshock and patching bash.

(I know at least one example who doesn't... the problem is that machine will not update ruby either)

> This is an over-reaction which causes needless breakage.
> 
> (Especially since your example never even spawns a shell)

What if the spawned subprocess then spawns its own shell?  Like I said ruby itself is immune to shellshock.  That doesn't mean all the subprocesses that we spawn are.  Same discussion goes to our subprocesses as well.  When they are not shells, that doesn't always mean they don't spawn a shell.
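The explicit-allowlist behaviour discussed in this thread can already be obtained without the proposed default change, through the `unsetenv_others: true` option that `Process.spawn` (and the Open3 wrappers built on it) accepts. The following is an added example, not shyouhei's patch or anything from the ruby-core thread: it spawns a child with only the variables the caller names, so a secret or an unexpected variable in the parent's environment (here a constructed `CONSTRUCTED_LEAK_TEST`) never reaches the child. It assumes a Ruby that ships `Open3.capture2` and the `unsetenv_others:` spawn option, and uses the running interpreter (`RbConfig.ruby`) as the child so it runs anywhere Ruby does.

```ruby
require 'open3'
require 'rbconfig'

# Spawn +cmd+ with an explicit environment: the variables named in +allow+
# are copied from the parent (if set), +extra+ is merged on top, and every
# other inherited variable is dropped via unsetenv_others: true.
# Returns [stdout, Process::Status].
def spawn_with_allowlist(cmd, allow: %w[PATH], extra: {})
  env = allow.each_with_object({}) { |k, h| h[k] = ENV[k] if ENV.key?(k) }
  env.merge!(extra)
  # Equivalent to Process.spawn(env, *cmd, unsetenv_others: true) with stdout captured.
  Open3.capture2(env, *cmd, unsetenv_others: true)
end

# Child command that reports which variable names it actually received.
# Using the current Ruby binary avoids depending on /usr/bin/printenv.
CHILD = [RbConfig.ruby, '--disable-gems', '-e', 'print ENV.keys.sort.join(",")'].freeze

# Run the child under the allowlist and return the variable names it saw.
def child_env_keys(allow: %w[PATH], extra: {})
  out, status = spawn_with_allowlist(CHILD, allow: allow, extra: extra)
  raise "child exited with #{status.exitstatus.inspect}" unless status.success?
  out.split(',')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed variable standing in for a credential or other parent-only state.
  ENV['CONSTRUCTED_LEAK_TEST'] = 'should-not-be-inherited'

  puts "inherited by default: #{Open3.capture2(*CHILD).first.split(',').include?('CONSTRUCTED_LEAK_TEST')}"
  puts "with allowlist:       #{child_env_keys(allow: %w[PATH]).inspect}"
  puts "allowlist + extra:    #{child_env_keys(allow: %w[PATH], extra: { 'CONSTRUCTED_EXTRA' => '1' }).inspect}"
end
```

The child receives exactly `PATH` (copied from the parent) plus whatever is passed in `extra`; the default `Process.spawn` call, by contrast, hands the whole parent environment down, which is the behaviour the patch in this thread proposes to flip.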