I guess, how to move this forward: Basically there should be, for every instance, a reasoned argument why passing that variable is safe, ideally verifiable by third parties (you can assume that I know about nothing about KDE, and we can’t assume anything about future maintainers).
That reasoned argument may have various forms, the only requirement is that it exists and that it is credible. For example:
- Longstanding practice of passing that value around through privilege escalation points (like the `LC_` variables)
- Explicit documentation by (the only plausible) user that the variable is safe to pass from untrusted sources (I can’t think of an example).
- Manual verification of all relevant users and some argument that they won’t change.
- Limiting the values to a strict range of clearly safe values.
In particular that last one could be attractive because it makes the research very localized and trivial to verify. For example, limiting KDE_SESSION_VERSION to only three values "", "3" and "4" would be, I guess, obviously safe, and sufficient?
Similarly COLUMNS/LINES limited to integers in range 10-200, with no leading zeroes or any funky formatting, could be fine.
The PLATFORMTHEME/STYLE_OVERRIDE are worse, in that just limiting them to known theme names is alone not enough to demonstrate that plugins can’t be loaded from untrusted directories. Perhaps there is a simple way to ensure that?
I guess, how to move this forward: Basically there should be, for every instance, a reasoned argument why passing that variable is safe, ideally verifiable by third parties (you can assume that I know about nothing about KDE, and we can’t assume anything about future maintainers).
That reasoned argument may have various forms, the only requirement is that it exists and that it is credible. For example:
- Longstanding practice of passing that value around through privilege escalation points (like the `LC_` variables)
- Explicit documentation by (the only plausible) user that the variable is safe to pass from untrusted sources (I can’t think of an example).
- Manual verification of all relevant users and some argument that they won’t change.
- Limiting the values to a strict range of clearly safe values.
In particular that last one could be attractive because it makes the research very localized and trivial to verify. For example, limiting KDE_SESSION_VERSION to only three values "", "3" and "4" would be, I guess, obviously safe, and sufficient?
Similarly COLUMNS/LINES limited to integers in range 10-200, with no leading zeroes or any funky formatting, could be fine.
The PLATFORMTHEME/ STYLE_OVERRIDE are worse, in that just limiting them to known theme names is alone not enough to demonstrate that plugins can’t be loaded from untrusted directories. Perhaps there is a simple way to ensure that?