From: Alessandro Astone <ales.astone@gmail.com>
Date: Tue, 24 Jun 2025 09:14:11 +0000 (+0200)
Subject: shell: Filter imported environment
X-Git-Tag: 1.5.4~2
X-Git-Url: https://glassweightruler.freedombox.rocks/gitweb/waydroid.git/commitdiff_plain/edb21c713bfd0fd26c87651efd212f2de59a792c?ds=sidebyside

shell: Filter imported environment

The classpath environment file might be user-writable, so we don't want the
user to be able to inject any variable in the container root shell.
---

diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py
index b8c0485..dc3011b 100644
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -434,13 +434,15 @@ def android_env_attach_options(args):
     command = ["lxc-attach", "-P", tools.config.defaults["lxc"],
                "-n", "waydroid", "--clear-env", "--",
                "/system/bin/cat" ,"/data/system/environ/classpath"]
+    allowed = ["CLASSPATH", "SYSTEMSERVER"]
     try:
         p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
         out, _ = p.communicate()
         if p.returncode == 0:
             for line in out.decode().splitlines():
                 _, k, v = line.split(' ', 2)
-                local_env[k] = v
+                if any(pattern in k for pattern in allowed):
+                    local_env[k] = v
     except:
         pass
     env = [k + "=" + v for k, v in local_env.items()]