From: Zac Medico Date: Fri, 7 Dec 2007 22:21:24 +0000 (-0000) Subject: Bug #189417 - Comment on how the whitelist and BASH_ENV are used to X-Git-Tag: v2.2_pre1~208 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=224b56c64db83e444da6e2cab20b35659bcae854;p=portage.git Bug #189417 - Comment on how the whitelist and BASH_ENV are used to prevent environment leakage. svn path=/main/trunk/; revision=8867 --- diff --git a/pym/portage/__init__.py b/pym/portage/__init__.py index dbbe97e3a..711355e01 100644 --- a/pym/portage/__init__.py +++ b/pym/portage/__init__.py @@ -860,9 +860,14 @@ class config(object): _environ_whitelist = [] - # Preserve backupenv values that are initialized in the config - # constructor. Also, preserve XARGS since it is set by the - # portage.data module. + # Whitelisted variables are always allowed to enter the ebuild + # environment. Generally, this only includes special portage + # variables. Ebuilds can unset variables that are not whitelisted + # and rely on them remaining unset for future phases, without them + # leaking back in from various locations (bug #189417). It's very + # important to set our special BASH_ENV variable in the ebuild + # environment in order to prevent sandbox from sourcing /etc/profile + # in it's bashrc (causing major leakage). _environ_whitelist += [ "BASH_ENV", "BUILD_PREFIX", "D", "DISTDIR", "DOC_SYMLINKS_DIR", "EBUILD_EXIT_STATUS_FILE",
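Review bot: The rewritten comment above `_environ_whitelist += [` drops the old explanation of why backupenv values initialized in the config constructor and XARGS (set by portage.data) are preserved. The list continues past the end of this hunk, so if those entries are still in it, their reason for being whitelisted is now undocumented. Per the new comment, every name in this list is always allowed into the ebuild environment, so each entry's reason matters. I would keep the old rationale as a closing sentence, e.g. `# Backupenv values initialized in the config constructor and XARGS (set by portage.data) are also preserved.` Separately, `in it's bashrc` should read `in its bashrc`.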