ssh/tailssh: filter accepted environment variables

Noted by @danderson Updates #3802 Change-Id: Iac70717ed57f11726209ac1ea93ddc6696605f94 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-14 06:57:31 +00:00 · 2022-04-21 14:40:32 -07:00
parent 89832c1a95
commit 8ac4d52b59
2 changed files with 35 additions and 1 deletions
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -220,7 +220,11 @@ func (ss *sshSession) launchProcess() error {
 	cmd := ss.cmd
 	cmd.Dir = ss.conn.localUser.HomeDir
 	cmd.Env = append(cmd.Env, envForUser(ss.conn.localUser)...)
-	cmd.Env = append(cmd.Env, ss.Environ()...)
+	for _, kv := range ss.Environ() {
+		if acceptEnvPair(kv) {
+			cmd.Env = append(cmd.Env, kv)
+		}
+	}

 	ci := ss.conn.info
 	cmd.Env = append(cmd.Env,
@@ -493,3 +497,14 @@ func updateStringInSlice(ss []string, a, b string) {
 		}
 	}
 }
+
+// acceptEnvPair reports whether the environment variable key=value pair
+// should be accepted from the client. It uses the same default as OpenSSH
+// AcceptEnv.
+func acceptEnvPair(kv string) bool {
+	k, _, ok := strings.Cut(kv, "=")
+	if !ok {
+		return false
+	}
+	return k == "TERM" || k == "LANG" || strings.HasPrefix(k, "LC_")
+}