Closed
Component: printenv
Description
The implementation silently ignores environment variables containing invalid UTF-8 bytes, while GNU printenv displays them and exits successfully. This breaks compatibility with tools that rely on environment inspection.
The problem is using env::var() and env::vars() instead of their _os() variants. These functions skip non-UTF-8 variables without any indication.
Reproduction
# GNU printenv shows it
LD_PRELOAD=$'/tmp/lib.so\xff' printenv LD_PRELOAD 2>/dev/null | od -An -tx1
# Output: 2f 74 6d 70 2f 6c 69 62 2e 73 6f ff 0a
# Exit: 0
# uutils printenv hides it
LD_PRELOAD=$'/tmp/lib.so\xff' printenv LD_PRELOAD 2>/dev/null | wc -c
# Output: 0
# Exit: 1
Impact
POSIX allows arbitrary bytes in environment strings.
Environment variables with invalid UTF-8 are occasionally found in real systems (corrupted configs, binary data in CGI environments, etc.).
The severity is dependent on the context but, for instance, it can be used to stealthily hide entries in LD_PRELOAD from the user.
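As an added example (not uutils code and not part of the report), the Rust program below shows the behaviour the issue describes from the defender's side: a lookup built on `env::var` loses a value containing an invalid byte (std returns `Err(VarError::NotUnicode)`, which the lossy lookup discards with `.ok()`), while `env::var_os` and `env::vars_os` return the raw bytes exactly as the kernel handed them to the process, so an inspection tool built on them cannot be made to skip an entry. The variable name `PRINTENV_DEMO_LD_PRELOAD` is hypothetical, chosen so the demo never touches the real `LD_PRELOAD`; its value is the constructed byte string from the reproduction. The byte-level `OsStr` access assumes a Unix target.

```rust
// Added example, not uutils code: `env::var` vs the `_os` variants
// when an environment value is not valid UTF-8.
use std::env;
use std::ffi::{OsStr, OsString};
use std::os::unix::ffi::{OsStrExt, OsStringExt};

/// Hypothetical variable name so the demo does not modify the real LD_PRELOAD.
const SAMPLE_NAME: &str = "PRINTENV_DEMO_LD_PRELOAD";

/// Constructed sample value: the path from the report with a trailing 0xff byte.
fn sample_value() -> OsString {
    OsString::from_vec(b"/tmp/lib.so\xff".to_vec())
}

/// Lossy lookup, modelled on code that uses `env::var` and ignores the error:
/// a non-UTF-8 value yields `None`, so the entry simply disappears.
fn lookup_utf8(name: &str) -> Option<String> {
    env::var(name).ok()
}

/// Byte-preserving lookup built on `env::var_os`: the value is returned
/// unchanged, which is what GNU printenv prints.
fn lookup_bytes(name: &str) -> Option<Vec<u8>> {
    env::var_os(name).map(|v| v.into_vec())
}

/// Audit helper: every variable whose value is not valid UTF-8, found with
/// `env::vars_os` so nothing can be skipped. Returns (name, raw value bytes).
fn non_utf8_vars() -> Vec<(OsString, Vec<u8>)> {
    env::vars_os()
        .filter(|(_, v)| v.to_str().is_none())
        .map(|(k, v)| (k, v.into_vec()))
        .collect()
}

/// Render a value for display: valid UTF-8 as-is, otherwise printable ASCII
/// bytes as themselves and every other byte as a \xNN escape, so an invalid
/// byte is visible to the person reading the listing instead of hidden.
fn render(value: &OsStr) -> String {
    match value.to_str() {
        Some(s) => s.to_string(),
        None => value
            .as_bytes()
            .iter()
            .map(|b| {
                if b.is_ascii_graphic() {
                    (*b as char).to_string()
                } else {
                    format!("\\x{:02x}", b)
                }
            })
            .collect(),
    }
}

fn main() {
    // `unsafe` is required on edition 2024 and harmless on older editions.
    unsafe { env::set_var(SAMPLE_NAME, sample_value()) };

    // Lossy lookup: None. Byte lookup: Some([.., 0xff]).
    println!("var():    {:?}", lookup_utf8(SAMPLE_NAME));
    println!("var_os(): {:?}", lookup_bytes(SAMPLE_NAME));

    // A byte-faithful listing still shows the entry.
    for (name, value) in non_utf8_vars() {
        println!("non-UTF-8: {}={}", render(&name), render(OsStr::from_bytes(&value)));
    }
}
```

Running it prints `var(): None` for the sample variable and `var_os(): Some([...])` ending in `255`, and the audit loop lists `PRINTENV_DEMO_LD_PRELOAD=/tmp/lib.so\xff`. The same `vars_os` plus escaped rendering is the shape a printenv that matches GNU behaviour, or any environment-inspection tool, needs: decode for display only, never for deciding whether an entry exists.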