* QT_STYLE_OVERRIDE: Apparently this can dynamically load plugins? Why is it safe? It might be, but the path lookup stack is too deep for a quick inspection or to be confident that it doesn’t pull from the current directory or so.
* QT_QPA_PLATFORMTHEME: Similar, and there is even an explicit -platformpluginpath
I’m sorry but this does not look all that obviously safe and I probably won’t have time to do a week-long research on this. Colin, if you know more, feel free to merge.
From an one-minute look:
* KDE_SESSION_ VERSION: /userbase. kde.org/ KDE_System_ Administration/ Environment_ Variables: SESSION_ VERSION} -onfig.
https:/
> This allows one to know which kde?-config to run: kde${KDE_
explicitly recommending to use the variable in an unsafe way. (and /usr/bin/xdg-* programs really do that!)
* GNOME_DESKTOP_ SESSION_ ID: Reportedly deprecated since 2009 ( https:/ /bugzilla. redhat. com/show_ bug.cgi? id=529287 )
* QT_STYLE_OVERRIDE: Apparently this can dynamically load plugins? Why is it safe? It might be, but the path lookup stack is too deep for a quick inspection or to be confident that it doesn’t pull from the current directory or so.
* QT_QPA_ PLATFORMTHEME: Similar, and there is even an explicit -platformpluginpath
I’m sorry but this does not look all that obviously safe and I probably won’t have time to do a week-long research on this. Colin, if you know more, feel free to merge.