Comment 9 for bug 1500307

From an one-minute look:

* KDE_SESSION_VERSION:
https://userbase.kde.org/KDE_System_Administration/Environment_Variables:
 > This allows one to know which kde?-config to run: kde${KDE_SESSION_VERSION}-onfig.

explicitly recommending to use the variable in an unsafe way. (and /usr/bin/xdg-* programs really do that!)

* GNOME_DESKTOP_SESSION_ID: Reportedly deprecated since 2009 ( https://bugzilla.redhat.com/show_bug.cgi?id=529287 )

* QT_STYLE_OVERRIDE: Apparently this can dynamically load plugins? Why is it safe? It might be, but the path lookup stack is too deep for a quick inspection or to be confident that it doesn’t pull from the current directory or so.

* QT_QPA_PLATFORMTHEME: Similar, and there is even an explicit -platformpluginpath

I’m sorry but this does not look all that obviously safe and I probably won’t have time to do a week-long research on this. Colin, if you know more, feel free to merge.