Introduce unsafe methods for mutating environment

jhpratt · jhpratt · commit 4c6e77c4a727 · 2022-03-05T23:36:27.000-05:00
diff --git a/library/std/src/env.rs b/library/std/src/env.rs
@@ -338,10 +338,43 @@ impl Error for VarError {
 /// ```
 #[stable(feature = "env", since = "1.0.0")]
 pub fn set_var<K: AsRef<OsStr>, V: AsRef<OsStr>>(key: K, value: V) {
+    // Safety: This isn't sound. See #27970 for details.
+    unsafe { _set_var(key.as_ref(), value.as_ref()) }
+}
+
+/// Sets the environment variable `key` to the value `value` for the currently running
+/// process.
+///
+/// # Panics
+///
+/// This function may panic if `key` is empty, contains an ASCII equals sign `'='`
+/// or the NUL character `'\0'`, or when `value` contains the NUL character.
+///
+/// # Safety
+///
+/// Some platforms only expose non-threadsafe APIs for altering the environment.
+/// On these platforms, you must ensure this method is not called when the
+/// program is multithreaded and any other thread could be reading or writing
+/// the environment.
+///
+/// # Examples
+///
+/// ```no_run
+/// #![feature(unsafe_env)]
+/// use std::env;
+///
+/// let key = "KEY";
+/// unsafe { env::set(key, "VALUE"); } // Make sure you're single-threaded!
+/// assert_eq!(env::var(key), Ok("VALUE".to_string()));
+/// ```
+#[unstable(feature = "unsafe_env", issue = "none")]
+pub unsafe fn set<K: AsRef<OsStr>, V: AsRef<OsStr>>(key: K, value: V) {
     _set_var(key.as_ref(), value.as_ref())
 }
 
-fn _set_var(key: &OsStr, value: &OsStr) {
+// Safety: This can only be called when the program is single-threaded or when
+// no other thread touches the environment.
+unsafe fn _set_var(key: &OsStr, value: &OsStr) {
     os_imp::setenv(key, value).unwrap_or_else(|e| {
         panic!("failed to set environment variable `{:?}` to `{:?}`: {}", key, value, e)
     })
@@ -380,10 +413,46 @@ fn _set_var(key: &OsStr, value: &OsStr) {
 /// ```
 #[stable(feature = "env", since = "1.0.0")]
 pub fn remove_var<K: AsRef<OsStr>>(key: K) {
+    // Safety: This isn't sound. See #27970 for details.
+    unsafe { _remove_var(key.as_ref()) }
+}
+
+/// Removes an environment variable from the environment of the currently running process.
+///
+/// # Panics
+///
+/// This function may panic if `key` is empty, contains an ASCII equals sign
+/// `'='` or the NUL character `'\0'`, or when the value contains the NUL
+/// character.
+///
+/// # Safety
+///
+/// Some platforms only expose non-threadsafe APIs for altering the environment.
+/// On these platforms, you must ensure this method is not called when the
+/// program is multithreaded and any other thread could be reading or writing
+/// the environment.
+///
+/// # Examples
+///
+/// ```no_run
+/// #![feature(unsafe_env)]
+/// use std::env;
+///
+/// let key = "KEY";
+/// unsafe { env::set(key, "VALUE"); } // Make sure you're single-threaded!
+/// assert_eq!(env::var(key), Ok("VALUE".to_string()));
+///
+/// unsafe { env::unset(key); } // Make sure you're single-threaded!
+/// assert!(env::var(key).is_err());
+/// ```
+#[unstable(feature = "unsafe_env", issue = "none")]
+pub unsafe fn unset<K: AsRef<OsStr>>(key: K) {
     _remove_var(key.as_ref())
 }
 
-fn _remove_var(key: &OsStr) {
+// Safety: This can only be called when the program is single-threaded or when
+// no other thread touches the environment.
+unsafe fn _remove_var(key: &OsStr) {
     os_imp::unsetenv(key)
         .unwrap_or_else(|e| panic!("failed to remove environment variable `{:?}`: {}", key, e))
 }
diff --git a/library/std/src/sys/hermit/os.rs b/library/std/src/sys/hermit/os.rs
@@ -144,18 +144,14 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {
     unsafe { ENV.as_ref().unwrap().lock().unwrap().get_mut(k).cloned() }
 }
 
-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
-    unsafe {
-        let (k, v) = (k.to_owned(), v.to_owned());
-        ENV.as_ref().unwrap().lock().unwrap().insert(k, v);
-    }
+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
+    let (k, v) = (k.to_owned(), v.to_owned());
+    ENV.as_ref().unwrap().lock().unwrap().insert(k, v);
     Ok(())
 }
 
-pub fn unsetenv(k: &OsStr) -> io::Result<()> {
-    unsafe {
-        ENV.as_ref().unwrap().lock().unwrap().remove(k);
-    }
+pub unsafe fn unsetenv(k: &OsStr) -> io::Result<()> {
+    ENV.as_ref().unwrap().lock().unwrap().remove(k);
     Ok(())
 }
 
diff --git a/library/std/src/sys/sgx/os.rs b/library/std/src/sys/sgx/os.rs
@@ -110,13 +110,13 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {
     get_env_store().and_then(|s| s.lock().unwrap().get(k).cloned())
 }
 
-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
     let (k, v) = (k.to_owned(), v.to_owned());
     create_env_store().lock().unwrap().insert(k, v);
     Ok(())
 }
 
-pub fn unsetenv(k: &OsStr) -> io::Result<()> {
+pub unsafe fn unsetenv(k: &OsStr) -> io::Result<()> {
     if let Some(env) = get_env_store() {
         env.lock().unwrap().remove(k);
     }
diff --git a/library/std/src/sys/solid/os.rs b/library/std/src/sys/solid/os.rs
@@ -151,23 +151,19 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {
     }
 }
 
-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
     let k = CString::new(k.as_bytes())?;
     let v = CString::new(v.as_bytes())?;
 
-    unsafe {
-        let _guard = ENV_LOCK.write();
-        cvt_env(libc::setenv(k.as_ptr(), v.as_ptr(), 1)).map(drop)
-    }
+    let _guard = ENV_LOCK.write();
+    cvt_env(libc::setenv(k.as_ptr(), v.as_ptr(), 1)).map(drop)
 }
 
-pub fn unsetenv(n: &OsStr) -> io::Result<()> {
+pub unsafe fn unsetenv(n: &OsStr) -> io::Result<()> {
     let nbuf = CString::new(n.as_bytes())?;
 
-    unsafe {
-        let _guard = ENV_LOCK.write();
-        cvt_env(libc::unsetenv(nbuf.as_ptr())).map(drop)
-    }
+    let _guard = ENV_LOCK.write();
+    cvt_env(libc::unsetenv(nbuf.as_ptr())).map(drop)
 }
 
 /// In kmclib, `setenv` and `unsetenv` don't always set `errno`, so this
diff --git a/library/std/src/sys/unix/os.rs b/library/std/src/sys/unix/os.rs
@@ -538,23 +538,21 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {
     }
 }
 
-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
+// Safety: This can only be called when the program is single-threaded.
+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
     let k = CString::new(k.as_bytes())?;
     let v = CString::new(v.as_bytes())?;
 
-    unsafe {
-        let _guard = ENV_LOCK.write();
-        cvt(libc::setenv(k.as_ptr(), v.as_ptr(), 1)).map(drop)
-    }
+    let _guard = ENV_LOCK.write();
+    cvt(libc::setenv(k.as_ptr(), v.as_ptr(), 1)).map(drop)
 }
 
-pub fn unsetenv(n: &OsStr) -> io::Result<()> {
+// Safety: This can only be called when the program is single-threaded.
+pub unsafe fn unsetenv(n: &OsStr) -> io::Result<()> {
     let nbuf = CString::new(n.as_bytes())?;
 
-    unsafe {
-        let _guard = ENV_LOCK.write();
-        cvt(libc::unsetenv(nbuf.as_ptr())).map(drop)
-    }
+    let _guard = ENV_LOCK.write();
+    cvt(libc::unsetenv(nbuf.as_ptr())).map(drop)
 }
 
 #[cfg(not(target_os = "espidf"))]
diff --git a/library/std/src/sys/unsupported/os.rs b/library/std/src/sys/unsupported/os.rs
@@ -80,11 +80,11 @@ pub fn getenv(_: &OsStr) -> Option<OsString> {
     None
 }
 
-pub fn setenv(_: &OsStr, _: &OsStr) -> io::Result<()> {
+pub unsafe fn setenv(_: &OsStr, _: &OsStr) -> io::Result<()> {
     Err(io::const_io_error!(io::ErrorKind::Unsupported, "cannot set env vars on this platform"))
 }
 
-pub fn unsetenv(_: &OsStr) -> io::Result<()> {
+pub unsafe fn unsetenv(_: &OsStr) -> io::Result<()> {
     Err(io::const_io_error!(io::ErrorKind::Unsupported, "cannot unset env vars on this platform"))
 }
 
diff --git a/library/std/src/sys/wasi/os.rs b/library/std/src/sys/wasi/os.rs
@@ -188,23 +188,19 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {
     }
 }
 
-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
     let k = CString::new(k.as_bytes())?;
     let v = CString::new(v.as_bytes())?;
 
-    unsafe {
-        let _guard = env_lock();
-        cvt(libc::setenv(k.as_ptr(), v.as_ptr(), 1)).map(drop)
-    }
+    let _guard = env_lock();
+    cvt(libc::setenv(k.as_ptr(), v.as_ptr(), 1)).map(drop)
 }
 
-pub fn unsetenv(n: &OsStr) -> io::Result<()> {
+pub unsafe fn unsetenv(n: &OsStr) -> io::Result<()> {
     let nbuf = CString::new(n.as_bytes())?;
 
-    unsafe {
-        let _guard = env_lock();
-        cvt(libc::unsetenv(nbuf.as_ptr())).map(drop)
-    }
+    let _guard = env_lock();
+    cvt(libc::unsetenv(nbuf.as_ptr())).map(drop)
 }
 
 pub fn temp_dir() -> PathBuf {
diff --git a/library/std/src/sys/windows/os.rs b/library/std/src/sys/windows/os.rs
@@ -262,16 +262,16 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {
     .ok()
 }
 
-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {
     let k = to_u16s(k)?;
     let v = to_u16s(v)?;
 
-    cvt(unsafe { c::SetEnvironmentVariableW(k.as_ptr(), v.as_ptr()) }).map(drop)
+    cvt(c::SetEnvironmentVariableW(k.as_ptr(), v.as_ptr())).map(drop)
 }
 
-pub fn unsetenv(n: &OsStr) -> io::Result<()> {
+pub unsafe fn unsetenv(n: &OsStr) -> io::Result<()> {
     let v = to_u16s(n)?;
-    cvt(unsafe { c::SetEnvironmentVariableW(v.as_ptr(), ptr::null()) }).map(drop)
+    cvt(c::SetEnvironmentVariableW(v.as_ptr(), ptr::null())).map(drop)
 }
 
 pub fn temp_dir() -> PathBuf {

Original file line number	Diff line number	Diff line change
`@@ -110,13 +110,13 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {`
`110`	`110`	`get_env_store().and_then(\|s\| s.lock().unwrap().get(k).cloned())`
`111`	`111`	`}`
`112`	`112`
`113`		`-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {`
	`113`	`+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {`
`114`	`114`	`let (k, v) = (k.to_owned(), v.to_owned());`
`115`	`115`	`create_env_store().lock().unwrap().insert(k, v);`
`116`	`116`	`Ok(())`
`117`	`117`	`}`
`118`	`118`
`119`		`-pub fn unsetenv(k: &OsStr) -> io::Result<()> {`
	`119`	`+pub unsafe fn unsetenv(k: &OsStr) -> io::Result<()> {`
`120`	`120`	`if let Some(env) = get_env_store() {`
`121`	`121`	`env.lock().unwrap().remove(k);`
`122`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -80,11 +80,11 @@ pub fn getenv(_: &OsStr) -> Option<OsString> {`
`80`	`80`	`None`
`81`	`81`	`}`
`82`	`82`
`83`		`-pub fn setenv(_: &OsStr, _: &OsStr) -> io::Result<()> {`
	`83`	`+pub unsafe fn setenv(_: &OsStr, _: &OsStr) -> io::Result<()> {`
`84`	`84`	`Err(io::const_io_error!(io::ErrorKind::Unsupported, "cannot set env vars on this platform"))`
`85`	`85`	`}`
`86`	`86`
`87`		`-pub fn unsetenv(_: &OsStr) -> io::Result<()> {`
	`87`	`+pub unsafe fn unsetenv(_: &OsStr) -> io::Result<()> {`
`88`	`88`	`Err(io::const_io_error!(io::ErrorKind::Unsupported, "cannot unset env vars on this platform"))`
`89`	`89`	`}`
`90`	`90`
Original file line number	Diff line number	Diff line change
`@@ -262,16 +262,16 @@ pub fn getenv(k: &OsStr) -> Option<OsString> {`
`262`	`262`	`.ok()`
`263`	`263`	`}`
`264`	`264`
`265`		`-pub fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {`
	`265`	`+pub unsafe fn setenv(k: &OsStr, v: &OsStr) -> io::Result<()> {`
`266`	`266`	`let k = to_u16s(k)?;`
`267`	`267`	`let v = to_u16s(v)?;`
`268`	`268`
`269`		`- cvt(unsafe { c::SetEnvironmentVariableW(k.as_ptr(), v.as_ptr()) }).map(drop)`
	`269`	`+ cvt(c::SetEnvironmentVariableW(k.as_ptr(), v.as_ptr())).map(drop)`
`270`	`270`	`}`
`271`	`271`
`272`		`-pub fn unsetenv(n: &OsStr) -> io::Result<()> {`
	`272`	`+pub unsafe fn unsetenv(n: &OsStr) -> io::Result<()> {`
`273`	`273`	`let v = to_u16s(n)?;`
`274`		`- cvt(unsafe { c::SetEnvironmentVariableW(v.as_ptr(), ptr::null()) }).map(drop)`
	`274`	`+ cvt(c::SetEnvironmentVariableW(v.as_ptr(), ptr::null())).map(drop)`
`275`	`275`	`}`
`276`	`276`
`277`	`277`	`pub fn temp_dir() -> PathBuf {`