From a930f8f46b484d66cb4c2a62ff802cc16da04080 Mon Sep 17 00:00:00 2001
From: j4n
Date: Mon, 16 Feb 2026 19:59:55 +0100
Subject: [PATCH] docker: whitelist env vars in entrypoint, quote $@ and paths

Instead of forwarding ALL environment variables into systemd's PassEnvironment, only forward a whitelist of variables to prevent leaking of environment variables.
---
 docker/files/entrypoint.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/docker/files/entrypoint.sh b/docker/files/entrypoint.sh
index bce52a56..8c1e825f 100755
--- a/docker/files/entrypoint.sh
+++ b/docker/files/entrypoint.sh
@@ -5,7 +5,10 @@ unlink /etc/nginx/sites-enabled/default || true
 SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/setup_chatmail.service}"
-env_vars=$(printenv | cut -d= -f1 | xargs)
-sed -i "s||$env_vars|g" $SETUP_CHATMAIL_SERVICE_PATH
+# Whitelist only the env vars needed by setup_chatmail_docker.sh.
+# Forwarding all env vars (via printenv) would leak Docker internals,
+# orchestrator secrets, and other unrelated variables into systemd.
+env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK ENABLE_CERTS_MONITORING CERTS_MONITORING_TIMEOUT PATH_TO_SSL PATH USE_FOREIGN_CERT_MANAGER"
+sed -i "s||$env_vars|g" "$SETUP_CHATMAIL_SERVICE_PATH"
-exec /lib/systemd/systemd $@
+exec /lib/systemd/systemd "$@"
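Review bot: The new `sed -i` on the service file still has no check that the placeholder it rewrites was actually present, so a wrong `SETUP_CHATMAIL_SERVICE_PATH` or an already-substituted unit leaves `PassEnvironment` untouched and the setup service then starts with none of the whitelisted variables, which would be a silent misconfiguration rather than a failure; a guard before the substitution such as `grep -q -- '<PLACEHOLDER_FROM_UNIT_FILE>' "$SETUP_CHATMAIL_SERVICE_PATH" || { echo "placeholder missing in $SETUP_CHATMAIL_SERVICE_PATH" >&2; exit 1; }` would surface it. As rendered here the sed pattern between the first two `|` is empty, which GNU sed treats as "reuse the previous regex" and errors when there is none; presumably the placeholder token was lost in rendering, but it is worth confirming against the file. The whitelist now hard-codes the set of names that `setup_chatmail_docker.sh` reads, so the comment should state the sync obligation, e.g. `# Keep this list in sync with the variables read by setup_chatmail_docker.sh.`; including `PATH` in it also means whoever sets the container environment decides which binaries the setup service resolves, so it is worth a one-line note on whether that is intended. The enclosing script continues outside the hunk.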