From a2d38bc7fc271ca5452ec3fd057bca3f737aa9ae Mon Sep 17 00:00:00 2001
From: Profpatsch <mail@profpatsch.de>
Date: Sat, 23 Apr 2016 17:55:20 +0200
Subject: [PATCH] doc/stdenv.xml document substitution env variables

The filtering of environment variables that start with an uppercase
letter is documented in the manual.
---
 doc/stdenv.xml                                   | 10 +++++++++-
 pkgs/build-support/substitute/substitute-all.nix |  1 +
 pkgs/stdenv/generic/setup.sh                     |  2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/doc/stdenv.xml b/doc/stdenv.xml
index 136e83ee0cd..8129dda5a37 100644
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -1169,7 +1169,15 @@ PATH=/nix/store/68afga4khv0w...-coreutils-6.12/bin
 echo @foo@
 </programlisting>
 
-    That is, no substitution is performed for undefined variables.</para></listitem>
+    That is, no substitution is performed for undefined variables.</para>
+
+    <para>Environment variables that start with an uppercase letter are filtered out,
+    to prevent global variables (like <literal>HOME</literal>) from accidentally
+    getting substituted.
+    The variables also have to be valid bash “names”, as
+    defined in the bash manpage (alphanumeric or <literal>_</literal>, must not
+    start with a number).</para>
+  </listitem>
   </varlistentry>
 
 
diff --git a/pkgs/build-support/substitute/substitute-all.nix b/pkgs/build-support/substitute/substitute-all.nix
index fb26894661d..1022b25c4c9 100644
--- a/pkgs/build-support/substitute/substitute-all.nix
+++ b/pkgs/build-support/substitute/substitute-all.nix
@@ -2,6 +2,7 @@
 
 args:
 
+# see the substituteAll in the nixpkgs documentation for usage and constaints
 stdenv.mkDerivation ({
   name = if args ? name then args.name else baseNameOf (toString args.src);
   builder = ./substitute-all.sh;
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index f7f9cd533c1..a183aabed0e 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -445,7 +445,7 @@ substituteAll() {
 
     # Select all environment variables that start with a lowercase character.
     # Will not work with nix attribute names (and thus env variables) containing '\n'.
-    for envVar in $(env | sed -e $'s/^\([a-z][^=]*\)=.*/\\1/; t \n d'); do
+    for envVar in $(set | sed -e $'s/^\([a-z][^=]*\)=.*/\\1/; t \n d'); do
         if [ "$NIX_DEBUG" = "1" ]; then
             echo "$envVar -> ${!envVar}"
         fi