by Dylan16807 363 days ago
Relax, someone else already explained it without shouting.

At the time they hadn't and I'm fed up of the jumping to conclusions that env vars are the cause of any security issue. This is blaming poor code from poor devs on expert features from UNIX all too often.

Worrying when said person has authored a widely used security product(!). This is a bad trend in the industry that needs to stop.

> At the time they hadn't

Their comment was before yours.

If that's the comment you mean, it also misses the point.
https://news.ycombinator.com/item?id=44355306

I'm talking about this comment. Are you talking about this comment? From what knowledge I have, it looks like a good explanation of the problem and why it's not an environment variable problem.

I'll say it again - environment variables or pam_env aren't expert features - they're primitive. They were a contributing factor in the first privilege escalation.

Hardly, it's a minor coding bug to do with defaults.