Explicitly unset QREXEC_ variables

QREXEC_SERVICE_ARGUMENT, QREXEC_REQUESTED_TARGET and
QREXEC_REQUESTED_TARGET_KEYWORD should not be in the environment of the
child process unless explicitly set by the qrexec call.  Explicitly
unset them.

Also avoid relying on QREXEC_SERVICE_ARGUMENT not containing glob
characters or characters in $IFS.  Commands sent from a VM cannot have
them due to the sanitization in qrexec-daemon, but commands sent from
dom0 could.

Fixes: QubesOS/qubes-issues#9091

Author: DemiMarie

lib/qubes-rpc-multiplexer

@@ -22,6 +22,8 @@ if ! [ $# = 2 -o $# = 4 ] ; then
 	echo "$0: bad argument count, usage: $0 SERVICE-NAME REMOTE-DOMAIN-NAME [REQUESTED_TARGET_TYPE REQUESTED_TARGET]" >&2
 	exit 1
 fi
+# Avoid inheriting these from the environment
+unset QREXEC_REQUESTED_TARGET QREXEC_REQUESTED_TARGET_KEYWORD QREXEC_SERVICE_ARGUMENT
 export QREXEC_REQUESTED_TARGET_TYPE="$3"
 if [ "$QREXEC_REQUESTED_TARGET_TYPE" = "name" ]; then
     export QREXEC_REQUESTED_TARGET="$4"
@@ -51,7 +53,6 @@ for DIR in $QREXEC_SERVICE_PATH; do
 done
 IFS=$ifs
 
-# shellcheck disable=SC2086
-exec "$CFG_FILE" ${QREXEC_SERVICE_ARGUMENT}
+exec "$CFG_FILE" ${QREXEC_SERVICE_ARGUMENT:+"$QREXEC_SERVICE_ARGUMENT"}
 echo "$0: failed to execute handler for $1" >&2
 exit 1

qrexec/tests/socket/agent.py

@@ -344,7 +344,6 @@ def test_exec_service(self):
             ],
         )
 
-    @unittest.expectedFailure
     def test_exec_service_keyword(self):
         util.make_executable_service(
             self.tempdir,