Many programs and libraries, including the shared library loader on both UNIX and Windows systems, depend on environment variable settings. Because environment variables are inherited from the parent process when a program is executed, an attacker can easily sabotage variables, causing a program to behave in an unexpected and insecure manner [Viega 2003].
All programs, particularly those running with higher privileges than the caller (such as those with
setuid/setgid flags), should treat their environment as untrusted user input. Because the environment is inherited by processes spawned by calls to the
exec() functions, it is important to verify that the environment does not contain any values that can lead to unexpected behavior.
The best practice for such programs is to
- Drop privileges once they are no longer necessary. (See POS02-C. Follow the principle of least privilege.)
- Avoid calling
system(). (See ENV33-C. Do not call system().)
- Clear the environment and fill it with trusted or default values.
This recommendation is a more specific instance of STR02-C. Sanitize data passed to complex subsystems.
Subclause 22.214.171.124 of the C Standard states that "the set of environment names and the method for altering the environment list are implementation-defined." Consequently, it is important to understand which functions are available for clearing, modifying, and looking up default values for environment variables. Because some programs may behave in unexpected ways when certain environment variables are not set, it is important to understand which variables are necessary on your system and what are safe values for them.
Noncompliant Code Example (POSIX,
This noncompliant code example invokes the C
system() function to execute the
/bin/ls program. The
system() function passes a string to the command processor in the host environment to be executed.
IFS does not affect the command portion of this string,
/bin/ls, it does determine how the argument is built after calling
date. If the default shell does not ignore the incoming value of the
IFS environment value, and an attacker sets
".", the intended directory will not be found.
Compliant Solution (POSIX,
The nonstandard function
clearenv() may be used to clear out the environment where available: otherwise, the environment can be cleared by obtaining the environment variable names from
environ and removing each one using
In this compliant solution, the environment is cleared by
clearenv(), and then the
IFS variables are set to safe values before
system() is invoked. Sanitizing shell commands can be difficult, and doing so can adversely affect the power and flexibility associated with them.
POSIX also specifies the
confstr() function, which can be used to look up default values for environment variables [IEEE Std 1003.1:2013]. The
_CS_V7_ENV argument to
confstr() retrieves a list of environment variable settings required for a default conforming environment [IEEE Std 1003.1:2013]. A space-separated list of
variable=value pairs is returned, with variable names guaranteed not to contain equal signs (=), and
variable=value pairs guaranteed not to contain spaces. Used together with the
_CS_PATH request, this completely describes the minimum environment variable settings required to obtain a clean, conforming environment. On systems conforming to the POSIX.1-2008 standard, this should be used to create a sanitized environment.
On systems that have no
clearenv() function, the following implementation can be used:
Compliant Solution (Windows)
There is no portable or guaranteed way to clear out the environment under Windows. Following ENV33-C. Do not call system(), care should be taken to use
_execvpe() instead of
system(), because they allow the environment to be explicitly specified.
If it is explicitly known which environment variables need to be kept, Secure Programming Cookbook for C and C++ [Viega 2003] defines a function,
spc_sanitize_environment(), that will remove everything else.
Invoking an external program in an attacker-controlled environment is inherently dangerous.
|LDRA tool suite|
|588 S||Partially implemented|
|SEI CERT C++ Coding Standard||VOID ENV01-CPP. Sanitize the environment when invoking external programs|
|CERT Oracle Secure Coding Standard for Java||IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method|
|ISO/IEC TR 24772:2013||Executing or Loading Untrusted Code [XYS]|
|MITRE CWE||CWE-78, Failure to sanitize data into an OS command (aka "OS command injection")|
CWE-88, Argument injection or modification
CWE-426, Untrusted search path
CWE-471, Modification of Assumed-Immutable Data (MAID)
CWE-807, Reliance on intrusted inputs in a security decision
|[CA-1995-14]||"Telnetd Environment Vulnerability"|
|[Dowd 2006]||Chapter 10, "UNIX II: Processes"|
|[IEEE Std 1003.1:2013]||Chapter 8, "Environment Variables"|
XSH, System Interfaces,
|[ISO/IEC 9899:2011]||Subclause 7.22.4, "Communication with the Environment"|
|[Viega 2003]||Section 1.1, "Sanitizing the Environment"|
|[Wheeler 2003]||Section 5.2, "Environment Variables"|