Comment: Edited by NavBot (jp)

Many programs and libraries, including the shared library loader on both UNIX and Windows systems, depend on environment variable settings. Because environment variables are inherited from the parent process when a program is executed, an attacker who controls the parent can set variables to arbitrary values and cause the program to behave in an unexpected and insecure manner [Viega 03].

All programs, particularly those running with higher privileges than the caller (such as those with the setuid or setgid flag set), should treat their environment as untrusted user input. Variables such as {{PATH}}, {{IFS}}, {{LD_PRELOAD}}, and {{LD_LIBRARY_PATH}} influence which code is loaded or executed. Because the environment is inherited by processes spawned by calls to the fork(), system(), or exec() family of functions, it is important to verify that the environment does not contain any values that can lead to unexpected behavior before invoking another program.

...

POSIX also specifies the {{confstr()}} function, which can be used to look up default values for environment variables [Open Group 04]. POSIX.1-2008 defines a new {{_CS_V7_ENV}} argument to {{confstr()}} that retrieves the list of environment variable settings required for a default conforming environment [Austin Group 08]. A space-separated list of {{variable=value}} pairs is returned; variable names are guaranteed not to contain equal signs (=), and {{variable=value}} pairs are guaranteed not to contain spaces. Used together with the {{_CS_PATH}} request, which returns a {{PATH}} value that finds the standard utilities, this completely describes the minimum environment variable settings required to obtain a clean, conforming environment. On systems conforming to the POSIX.1-2008 standard, these values should be used to construct a sanitized environment from scratch rather than trying to repair the inherited one. Note that {{confstr()}} returns 0 when a name is unsupported or has no defined value, so each call must be checked before its result is used.

...

If it is explicitly known which environment variables need to be kept, [Viega 03] defines a function, {{spc_sanitize_environment()}}, that preserves only those variables (with safe values for the ones that must always be present, such as {{PATH}}) and removes everything else. This allow-list approach is preferable to a deny-list of known-dangerous names, because the set of variables that affect the loader, the shell, or a given library is open-ended.
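The following is an added example (not code from the coding standard or from Viega's book) that combines the two approaches described above: it starts from the {{confstr()}} defaults ({{_CS_PATH}}, plus {{_CS_V7_ENV}} where the headers define it) and then copies over only the inherited variables whose names appear on a caller-supplied allow list. The resulting vector can be passed directly to {{execve()}} or {{posix_spawn()}} instead of the inherited {{environ}}. The sample inherited environment in {{main()}} is constructed for illustration; the function names {{build_sanitized_environment()}}, {{env_lookup()}}, and {{free_environment()}} are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Find NAME (of NAMELEN bytes) in a NULL-terminated "name=value" vector;
 * return a pointer to the value, or NULL when it is absent. */
static const char *env_find(char *const *env, const char *name, size_t namelen) {
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
            return env[i] + namelen + 1;
    return NULL;
}

const char *env_lookup(char *const *env, const char *name) {
    return env_find(env, name, strlen(name));
}

void free_environment(char **env) {
    if (env == NULL) return;
    for (size_t i = 0; env[i] != NULL; i++) free(env[i]);
    free(env);
}

/* Append a copy of ENTRY to the vector, keeping it NULL-terminated. */
static int env_push(char ***envp, size_t *count, const char *entry) {
    char **grown = realloc(*envp, (*count + 2) * sizeof *grown);
    if (grown == NULL) return -1;
    *envp = grown;
    if ((grown[*count] = strdup(entry)) == NULL) return -1;
    grown[++*count] = NULL;
    return 0;
}

/* malloc'd copy of a confstr() value, or NULL if unsupported or unset. */
static char *confstr_dup(int name) {
    size_t n = confstr(name, NULL, 0);          /* bytes needed, including the NUL */
    if (n == 0) return NULL;
    char *buf = malloc(n);
    if (buf != NULL && (confstr(name, buf, n) == 0 || buf[0] == '\0')) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Build a fresh environment: confstr() defaults first, then only those
 * INHERITED entries whose names appear in ALLOW (both NULL-terminated).
 * A variable already supplied by the defaults (e.g. PATH) is never taken
 * from the inherited environment, so a tampered PATH cannot survive. */
char **build_sanitized_environment(char *const *inherited, const char *const *allow,
                                   size_t *count_out) {
    char **env = NULL;
    size_t count = 0;

    char *path = confstr_dup(_CS_PATH);             /* e.g. "/bin:/usr/bin" */
    if (path == NULL) return NULL;
    size_t len = strlen("PATH=") + strlen(path) + 1;
    char *path_entry = malloc(len);
    if (path_entry == NULL) { free(path); return NULL; }
    snprintf(path_entry, len, "PATH=%s", path);
    free(path);
    int rc = env_push(&env, &count, path_entry);
    free(path_entry);
    if (rc != 0) goto fail;

#ifdef _CS_V7_ENV
    {
        /* Space-separated "name=value" pairs (glibc returns "POSIXLY_CORRECT=1"). */
        char *defaults = confstr_dup(_CS_V7_ENV);
        if (defaults != NULL) {
            char *save = NULL;
            for (char *tok = strtok_r(defaults, " ", &save); tok != NULL;
                 tok = strtok_r(NULL, " ", &save)) {
                if (strchr(tok, '=') != NULL && env_push(&env, &count, tok) != 0) {
                    free(defaults);
                    goto fail;
                }
            }
            free(defaults);
        }
    }
#endif

    for (size_t i = 0; inherited[i] != NULL; i++) {
        const char *eq = strchr(inherited[i], '=');
        if (eq == NULL || eq == inherited[i]) continue;   /* malformed entry: drop it */
        size_t namelen = (size_t)(eq - inherited[i]);
        int allowed = 0;
        for (size_t j = 0; allow[j] != NULL && !allowed; j++)
            allowed = strlen(allow[j]) == namelen && memcmp(allow[j], inherited[i], namelen) == 0;
        if (!allowed || env_find(env, inherited[i], namelen) != NULL) continue;
        if (env_push(&env, &count, inherited[i]) != 0) goto fail;
    }
    if (count_out != NULL) *count_out = count;
    return env;
fail:
    free_environment(env);
    return NULL;
}

int main(void) {
    /* Constructed inherited environment: a tampered PATH, a preload hook, a clobbered IFS. */
    char *const inherited[] = { "PATH=/tmp/evil:/usr/bin", "LD_PRELOAD=/tmp/evil.so",
                                "IFS= \t\n", "TZ=UTC", "HOME=/home/alice", NULL };
    const char *const allow[] = { "TZ", "HOME", "LANG", NULL };
    size_t n = 0;
    char **env = build_sanitized_environment(inherited, allow, &n);
    if (env == NULL) { perror("build_sanitized_environment"); return 1; }
    for (size_t i = 0; i < n; i++) puts(env[i]);   /* PATH, defaults, TZ, HOME only */
    free_environment(env);
    return 0;
}
```

The allow list is deliberately short: anything a child genuinely needs (locale, time zone, home directory) is named explicitly, and everything else, including loader and shell variables, is dropped without having to enumerate them.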

...

[Austin Group 08] Vol. 2, System Interfaces, {{confstr()}}
[CA-1995-14] "Telnetd Environment Vulnerability", http://www.cert.org/advisories/CA-1995-14.html
[Dowd 06] Chapter 10, "UNIX II: Processes"
[ISO/IEC 9899:1999] Section 7.20.4, "Communication with the environment"
[ISO/IEC PDTR 24772] "XYS Executing or Loading Untrusted Code"
[MITRE 07] CWE ID 426, "Untrusted Search Path" (http://cwe.mitre.org/data/definitions/426.html); CWE ID 88, "Argument Injection or Modification" (http://cwe.mitre.org/data/definitions/88.html); and CWE ID 78, "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')" (http://cwe.mitre.org/data/definitions/78.html)
[Open Group 04] Chapter 8, "Environment Variables", and {{confstr()}}, http://www.opengroup.org/onlinepubs/009695399/functions/confstr.html
[Viega 03] Section 1.1, "Sanitizing the Environment"
[Wheeler 03] Section 5.2, "Environment Variables", http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/environment-variables.html

...