...
| Code Block |
|---|
|
if (system("/bin/ls dir.`date +%Y%m%d`") == -1) {
/* handleHandle error */
}
|
Although IFS does not affect the command portion of this string, /bin/ls, it does determine how the argument is built after calling date. If the default shell does not ignore the incoming value of the IFS environment value, and an attacker sets IFS to ".", the intended directory will not be found.
...
| Code Block |
|---|
|
char *pathbuf;
size_t n;
if (clearenv() != 0) {
/* Handle Errorerror */
}
n = confstr(_CS_PATH, NULL, 0);
if (n == 0) {
/* Handle Errorerror */
}
if ((pathbuf = malloc(n)) == NULL) {
/* Handle Errorerror */
}
if (confstr(_CS_PATH, pathbuf, n) == 0) {
/* Handle Errorerror */
}
if (setenv("PATH", pathbuf, 1) == -1) {
/* Handle Errorerror */
}
if (setenv("IFS", " \t\n", 1) == -1) {
/* Handle Errorerror */
}
if (system("ls dir.`date +%Y%m%d`") == -1) {
/* Handle Errorerror */
}
|
On systems which have no clearenv() function, the following implementation can be used.
| Code Block |
|---|
|
extern char **environ;
int clearenv(void)
{
static char *namebuf = NULL;
static size_t lastlen = 0;
while (environ != NULL && environ[0] != NULL) {
size_t len = strcspn(environ[0], "=");
if (len == 0) {
/* Handle empty variable name (corrupted environ[]) */
}
if (len > lastlen) {
namebuf = realloc(namebuf, len+1);
if (namebuf == NULL) {
/* Handle Errorerror */
}
lastlen = len;
}
memcpy(namebuf, environ[0], len);
namebuf[len] = '\0';
if (unsetenv(namebuf) == -1) {
/* Handle Errorerror */
}
}
return 0;
}
|
Compliant Solution (Windows)
...
