Many programs and libraries, including the shared library loader on both Unix and Windows systems, depend on environment variable settings. Because environment variables are inherited from the parent process when a program is executed, an attacker can easily sabotage those variables, causing a program to behave in an unexpected and insecure manner [[Viega 03]].
Certain variables can cause insecure program behavior if they are missing from the environment or improperly set, so the environment cannot simply be purged in full. Instead, variables that must exist should be set to known safe values or treated as untrusted data and examined closely before being used, and any unknown variables should be removed from the environment altogether.
Non-Compliant Coding Example
This non-compliant code invokes the C99 system() function without first sanitizing the environment, so the command runs with whatever PATH, IFS and other variables the (possibly hostile) parent process supplied.

```c
system(argv[1]); /* environment inherited unchanged from the parent */
```
Compliant Solution (POSIX)
Sanitize the environment before calling system(): set the variables the command interpreter depends on to safe values and remove every extraneous environment variable.
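The following program, added here as an illustration and not part of the original standard, applies that approach: it removes every inherited variable that is not on a small allow-list, forces PATH and IFS to fixed values, and only then calls system(). The allow-list contents and the PATH and IFS values are assumptions chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L          /* setenv(), unsetenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Allow-list of variables that may survive; constructed for this example. */
static const char *const keep[] = { "TZ", "LANG", NULL };

static int is_kept(const char *name) {
    for (size_t i = 0; keep[i] != NULL; i++)
        if (strcmp(name, keep[i]) == 0) return 1;
    return 0;
}

/* Drop every inherited variable not on the allow-list, then set the
   variables the shell relies on to fixed values. Returns 0 on success. */
int sanitize_environment(void) {
    size_t n = 0;
    while (environ != NULL && environ[n] != NULL) n++;
    /* Copy the names first: unsetenv() shifts environ while we iterate. */
    char **names = calloc(n + 1, sizeof *names);
    if (names == NULL) return -1;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(environ[i], '=');
        size_t len = eq ? (size_t)(eq - environ[i]) : strlen(environ[i]);
        names[i] = malloc(len + 1);
        if (names[i] == NULL) { while (i > 0) free(names[--i]); free(names); return -1; }
        memcpy(names[i], environ[i], len);
        names[i][len] = '\0';
    }
    for (size_t i = 0; i < n; i++) {
        if (!is_kept(names[i])) unsetenv(names[i]); /* malformed names fail harmlessly */
        free(names[i]);
    }
    free(names);

    /* Safe values (assumed for this example); never trust the inherited ones. */
    if (setenv("PATH", "/bin:/usr/bin", 1) != 0) return -1;
    if (setenv("IFS", " \t\n", 1) != 0) return -1;
    return 0;
}

int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s command\n", argv[0]); return 1; }
    if (sanitize_environment() != 0) { perror("sanitize_environment"); return 1; }
    return system(argv[1]);
}
```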
Risk Assessment
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| ENV03-A | 2 (high) | 2 (probable) | 2 (medium) | P8 | L2 |
References
[[ISO/IEC 9899-1999]] Section 7.20.4, "Communication with the environment"
[[Wheeler 03]] Section 5.2, "Environment Variables"
[[Viega 03]] Section 1.1, "Sanitizing the Environment"