This seciton identifies reles and recommendations related to the functions defined in C99 Section 7.20.4, "Communication with the environment".
Recommendations
ENV00-A. Immediately make a copy of the string returned by getenv()
ENV01-A. Do not make assumptions about the size or value of an environment variable
ENV02-A. Beware of multiple environment variables with the same name
ENV03-A. Sanitize the environment before invoking external programs
ENV04-A. Do not call the system() function
Rules
ENV30-C. Do not modify the string returned by getenv()
ENV31-C. Do not rely on an environment pointer following an operation that may invalidate it
ENV32-C. Do not call the exit() function more than once
ENV33-C. Do not call the longjmp function to terminate a call to a function registered by atexit()
POSIX
ENV80-C. Don't call putenv() with an automatic variable as the argument
Risk Assessment Summary
Recommendations
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
ENV01-A |
3 (high) |
2 (likely) |
1 (high) |
P6 |
L2 |
ENV02-A |
3 (high) |
1 (unlikely) |
1 (high) |
P3 |
L3 |
ENV03-A |
3 (high) |
2 (probable) |
1 (high) |
P6 |
L2 |
ENV04-A |
2 (medium) |
2 (probable) |
1 (high) |
P4 |
L3 |
ENV05-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
ENV06-A |
2 (high) |
2 (probable) |
2 (medium) |
P8 |
L2 |
Rules
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
ENV30-C |
3 (high) |
3 (probable) |
3 (low) |
P27 |
L1 |
ENV32-C |
3 (high) |
2 (probable) |
1 (medium) |
P6 |
L2 |
ENV33-C |
1 (low) |
1 (low) |
3 (medium) |
P3 |
L3 |
ENV34-C |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
ENV35-C |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
ENV36-A |
1 (low) |
1 (unlikely) |
3 (low) |
P3 |
L3 |