The getenv() function searches an environment list for a string that matches a specified name and returns a pointer to a string associated with the matched list member.
Section 7.20.4.5 of C99 states that \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] |
The set of environment names and the method for altering the environment list are implementation-defined.
Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results if a program cannot consistently choose the same value. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. However, it is unwise to rely on this.
One common difference between implementations is whether or not environment variables are case sensitive. While UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" \[[MSDN|AA. Bibliography#MSDN]\]. |
The following code defines a function that uses the POSIX environ array to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, so the program immediately terminates if a duplicate is detected.
extern char **environ;
int main(void) {
if (multiple_vars_with_same_name()) {
printf("Someone may be tampering.\n");
return 1;
}
/* ... */
return 0;
}
int multiple_vars_with_same_name(void) {
size_t i;
size_t j;
size_t k;
size_t l;
size_t len_i;
size_t len_j;
for(size_t i = 0; environ[i] != NULL; i++) {
for(size_t j = i; environ[j] != NULL; j++) {
if (i != j) {
k = 0;
l = 0;
len_i = strlen(environ[i]);
len_j = strlen(environ[j]);
while (k < len_i && l < len_j) {
if (environ[i][k] != environ[j][l])
break;
if (environ[i][k] == '=')
return 1;
k++;
l++;
}
}
}
}
return 0;
}
|
The following noncompliant code behaves differently when compiled and run on Linux and Microsoft Windows platforms.
if (putenv("TEST_ENV=foo") != 0) {
/* Handle error */
}
if (putenv("Test_ENV=bar") != 0) {
/* Handle error */
}
const char *temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle error */
}
printf("%s\n", temp);
|
On an IA-32 Linux machine with GCC Compiler Version 3.4.4, this code prints
foo |
whereas, on an IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express, it prints
bar |
Portable code should use environment variables that differ by more than capitalization.
if (putenv("TEST_ENV=foo") != 0) {
/* Handle error */
}
if (putenv("OTHER_ENV=bar") != 0) {
/* Handle error */
}
const char *temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle error */
}
printf("%s\n", temp);
|
An attacker can create multiple environment variables with (for example, by using the POSIX execve() function). If the program checks one copy but uses another, security checks may be circumvented.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
ENV02-C |
low |
unlikely |
medium |
P2 |
L3 |
Tool |
Version |
Checker |
Description |
|
|---|---|---|---|---|
|
|
|
|
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
CERT C++ Secure Coding Standard: ENV02-CPP. Beware of multiple environment variables with the same effective name
ISO/IEC 9899:1999 Section 7.20.4, "Communication with the Environment"
ISO/IEC TR 24772 "XYS Executing or Loading Untrusted Code"
MITRE CWE: CWE-462, "Duplicate Key in Associative List (Alist)"
MITRE CWE: CWE-807, "Reliance on Untrusted Inputs in a Security Decision"
\[[MSDN|AA. Bibliography#MSDN]\] [{{getenv()}}|http://msdn.microsoft.com/en-us/library/tehxacec(VS.71).aspx] |
void ENV05-J. Do not grant RuntimePermission with target createClassLoader 15. Runtime Environment (ENV) ENV07-J. Do not deploy an application that can be accessed using the Java Platform Debugger Architecture