SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 82

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 83

changes.mady.by.user Arthur Hicken

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: font

...

An attacker can create multiple environment variables with the same name (for example, by using the POSIX execve() function). If the program checks one copy but uses another, security checks may be circumvented.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV02-C

Low

Unlikely

Medium

P2

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

 

 

 




Parasoft C/C++test
Include Page
c:
Parasoft_V
c:
Parasoft_V
SECURITY-03
 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID ENV00-CPP. Beware of multiple environment variables with the same effective name
ISO/IEC TR 24772:2013Executing or Loading Untrusted Code [XYS]
MITRE CWECWE-462, Duplicate key in associative list (Alist)
CWE-807, Reliance on untrusted inputs in a security decision

Bibliography

[ISO/IEC 9899:2011]Section 7.22.4, "Communication with the Environment"
[MSDN]getenv()

 

...