Page History

Do not make any assumptions about the size of environment variables because an adversary might have full control over the environment. If the environment variable needs to be stored, then the length of the associated string should be calculated , and the storage dynamically allocated. (See rule STR31-C. Guarantee that storage for strings has sufficient space for character data and the NULL null terminator.)

Noncompliant Code Example

...

void f() {
  char path[PATH_MAX]; /* requires PATH_MAX to be defined */
  strcpy(path, getenv("PATH"));
  /* use path */
}

Even if your platform assumes that $PATH is defined, defines PATH_MAX, and enforces that paths not have more than PATH_MAX characters, there is still no requirement that the $PATH environment variable still is not required to have less than PATH_MAX chars. And if it has more than PATH_MAX chars, a buffer overflow will result. Also, if $PATH is not defined, then strcpy() will attempt to dereference a null pointer.

...

void f() {
  char *path = NULL;
  /* avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = (char*) malloc(strlen(temp) + 1);
    if (path == NULL) {
      /* Handle error condition */
    } else {
      strcpy(path, temp);
    }
    /* use path */
  }
}

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C++ Secure Coding Standard: ENV01-CPP. Do not make assumptions about the size of an environment variable

ISO/IEC 9899:1999] 2011 Section 7.2022.4, "Communication with the environment"

MITRE CWE: CWE-119, "Failure to Constrain Operations constrain operations within the Bounds bounds of an Allocated Memory Bufferallocated memory buffer"

Bibliography

[Open Group 2004] Chapter 8, "Environment Variables"
[Viega 2003] Section 3.6, "Using Environment Variables Securelyenvironment variables securely"

...