...
The following code defines a function that uses the POSIX environ array to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, so the program immediately terminates if a duplicate is detected.
| Code Block | ||||
|---|---|---|---|---|
| ||||
extern char **environ;
int main(void) {
if (multiple_vars_with_same_name()) {
printf("Someone may be tampering.\n");
return 1;
}
/* ... */
return 0;
}
int multiple_vars_with_same_name(void) {
size_t i;
size_t j;
size_t k;
size_t l;
size_t len_i;
size_t len_j;
for(size_t i = 0; environ[i] != NULL; i++) {
for(size_t j = i; environ[j] != NULL; j++) {
if (i != j) {
k = 0;
l = 0;
len_i = strlen(environ[i]);
len_j = strlen(environ[j]);
while (k < len_i && l < len_j) {
if (environ[i][k] != environ[j][l])
break;
if (environ[i][k] == '=')
return 1;
k++;
l++;
}
}
}
}
return 0;
}
|
...
The following noncompliant code behaves differently when compiled and run on Linux and Microsoft Windows platforms.
| Code Block | ||||
|---|---|---|---|---|
| ||||
if (putenv("TEST_ENV=foo") != 0) {
/* Handle error */
}
if (putenv("Test_ENV=bar") != 0) {
/* Handle error */
}
const char *temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle error */
}
printf("%s\n", temp);
|
...
Portable code should use environment variables that differ by more than capitalization.
| Code Block | ||||
|---|---|---|---|---|
| ||||
if (putenv("TEST_ENV=foo") != 0) {
/* Handle error */
}
if (putenv("OTHER_ENV=bar") != 0) {
/* Handle error */
}
const char *temp = getenv("TEST_ENV");
if (temp == NULL) {
/* Handle error */
}
printf("%s\n", temp);
|
...