...
Section 7.22.4.6 of the C Standard [ISO/IEC 9899:2011] states that
...
Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results if a program cannot consistently choose the same value. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. However, it is unwise to rely on this behavior.
One common difference between implementations is whether or not environment variables are case sensitive. Although UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" [MSDN].
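As an added example (not code from this CERT page), the following C program walks an environment block and refuses to return a value for a name that occurs more than once, instead of relying on glibc's first-match behavior; sample_env is a constructed environment, and in a real program the POSIX environ pointer would be passed instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample environment (not a real process environment):
 * PATH appears twice, "Path" differs from it only in case, and
 * EMPTYFLAG is an entry with no '=' at all. */
static char *const sample_env[] = {
    "HOME=/home/alice",
    "PATH=/usr/bin:/bin",
    "PATH=/tmp/untrusted",
    "Path=/other",
    "EMPTYFLAG",
    NULL
};

/* Length of the NAME part of a "NAME=value" entry (up to the first '='). */
static size_t env_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Count the entries of envp whose name matches exactly (case-sensitive,
 * so "PATH" and "Path" are distinct names, as on UNIX-like systems). */
size_t env_count_name(char *const *envp, const char *name) {
    size_t n = strlen(name), count = 0;
    for (; *envp; envp++)
        if (env_name_len(*envp) == n && strncmp(*envp, name, n) == 0)
            count++;
    return count;
}

/* getenv()-like lookup over envp that does not choose between duplicates:
 * if the name is defined more than once it returns NULL and sets *dup.
 * An entry without '=' yields the empty string as its value. */
const char *env_get_unique(char *const *envp, const char *name, int *dup) {
    const char *value = NULL;
    size_t n = strlen(name);
    *dup = 0;
    for (; *envp; envp++) {
        if (env_name_len(*envp) == n && strncmp(*envp, name, n) == 0) {
            if (value) { *dup = 1; return NULL; }  /* second match: refuse */
            value = (*envp)[n] == '=' ? *envp + n + 1 : "";
        }
    }
    return value;
}

int main(void) {
    int dup;
    const char *path = env_get_unique(sample_env, "PATH", &dup);
    if (dup)
        fputs("PATH is defined more than once; refusing to use it\n", stderr);
    else
        printf("PATH=%s\n", path ? path : "(unset)");
    return dup;
}
```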
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
TR 24772:2013 | Executing or loading untrusted code |
...
[XYS] |
MITRE CWE |
...
...
Duplicate key in associative list (Alist) |
...
...
...
Reliance on untrusted inputs in a security decision |
...
Bibliography
[ISO/IEC 9899:2011] | Section 7.22.4, "Communication with the Environment" |
[MSDN] | getenv() |
...