Do not make any assumptions about the size of environment variables, as an adversary could might have full control over the environment. Calculate the length of the strings yourself, and dynamically allocate memory for your copies (see STR31-C. Guarantee that storage for strings has sufficient space for character data and the NULL terminator).
...
Making assumptions about the size of an environmental variable could can result in a buffer overflow attack.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ENV01-A | high | likely | medium | P18 | L1 |
...