...
The getenv() function searches an environment list for a string that matches a specified name, and returns a pointer to a string associated with the matched list member. Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results if a program cannot consistently choose the same value. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. Other implementations are following suit, although it is unwise to rely on this.
Inadvertently running a program with duplicate environment variables is an easy error to make because the execve() function has the signature:
| Code Block |
|---|
int execve(const char *filename, char *const argv[], char *const envp[]);
|
and makes no guarantees with regard to duplicate variables in its envp argument.
| Wiki Markup |
|---|
One common difference between implementations is whether or not environment variables are case sensitive. While UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" \[[MSDN|AA. C References#MSDN]\]. |
...
An adversary can create multiple environment variables with the same name by using the POSIX execve() function, for example. If the program checks one copy but uses another, security checks may be circumvented.
...