Section 7.20.4.5 of C99 [ISO/IEC 9899:1999] states:
The set of environment names and the method for altering the environment list are implementation-defined.
...
One common difference between implementations is whether or not environment variables are case sensitive. While UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" [MSDN].
Duplicate Environment Variable Detection (POSIX)
The following code defines a function that uses the POSIX environ array (specified in POSIX) to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, so the program immediately terminates if a duplicate is detected.
```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

extern char **environ;

int multiple_vars_with_same_name(void);

int main(void) {
  if (multiple_vars_with_same_name()) {
    printf("Someone may be tampering.\n");
    return 1;
  }

  /* ... */

  return 0;
}

/* Returns 1 if two entries in environ share the same name, 0 otherwise. */
int multiple_vars_with_same_name(void) {
  size_t i;
  size_t j;
  size_t k;
  size_t l;
  size_t len_i;
  size_t len_j;

  for (i = 0; environ[i] != NULL; i++) {
    for (j = i; environ[j] != NULL; j++) {
      if (i != j) {
        k = 0;
        l = 0;

        len_i = strlen(environ[i]);
        len_j = strlen(environ[j]);

        /* Compare the two entries character by character up to '='. */
        while (k < len_i && l < len_j) {
          if (environ[i][k] != environ[j][l])
            break;

          /* Both names matched all the way to '=': duplicate found. */
          if (environ[i][k] == '=')
            return 1;

          k++;
          l++;
        }
      }
    }
  }
  return 0;
}
```
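The following is an added example, not code from the original page: a generalization of the duplicate check above that takes the environment array as a parameter and can optionally fold ASCII case, for platforms where, as noted earlier, variable names are not case sensitive. The names `first_duplicate_env`, `name_len`, `same_name` and the `ignore_case` flag are assumptions made for this illustration, and the sample environment in `main` is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Length of the name part of a "NAME=value" entry (whole string if no '='). */
static size_t name_len(const char *entry) {
  size_t n = 0;
  while (entry[n] != '\0' && entry[n] != '=') n++;
  return n;
}

/* Compare two names of equal length n, optionally folding ASCII case. */
static int same_name(const char *a, const char *b, size_t n, int ignore_case) {
  for (size_t i = 0; i < n; i++) {
    unsigned char ca = (unsigned char)a[i];
    unsigned char cb = (unsigned char)b[i];
    if (ignore_case) {
      ca = (unsigned char)tolower(ca);
      cb = (unsigned char)tolower(cb);
    }
    if (ca != cb) return 0;
  }
  return 1;
}

/*
 * Hypothetical helper: returns the index of the first entry whose name
 * repeats an earlier entry's name, or -1 if every name is unique.
 * An entry without '=' is treated as a name with no value.
 */
int first_duplicate_env(char *const envp[], int ignore_case) {
  for (size_t j = 1; envp[0] != NULL && envp[j] != NULL; j++) {
    size_t len_j = name_len(envp[j]);
    for (size_t i = 0; i < j; i++) {
      if (name_len(envp[i]) == len_j &&
          same_name(envp[i], envp[j], len_j, ignore_case))
        return (int)j;
    }
  }
  return -1;
}

int main(void) {
  /* Constructed sample environment, not taken from a real process. */
  char *const sample[] = { "PATH=/usr/bin", "HOME=/home/u", "Path=/tmp/x", NULL };
  printf("case-sensitive:   %d\n", first_duplicate_env(sample, 0));
  printf("case-insensitive: %d\n", first_duplicate_env(sample, 1));
  return 0;
}
```

On a POSIX system the same function can be called as `first_duplicate_env(environ, 0)`; the case-insensitive mode matches the Windows behavior quoted above.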
...