Versions Compared


C99 [ISO/IEC 9899:1999] says that getenv() has the following behavior:

The getenv function returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program but may be overwritten by a subsequent call to the getenv function.

Consequently, it is best not to store this pointer, because it may be overwritten by a subsequent call to getenv() or invalidated by changes made to the environment list through calls to putenv(), setenv(), or other means. Storing the pointer for later use can leave the program holding a dangling pointer or a pointer to incorrect data. The string should be referenced immediately and then discarded; if later use is anticipated, the string should be copied so that the copy can be safely referenced as needed.

...

The _dupenv_s() function searches the list of environment variables for a specified name. If the name is found, a buffer is allocated; the variable's value is copied into the buffer, and the buffer's address and number of elements are returned. By allocating the buffer themselves, _dupenv_s() and _wdupenv_s() provide a more convenient alternative to getenv_s() and _wgetenv_s().

...

POSIX provides the strdup() function (http://www.opengroup.org/onlinepubs/009695399/functions/strdup.html), which can make a copy of the environment variable string [Open Group 04]. The strdup() function is also included in ISO/IEC PDTR 24731-2 [ISO/IEC PDTR 24731-2].

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

Tool | Version | Checker | Description | Section
Compass/ROSE

...


Related Guidelines

This rule appears in the C++ Secure Coding Standard as ENV00-CPP. Do not store the pointer to the string returned by getenv().

...

Bibliography

[ISO/IEC 9899:1999] Section 7.20.4, "Communication with the environment"
[ISO/IEC PDTR 24731-2]
[MSDN] _dupenv_s() and _wdupenv_s() (http://msdn.microsoft.com/en-us/library/ms175774.aspx); getenv_s(), _wgetenv_s() (http://msdn.microsoft.com/en-us/library/tb2sfw2z(VS.80).aspx)
[Open Group 04] Chapter 8, "Environment Variables"; strdup (http://www.opengroup.org/onlinepubs/009695399/functions/strdup.html)
[Viega 03] Section 3.6, "Using Environment Variables Securely"

...