Section 7.20.4.5 of C99 [ISO/IEC 9899-1999] says that:

The set of environment names and the method for altering the environment list are implementation-defined.

...

Duplicate Environment Variable Detection (POSIX)

The following code defines a function that uses the environ array (specified in POSIX) to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, and so the program immediately terminates if a duplicate is detected.

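#include <stdio.h>
#include <string.h>

extern char **environ;

/* Returns 1 if two environ entries share the same name, 0 otherwise */
int multiple_vars_with_same_name(void);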

int main(void) {
  if(multiple_vars_with_same_name()) {
    printf("Someone may be tampering.\n");
    return 1;
  }

  /* ... */

  return 0;
}

int multiple_vars_with_same_name(void) {
  size_t i;
  size_t j;
  size_t k;
  size_t l;
  size_t len_i;
  size_t len_j;

  for(i = 0; environ[i] != NULL; i++) {
    for(j = i; environ[j] != NULL; j++) {
      if(i != j) {
        k = 0;
        l = 0;

        len_i = strlen(environ[i]);
        len_j = strlen(environ[j]);

        while(k < len_i && l < len_j) {
          if(environ[i][k] != environ[j][l])
            break;

          if(environ[i][k] == '=')
            return 1;

          k++;
          l++;
        }
      }
    }
  }
  return 0;
}

Non-Compliant Code Example

The following non-compliant code behaves differently when compiled under Linux and Microsoft Windows implementations.

#include <stdio.h>
#include <stdlib.h>

int main(void) {
  char *temp;

  if (putenv("TEST_ENV=foo") != 0) {
    /* Handle Error */
  }
  /* Name differs from TEST_ENV only in letter case */
  if (putenv("Test_ENV=bar") != 0) {
    /* Handle Error */
  }

  temp = getenv("TEST_ENV");

  if (temp == NULL) {
    /* Handle Error */
  }

  printf("%s\n", temp);

  return 0;
}
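The two code blocks above meet in one case: names that differ only in letter case. The following is an added example, not part of the original page. It generalizes the duplicate check to take the environment array as a parameter and to optionally fold case, so the TEST_ENV/Test_ENV pair can be flagged on implementations that treat names case-insensitively. The function names and the fold parameter are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the name part of a "NAME=value" entry (whole string if no '='). */
static size_t name_len(const char *entry) {
  const char *eq = strchr(entry, '=');
  return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Compare two names of length n, optionally folding case. */
static int names_equal(const char *a, const char *b, size_t n, int fold) {
  for (size_t k = 0; k < n; k++) {
    int ca = (unsigned char)a[k], cb = (unsigned char)b[k];
    if (fold ? toupper(ca) != toupper(cb) : ca != cb)
      return 0;
  }
  return 1;
}

/* Index of the first entry whose name repeats an earlier one, or -1.
   envp is NULL-terminated like environ; fold=1 models case-insensitive names. */
long first_duplicate_name(char *const envp[], int fold) {
  for (size_t i = 0; envp[i] != NULL; i++) {
    size_t len_i = name_len(envp[i]);
    for (size_t j = 0; j < i; j++)
      if (name_len(envp[j]) == len_i &&
          names_equal(envp[i], envp[j], len_i, fold))
        return (long)i;
  }
  return -1;
}

int main(void) {
  /* Constructed sample: the two names from the non-compliant example. */
  char *sample[] = { "PATH=/usr/bin", "TEST_ENV=foo", "Test_ENV=bar", NULL };
  printf("case-sensitive: %ld\n", first_duplicate_name(sample, 0));
  printf("case-folded:    %ld\n", first_duplicate_name(sample, 1));
  return 0;
}
```

Comparing name lengths before the characters keeps PATH and PATHEXT distinct, which a bare prefix comparison would not.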

...