Page History

The getenv() function searches an environment list for a string that matches a specified name, and returns a pointer to a string associated with the matched list member. Due to the manner in which environment variables are stored, multiple environment variables with the same name can cause unexpected results.

Non-Compliant Code Example

This code behaves differently when compiled under Linux and Windows.

char *temp;

if (putenv("TEST_ENV=foo") != 0) {
  /* Handle Error */
}
if (putenv("Test_ENV=bar") != 0) {
  /* Handle Error */
}

temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle Error */
}

printf("%s\n",temp);

On a test IA-32 Linux machine with GCC Compiler Version 3.4.4 this code prints:

foo

Whereas, on a test IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express it prints:

bar

Non-Compliant Code Example

In this non-compliant code example, the getenv function is used to retrieve a value from the environment.

char *temp;
char *copy;

if ((temp = getenv("TEST_ENV")) != NULL) {
  copy = (char *)malloc(strlen(temp) + 1);
  if (copy != NULL) {
    strcpy(copy, temp);
  }
  else {
    /* handle error condition */
  }

  copy[0] = 'a';
  setenv("TEST_ENV", copy, 1);
}
else {
  return -1;
}

Compliant Solution (glibc)

Depending on the implementation, a program may not consistently choose the same value if there are multiple environment variables with the same name. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. Other implementations are following suit, although it is unwise to rely on this.

...

Duplicate Environment Variable Detection (POSIX)

In this compliant solution, Here is a function that uses the environ array is manually searched (specified in POSIX) to manually search for duplicate key entries. Any duplicates may indicate duplicate environment variables are considered an attack, and so the program immediately terminates.

extern char ** environ;

int main(void) {
  if(multiple_vars_with_same_name()) {
    printf("Someone may be tampering.\n");
    return 1;
  }

  /* ... */

  return 0;
}

int multiple_vars_with_same_name(void) {
  size_t i;
  size_t j;
  size_t k;
  size_t l;
  size_t len_i;
  size_t len_j;

  for(i = 0; environ[i] != NULL; i++) {
    for(j = i; environ[j] != NULL; j++) {
      if(i != j) {
        k = 0;
        l = 0;

        len_i = strlen(environ[i]);
        len_j = strlen(environ[j]);

        while(k < len_i && l < len_j) {
          if(environ[i][k] != environ[j][l])
            break;

          if(environ[i][k] == '=')
            return 1;

          k++;
          l++;
        }
      }
    }
  }
  return 0;
}

Non-Compliant Code Example

This code behaves differently when compiled under Linux and Windows, because in Windows, environment variables are case-insensitive.

char *temp;

if (putenv("TEST_ENV=foo") != 0) {
  /* Handle Error */
}
if (putenv("Test_ENV=bar") != 0) {
  /* Handle Error */
}

temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle Error */
}

printf("%s\n",temp);

On a test IA-32 Linux machine with GCC Compiler Version 3.4.4, this code prints:

foo

Whereas, on a test IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express, it prints:

bar

Compliant Solution

Portable code should use environment variables that differ by more than capitalization.

char *temp;

if (putenv("TEST_ENV_1=foo") != 0) {
  /* Handle Error */
}
if (putenv("TEST_ENV_2=bar") != 0) {
  /* Handle Error */
}

temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle Error */
}

printf("%s\n",temp);

Risk Assessment

An adversary can create multiple environment variables with the same name. If the program checks one copy but uses another, security checks may be circumvented.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment"

...