...
Consequently, if an environment variable contains information that is available by other means, including system properties, that environment variable must not be used.
Noncompliant Code Example
This noncompliant code example tries to obtain the user name from an environment variable.
...
This program runs /usr/bin/printenv, which prints all environment variables and their values. It takes a single string argument and sets the USER environment variable to that string before launching printenv. The output of printenv shows that USER holds exactly the string that was requested: any process that launches another can hand it an arbitrary USER value, so a program that reads USER learns nothing reliable about who is actually running it.
Compliant Solution
This compliant solution obtains the user name from the user.name system property. The JVM initializes this property from the operating system's record of the current user when it starts, not from the USER environment variable, so it holds the correct user name even if USER has been set to an incorrect value or does not exist. Note that system properties can still be overridden on the JVM command line (for example, -Duser.name=...), so the property is trustworthy only to the extent that the JVM's command line is.
Code Block

    // Obtain the user name from the JVM's user.name property rather than the USER environment variable.
    String username = System.getProperty("user.name");
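The following program, added here as an illustration and not part of the original page, puts the two approaches side by side. It reads USER via System.getenv() (the noncompliant approach) and user.name via System.getProperty() (the compliant approach), then relaunches itself as a child JVM twice, playing the role of a hostile parent process: once with USER overridden in the child's environment, and once with -Duser.name overridden on the child's command line. The class name EnvVsProperty, the method names, and the value "attacker" are assumptions for this example. It assumes JDK 11 or later, a Unix-like system where USER is normally set, and that it is compiled and run with `javac EnvVsProperty.java && java EnvVsProperty` so that the compiled class is on java.class.path.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example for ENV02-J; not the page's own code.
public class EnvVsProperty {

    // Noncompliant (ENV02-J): trusts a value that any parent process can set.
    static String userFromEnvironment() {
        return System.getenv("USER");
    }

    // Compliant: the JVM fills user.name from the operating system at startup,
    // so it does not change when a parent process tampers with USER.
    static String userFromProperty() {
        return System.getProperty("user.name");
    }

    // Relaunch this class as a child JVM, acting as a hostile parent process.
    // extraJvmArgs are placed before the class name; env entries are added to
    // the child's environment on top of the inherited one.
    static int launchChild(List<String> extraJvmArgs, Map<String, String> env)
            throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<>();
        cmd.add(Path.of(System.getProperty("java.home"), "bin", "java").toString());
        cmd.add("-cp");
        cmd.add(System.getProperty("java.class.path")); // assumes the compiled class is on it
        cmd.addAll(extraJvmArgs);
        cmd.add(EnvVsProperty.class.getName());
        cmd.add("child");
        ProcessBuilder pb = new ProcessBuilder(cmd).inheritIO();
        pb.environment().putAll(env);
        return pb.start().waitFor();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        if (args.length == 1 && args[0].equals("child")) {
            // Child mode: report what each approach sees inside this process.
            System.out.println("  USER env       = " + userFromEnvironment());
            System.out.println("  user.name prop = " + userFromProperty());
            return;
        }

        System.out.println("parent process:");
        System.out.println("  USER env       = " + userFromEnvironment());
        System.out.println("  user.name prop = " + userFromProperty());

        // Case 1: the environment variable is attacker-controlled; user.name is not.
        System.out.println("child launched with USER=attacker in its environment:");
        launchChild(List.of(), Map.of("USER", "attacker"));

        // Case 2: whoever controls the JVM command line can also override the property.
        System.out.println("child launched with -Duser.name=attacker on its command line:");
        launchChild(List.of("-Duser.name=attacker"), Map.of());
    }
}
```

In the first child, the USER line shows "attacker" while the user.name line still shows the real account name, which is the behaviour the compliant solution relies on. In the second child the situation is reversed: USER is inherited unchanged but user.name reads "attacker", which is why the property should be treated as more reliable than the environment, not as an authenticated identity.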
Risk Assessment
A program that depends on environment variables may be fed misinformation by an attacker.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| ENV02-J | low | likely | low | P9 | L2 |
...