Both environment variables and system properties provide user-defined mappings between keys and their corresponding values and can be used to communicate those values from the environment to a process. According to the Java API [API 2006] java.lang.System class documentation:
Environment variables have a more global effect because they are visible to all descendants of the process which defines them, not just the immediate Java subprocess. They can have subtly different semantics, such as case insensitivity, on different operating systems. For these reasons, environment variables are more likely to have unintended side effects. It is best to use system properties where possible. Environment variables should be used when a global effect is desired, or when an external system interface requires an environment variable (such as PATH).
Programs that execute in a more trusted domain than their environment must assume that the values of environment variables are untrusted and must sanitize and validate any environment variable values before use.
...
Consequently, when an environment variable contains information that is available by other means, including system properties, that environment variable must not be used. Finally, environment variables must not be used without appropriate validation.
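As an added example (not code from the original page), the following Java program puts both rules side by side. The user name is taken from the user.name system property rather than from USER, because the same information is available without consulting the environment. For a variable that has no system-property equivalent, here a hypothetical APP_CONFIG_DIR, the value is checked against an allowlist pattern and the resulting path is confined beneath a trusted root before it is used. The variable name, the pattern and the root directory are assumptions chosen for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class EnvValidation {
  // Assumptions for this added example: the variable name, the allowed
  // character set and the root directory are illustrative, not from the page.
  private static final Pattern SAFE_DIR = Pattern.compile("[A-Za-z0-9_./-]{1,255}");
  private static final Path TRUSTED_ROOT =
      Paths.get("/etc/myapp").toAbsolutePath().normalize();

  /** Noncompliant: USER is whatever the parent process chose to put there. */
  static String userFromEnvironment() {
    return System.getenv("USER");
  }

  /** Compliant: the same information is available as a system property. */
  static String userFromProperty() {
    return System.getProperty("user.name");
  }

  /**
   * Compliant: APP_CONFIG_DIR has no property equivalent, so the value is
   * validated (allowlist of characters, bounded length) and then confined to
   * TRUSTED_ROOT so that absolute paths and ".." segments cannot escape it.
   */
  static Path configDirFromEnvironment() {
    String raw = System.getenv("APP_CONFIG_DIR");
    if (raw == null || !SAFE_DIR.matcher(raw).matches()) {
      throw new IllegalArgumentException(
          "APP_CONFIG_DIR is unset or contains disallowed characters");
    }
    // resolve() returns raw unchanged if raw is absolute; normalize() collapses
    // "." and ".." so the startsWith check sees the real target.
    Path dir = TRUSTED_ROOT.resolve(raw).normalize();
    if (!dir.startsWith(TRUSTED_ROOT)) {
      throw new IllegalArgumentException("APP_CONFIG_DIR escapes " + TRUSTED_ROOT);
    }
    return dir;
  }

  public static void main(String[] args) {
    System.out.println("USER (environment, untrusted): " + userFromEnvironment());
    System.out.println("user.name (system property):    " + userFromProperty());
    try {
      System.out.println("config dir: " + configDirFromEnvironment());
    } catch (IllegalArgumentException e) {
      System.err.println("rejected: " + e.getMessage());
    }
  }
}
```

Running this as `USER=root APP_CONFIG_DIR=../../etc/passwd java EnvValidation` shows the point of both rules: the first line prints the attacker-chosen value, the second still prints the account the process actually runs under (on Linux the JVM derives user.name from the account database for the process's uid, not from USER), and the config directory is rejected because it normalizes to a path outside the trusted root.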
...
Second, an attacker can execute this program with the USER environment variable set to any value he or she chooses. The following code example does just that on a POSIX platform:
```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;

// The page shows only main(); the enclosing class is added here so the
// fragment compiles and runs as a stand-alone program.
public class SetUser {
  public static void main(String args[]) {
    if (args.length != 1) {
      System.err.println("Please supply a user name as the argument");
      return;
    }
    String user = args[0];
    ProcessBuilder pb = new ProcessBuilder();
    pb.command("/usr/bin/printenv");
    // The child's environment starts as a copy of this process's environment;
    // overriding USER here affects the child and its descendants only.
    Map<String, String> environment = pb.environment();
    environment.put("USER", user);
    pb.redirectErrorStream(true);
    try {
      Process process = pb.start();
      InputStream in = process.getInputStream();
      int c;
      while ((c = in.read()) != -1) {
        System.out.print((char) c);
      }
      int exitVal = process.waitFor();
    } catch (IOException x) {
      x.printStackTrace(System.err); // forward to handler
    } catch (InterruptedException x) {
      x.printStackTrace(System.err); // forward to handler
    }
  }
}
```
This program runs the POSIX /usr/bin/printenv command, which prints out all environment variables and their values. It takes a single argument string and sets the USER environment variable to that string. The subsequent output of the printenv program will indicate that the USER environment variable is set to the string requested. Note that the target program itself is unchanged; whoever launches a process controls the environment it inherits, which is why a program cannot treat USER (or any other environment variable) as evidence of who is running it.
...
[API 2006] AA. Bibliography#API 06
[Campione 1996] AA. Bibliography#Campione 96
...