...
When programs execute in a more trusted domain than their environment, the program must assume that the values of environment variables are untrusted and must sanitize and validate any environment variable values before use.
The default values of system properties are set by the Java Virtual Machine (JVM) upon startup and can be considered trusted. However, they may be overridden by properties from untrusted sources, such as a configuration file. Properties System properties from untrusted sources must be sanitized and validated before use.
...
To maximize portability, never refer to an environment variable when the same value is available in a system property. For example, if the operating system provides a user name, it will always be available in the system property
user.name.
In factActually, relying on environment variables is more than a simple portability issue. An attacker can essentially control all environment variables that enter a program using a mechanism such as the java.lang.ProcessBuilder class.
Consequently, when an environment variable contains information that is available by other means, including system properties, that environment variable should must not be used. Untrusted Finally, environmental variables must not be used without appropriate validation.
...
| Code Block | ||
|---|---|---|
| ||
String username = System.getenv("USER");
|
This certainly First, this is a portability issue. The Java Tutorial Campione 1996 further suggests:
The way environment variables are used also varies. For example, Windows provides the user name in an environment variable called
USERNAME, while UNIX implementations might provide the user name inUSER,LOGNAME, or both.
FurthermoreSecond, an attacker can execute this program with the USER environment variable set to any value he or she chooses. The following code example does just that:
| Code Block | ||
|---|---|---|
| ||
public static void main(String args[]) {
if (args.length != 1) {
System.err.println("Please supply a user name as the argument");
return;
}
String user = args[0];
ProcessBuilder pb = new ProcessBuilder();
pb.command("/usr/bin/printenv");
Map<String,String> environment = pb.environment();
environment.put("USER", user);
pb.redirectErrorStream(true);
try {
Process process = pb.start();
InputStream in = process.getInputStream();
int c;
while ((c = in.read()) != -1) {
System.out.print((char) c);
}
int exitVal = process.waitFor();
} catch (IOException x) {
x.printStackTrace(System.err);
} catch (InterruptedException x) {
x.printStackTrace(System.err);
}
}
|
This program runs the program /usr/bin/printenv command, which prints out all environment variables and their values. It takes a single argument string and sets the USER environment variable to that string. The subsequent output of the printenv program will indicate that the USER environment variable is indeed set to the string requested.
...
This compliant solution obtains the user name using the user.name system property. This property always contains The Java Virtual Machine (JVM), upon initialization sets this system property to the correct user name, even when the USER environment variable has been set to an incorrect value or is missing.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b94df8765f8e24e0-bd7ea6d0-44da4f3f-a921b427-ba9d7d60b16a39c5bc80760f"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2a37dcb5043bc02b-cfeb2b10-487b46f0-b6bfbf6c-1470cb716f431519823fb822"><ac:plain-text-body><![CDATA[ | [[Campione 1996 | AA. Bibliography#Campione 96]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
...