SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 2

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft C/C++test 10.4

The getenv() function searches an environment list , provided by the host environment, for a string that matches a specified name . The getenv() function and returns a pointer to a string associated with the matched list member. Due to the way environment variables are stored.

Subclause 7.22.4.6 of the C Standard [ISO/IEC 9899:2011] states:

The set of environment names and the method for altering the environment list are implementation-defined.

Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results .

Implementation Details

Depending on the implementation, if a program may not cannot consistently choose the same value if there are multiple environment variables with the same name. The GNU glibc library attempts to deal with addresses this issue ( in getenv() and setenv()) by always using the first variable it comes across, encounters and ignoring the rest. unsetenv() will remove all the entries matching the variable name.

Non-Compliant Coding Example

However, it is unwise to rely on this behavior.

One common difference between implementations is whether or not environment variables are case sensitive. Although UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" [MSDN].

Duplicate Environment Variable Detection (POSIX)

The following code defines a function that uses the POSIX environ array to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, so the program immediately terminates if a duplicate is detectedThis non-compliant code example compares the value of the TMP and TEMP environment variables to determine if they are the same. This code example is non-compliant because the string referenced by tmpvar may be overwritten as a result of the second call to getenv() function. As a result, it is possible that both tmpvar and tempvar will compare equal even if the two environment variables have different values.

Code Block
bgColor#FFcccc#ccccff
langc
extern 
char *tmpvar;
char *tempvarenviron;

tmpvarint = getenv("TMP");
if (!tmpvar) return -1;
tempvar = getenv("TEMP");
if (!tempvar) return -1;

if (strcmp(tmpvar, tempvar) == 0main(void) {
  if (multiple_vars_with_same_name()) {
   puts printf("TMPSomeone andmay TEMP are the samebe tampering.\n");
    return 1;
  }
else {
  puts("TMP and TEMP are NOT the same.\n")/* ... */

  return 0;
}

Compliant Solution (Windows)

Microsoft Visual Studio 2005 provides provides the getenv_s() and _wgetenv_s() functions for getting a value from the current environment.

Code Block
bgColor#ccccff

char *tmpvar;
char *tempvar;
size_t requiredSize;

getenv_s(&requiredSize, NULL, 0, "TMP");
tmpvar= malloc(requiredSize * sizeof(char));
if (!tmpvar) {
   /* handle error condition */
}
getenv_s(&requiredSize, tmpvar, requiredSize, "TMP" );

getenv_s(&requiredSize, NULL, 0, "TEMP");
tempvar= malloc(requiredSize * sizeof(char));
if (!tempvar

int multiple_vars_with_same_name(void) {
  size_t i;
  size_t j;
  size_t k;
  size_t l;
  size_t len_i;
  size_t len_j;

  for(size_t i = 0; environ[i] != NULL; i++) {
    for(size_t j = i; environ[j] != NULL; j++) {
   /* handle error condition */
}
getenv_s(&requiredSize, tempvar, requiredSize, "TEMP" );

if (strcmp(tmpvar, tempvar) == 0i != j) {
     puts("TMP and TEMP arek the same.\n");
}
else {
  puts("TMP and TEMP are NOT the same.\n");
}

Compliant Solution (Windows)

Wiki Markup
Microsoft Visual Studio 2005 provides provides the {{\_dupenv_s()}} and {{\_wdupenv_s()}} functions for getting a value from the current environment.  \[[Microsoft Visual Studio 2005/.NET Framework 2.0 help pages|http://msdn2.microsoft.com/en-us/library/ms175774(VS.80).aspx]\].

The _dupenv_s() function searches the list of environment variables for a specified name. If the name is found, a buffer is allocated, the variable's value is copied into the buffer, and the buffer's address and number of elements are returned. By allocating the buffer itself, _dupenv_s() provides a more convenient alternative to getenv_s(), _wgetenv_s().

It is the calling program's responsibility to free the memory by calling free().

Code Block
bgColor#ccccff

char *tmpvar;
char *tempvar;
size_t len;

errno_t err = _dupenv_s(&tmpvar, &len, "TMP");
if (err) return -1;
errno_t err = _dupenv_s(&tempvar, &len, "TEMP");
if (err) {
  free(tmpvar);
  return -1;
}

if (strcmp(tmpvar, tempvar) == 0) {
  puts("TMP and TEMP are the same.\n");
}
else {
  puts("TMP and TEMP are NOT the same.\n");
}
free(tmpvar);
free(tempvar);

Compliant Solution (POSIX)

The following compliant solution depends on the POSIX strdup() function to make a copy of the environment variable string.

Code Block
bgColor#ccccff

char *tmpvar = strdup(getenv("TMP"));
char *tempvar = strdup(getenv("TEMP"));
if (!tmpvar) return -1;
if (!tempvar) return -1;

if (strcmp(tmpvar, tempvar) == 0) {
  puts("TMP and TEMP are the same.\n");
}
else {
  puts("TMP and TEMP are NOT the same.\n");
}

Wiki Markup
If an environmental variable does not exist, the call to {{getenv()}} returns a null pointer.  In these cases, the call to {{strdup()}} should also return a null pointer, but it is important to verify this as this behavior is not guaranteed by POSIX \[[Open Group 04|AA. C References#Open Group 04]\]

Compliant Solution

This compliant solution is fully portable.

Code Block
bgColor#ccccff

char *tmpvar;
char *tempvar;
char *temp;

if ( (temp = getenv("TMP")) != NULL) {
  tmpvar= malloc(strlen(temp)+1);
  if (tmpvar != NULL) {
    strcpy(tmpvar, temp);
  }
  else {
    /* handle error condition */
  }
}
else {
  return -1;
}

if ( (temp = getenv("TEMP")) != NULL) {
  tempvar= malloc(strlen(temp)+1);
  if (tempvar != NULL) {
    strcpy(tempvar, temp);
  }
  else {
    /* handle error condition */
  }
}
else {
  return -1;
}

if (strcmp(tmpvar, tempvar) == 0) {
  puts("TMP and TEMP are the same.\n");
}
else {
  puts("TMP and TEMP are NOT the same.\n");
}

Risk Assessment

= 0;
        l = 0;

        len_i = strlen(environ[i]);
        len_j = strlen(environ[j]);

        while (k < len_i && l < len_j) {
          if (environ[i][k] != environ[j][l])
            break;

          if (environ[i][k] == '=')
            return 1;

          k++;
          l++;
        }
      }
    }
  }
  return 0;
}

Noncompliant Code Example

This noncompliant code example behaves differently when compiled and run on Linux and Microsoft Windows platforms:

Code Block
bgColor#ffcccc
langc
if (putenv("TEST_ENV=foo") != 0) {
  /* Handle error */
}
if (putenv("Test_ENV=bar") != 0) {
  /* Handle error */
}

const char *temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle error */
}

printf("%s\n", temp);

On an IA-32 Linux machine with GCC 3.4.4, this code prints

Code Block
foo

whereas, on an IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express, it prints

Code Block
bar

Compliant Solution

Portable code should use environment variables that differ by more than capitalization:

Code Block
bgColor#ccccff
langc
if (putenv("TEST_ENV=foo") != 0) {
  /* Handle error */
}
if (putenv("OTHER_ENV=bar") != 0) {
  /* Handle error */
}

const char *temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle error */
}

printf("%s\n", temp);

Risk Assessment

An attacker can create multiple environment variables with the same name (for example, by using the POSIX execve() function). If the program checks one copy but uses another, security checks may be circumvented.

Recommendation

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ENV02-

A

3 (high)

1 (low)

1 (high)

P3

L3

C

Low

Unlikely

Medium

P2

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE




Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-ENV02-a

Usage of system properties (environment variables) should be restricted

Related Vulnerabilities

Search for Examples of vulnerabilities resulting from the violation of this recommendation can be found rule on the CERT website.

References

Related Guidelines

SEI CERT C++ Coding StandardVOID ENV00-CPP. Beware of multiple environment variables with the same effective name
ISO/IEC TR 24772:2013Executing or Loading Untrusted Code [XYS]
MITRE CWECWE-462, Duplicate key in associative list (Alist)
CWE-807, Reliance on untrusted inputs in a security decision

Bibliography

[ISO/IEC 9899:2011]Section 7.22.4, "Communication with the Environment"
[MSDN]getenv()


...

Image Added Image Added Image Added Wiki Markup\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment" \[[Open Group 04|AA. C References#Open Group 04]\] Chapter 8, "Environment Variables", [strdup|http://www.opengroup.org/onlinepubs/009695399/functions/strdup.html] \[[Viega 03|AA. C References#Viega 03]\] Section 3.6, "Using Environment Variables Securely"