Page History

The getenv() function searches an environment list for a string that matches a specified name , and returns a pointer to a string associated with the matched list member. Due to the manner in which environment variables are stored.

Subclause 7.22.4.6 of the C Standard [ISO/IEC 9899:2011] states:

The set of environment names and the method for altering the environment list are implementation-defined.

Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results .Depending on the implementation, if a program may not cannot consistently choose the same value if there are multiple environment variables with the same name. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. Other implementations are following suitHowever, although it is unwise to rely on this behavior.

One common difference between implementations is whether or not environment variables are case sensitive. Although UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" [MSDN].

Duplicate Environment Variable Detection (POSIX)

Here is The following code defines a function that uses the POSIX environ array (specified in POSIX) to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, and so the program immediately terminates if a duplicate is detected.

extern char ** environ;

int main(void) {
  if (multiple_vars_with_same_name()) {
    printf("Someone may be tampering.\n");
    return 1;
  }

  /* ... */

  return 0;
}

int multiple_vars_with_same_name(void) {
  size_t i;
  size_t j;
  size_t k;
  size_t l;
  size_t len_i;
  size_t len_j;

  for(size_t i = 0; environ[i] != NULL; i++) {
    for(size_t j = i; environ[j] != NULL; j++) {
      if (i != j) {
        k = 0;
        l = 0;

        len_i = strlen(environ[i]);
        len_j = strlen(environ[j]);

        while (k < len_i && l < len_j) {
          if (environ[i][k] != environ[j][l])
            break;

          if (environ[i][k] == '=')
            return 1;

          k++;
          l++;
        }
      }
    }
  }
  return 0;
}

...

Noncompliant Code Example

This noncompliant code example behaves differently when compiled under and run on Linux and Windows, because in Windows, environment variables are case-insensitive.Microsoft Windows platforms:

char *temp;

if (putenv("TEST_ENV=foo") != 0) {
  /* Handle Errorerror */
}
if (putenv("Test_ENV=bar") != 0) {
  /* Handle Errorerror */
}

const char *temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle Errorerror */
}

printf("%s\n", temp);

On a test an IA-32 Linux machine with GCC Compiler Version 3.4.4, this code prints:

foo

Whereaswhereas, on a test an IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express, it prints:

bar

Compliant Solution

Portable code should use environment variables that differ by more than capitalization.:

char *temp;

if (putenv("TEST_ENV_1=foo") != 0) {
  /* Handle Errorerror */
}
if (putenv("TESTOTHER_ENV_2=bar") != 0) {
  /* Handle Errorerror */
}

const char *temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle Errorerror */
}

printf("%s\n", temp);

Risk Assessment

An adversary attacker can create multiple environment variables with the same name (for example, by using the POSIX execve() function). If the program checks one copy but uses another, security checks may be circumvented.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment"

Related Guidelines

Bibliography

...

Image Added Image Added Image AddedENV01-A. Do not make assumptions about the size of an environment variable      10. Environment (ENV)       ENV03-A. Sanitize the environment when invoking external programs