Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft C/C++test 10.4

The getenv() function searches an environment list for a string that matches a specified name and returns a pointer to a string associated with the matched list member.

Subclause 7.22.4.6 of the C Standard Wiki MarkupSection 7.20.4.5 of C99 states: \[ [ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]2011] states:

The set of environment names and the method for altering the environment list are implementation-defined.

The getenv() function searches an environment list for a string that matches a specified name, and returns a pointer to a string associated with the matched list member. Depending on the implementation, multiple environment variables with the same name may be allowed and can cause unexpected results if a program cannot consistently choose the same value. The GNU glibc library addresses this issue in getenv() and setenv() by always using the first variable it encounters and ignoring the rest. Other implementations are following suitHowever, although it is unwise to rely on this .

Running a program with duplicate environment variables is a fairly simple task, as the execve() function has the signature:

Code Block

int execve(const char *filename, char *const argv[], char *const envp[]);

and makes no guarantees with regard to duplicate variables in its envp argument.

behavior.

One common difference between implementations is whether or not environment variables are case sensitive. Although UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows Wiki MarkupOne common difference between implementations is whether or not environment variables are case sensitive. While UNIX-like implementations are generally case sensitive, environment variables are "not case sensitive in Windows 98/Me and Windows NT/2000/XP" \ [[MSDN|AA. C References#MSDN]\].

Duplicate Environment Variable Detection (POSIX)

The following code defines a function that uses the POSIX environ array to manually search for duplicate key entries. Any duplicate environment variables are considered an attack, so the program immediately terminates if a duplicate is detected.

Code Block
bgColor#ccccff
langc

extern char ** environ;

int main(void) {
  if (multiple_vars_with_same_name()) {
    printf("Someone may be tampering.\n");
    return 1;
  }

  /* ... */

  return 0;
}

int multiple_vars_with_same_name(void) {
  size_t i;
  size_t j;
  size_t k;
  size_t l;
  size_t len_i;
  size_t len_j;

  for(size_t i = 0; environ[i] != NULL; i++) {
    for(size_t j = i; environ[j] != NULL; j++) {
      if (i != j) {
        k = 0;
        l = 0;

        len_i = strlen(environ[i]);
        len_j = strlen(environ[j]);

        while (k < len_i && l < len_j) {
          if (environ[i][k] != environ[j][l])
            break;

          if (environ[i][k] == '=')
            return 1;

          k++;
          l++;
        }
      }
    }
  }
  return 0;
}

...

Noncompliant Code Example

The following non-compliant code This noncompliant code example behaves differently when compiled under test and run on Linux and Microsoft Windows implementations.platforms:

Code Block
bgColor#ffcccc
langc

char *temp;

if (putenv("TEST_ENV=foo") != 0) {
  /* Handle Errorerror */
}
if (putenv("Test_ENV=bar") != 0) {
  /* Handle Errorerror */
}

const char *temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle Errorerror */
}

printf("%s\n", temp);

On a test an IA-32 Linux machine with GCC Compiler Version 3.4.4, this code prints:

Code Block

foo

Whereaswhereas, on a test an IA-32 Windows XP machine with Microsoft Visual C++ 2008 Express, it prints:

Code Block

bar

Compliant Solution

Portable code should use environment variables that differ by more than capitalization.:

Code Block
bgColor#ccccff
langc

char *temp;

if (putenv("TEST_ENV=foo") != 0) {
  /* Handle Errorerror */
}
if (putenv("OTHER_ENV=bar") != 0) {
  /* Handle Errorerror */
}

const char *temp = getenv("TEST_ENV");

if (temp == NULL) {
  /* Handle Errorerror */
}

printf("%s\n", temp);

Risk Assessment

An adversary attacker can create multiple environment variables with the same name (for example, by using the POSIX execve() function). If the program checks one copy but uses another, security checks may be circumvented.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV02-

A

C

low

Low

unlikely

Unlikely

medium

Medium

P2

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE




Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-ENV02-a

Usage of system properties (environment variables) should be restricted

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

References

...

Beware of multiple environment variables with the same effective name
ISO/IEC TR 24772:2013Executing or Loading Untrusted Code [XYS]
MITRE CWECWE-462, Duplicate key in associative list (Alist)
CWE-807, Reliance on untrusted inputs in a security decision

Bibliography

...

...

2011]Section 7.22.4,

...

"Communication

...

with

...

the

...

Environment"

...

[

...


...

Image Added Image Added Image Added|AA. C References#MSDN]\] [{{getenv()}}|http://msdn.microsoft.com/en-us/library/tehxacec(VS.71).aspx]ENV01-A. Do not make assumptions about the size of an environment variable      10. Environment (ENV)       ENV03-A. Sanitize the environment when invoking external programs