Page History

The getenv() function searches an environment list for a string that matches a specified name and returns a pointer to a string associated with the matched list member.

Section Subclause 7.22.4.6 of the C Standard [ISO/IEC 9899:2011] states:

...

Noncompliant Code Example

The following This noncompliant code example behaves differently when compiled and run on Linux and Microsoft Windows platforms:

...

An attacker can create multiple environment variables with the same name (for example, by using the POSIX execve() function). If the program checks one copy but uses another, security checks may be circumvented.

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
ENV02-C

low

Low

unlikely

Unlikely

medium

Medium

P2

L3

Automated Detection

Tool	Version	Checker	Description
Compass/ROSE

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-ENV02-a

Usage of system properties (environment variables) should be restricted

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++

Secure

Coding Standard

ENV02

VOID ENV00-CPP. Beware of multiple environment variables with the same effective name
ISO/IEC TR 24772:2013	Executing or Loading Untrusted Code [XYS]
MITRE CWE	CWE-462, Duplicate key in associative list (Alist) CWE-807, Reliance on untrusted inputs in a security decision

Bibliography

[ISO/IEC 9899:2011]	Section 7.22.4, "Communication with the Environment"
[MSDN]	`getenv()`

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 73

New Version Current

Key

Noncompliant Code Example

Automated Detection

Related Vulnerabilities

Related Guidelines

Bibliography