The getenv()
function searches an environment list for a string that matches a specified name, and returns a pointer to a string associated with the matched list member. Due to the way environment variables are stored, multiple environment variables with the same name can cause unexpected results. You may end up checking one value, but actually returning another.
Implementation Details
Depending on the implementation, a program may not consistently choose the same value if there are multiple environment variables with the same name. The GNU glibc library attempts to deal with this issue in getenv()
and setenv()
by always using the first variable it comes across, and ignoring the rest. unsetenv()
will remove all the entries matching the variable name. Other implementations are following this lead.
The glibc getenv()
and setenv()
functions will always choose the same value, so using them is a good option.
char *temp; char *copy; if ((temp = getenv("TEST_ENV")) != NULL) { copy= malloc(strlen(temp) + 1); if (copy != NULL) { strcpy(copy, temp); } else { /* handle error condition */ } copy[0] = 'a'; setenv("TEST_ENV", copy, 1); } else { return -1; }
In addition, it is possible to search through environ
checking for multiple entries of a variable. Upon finding a duplicate, abort()
. It is very unlikely that there would be a need for more than one variable of the same name.
Risk Assessment
An adversary could create several environment variables with the same name. If the program checks against one copy, but actually uses another, this could be a clear problem.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ENV02-A |
2 (medium) |
1 (unlikely) |
3 (low) |
P6 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.20.4, "Communication with the environment"
ENV01-A. Do not make assumptions about the size of an environment variable 11. Environment (ENV) ENV03-A. Sanitize the environment before invoking external programs