Do not modify the value returned by the getenv()
function. Create a copy and make your changes locally, so that they are not overwritten. According to C99 [[ISO/IEC 9899:1999]]:
The
getenv
function returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program, but may be overwritten by a subsequent call to thegetenv
function. If the specified name cannot be found, a null pointer is returned.
Non-Compliant Code Example
This non-compliant code example modifies the string returned by getenv()
.
char *env = getenv("TEST_ENV"); env[0] = 'a';
Compliant Solution (local copy)
For the case where the intent of the non-compliant code example is to use the modified value of the environment variable locally and not modify the environment, this compliant solution makes a local copy of that string value, and then modifies the local copy.
char const *env; char *copy_of_env; env = getenv("TEST_ENV"); if (env != NULL) { copy_of_env = (char *)malloc(strlen(env) + 1); if (copy_of_env != NULL) { strcpy(copy_of_env, env); } else { /* Error handling */ } copy_of_env[0] = 'a'; }
Compliant Solution (modifying the environment in POSIX)
For the case where the intent of the non-compliant code example is to modify the environment, this compliant solution will perform that action using the POSIX putenv()
function.
char const *env; char *copy_of_env; env = getenv("TEST_ENV"); if (env != NULL) { copy_of_env = (char *)malloc(sizeof("TEST_ENV=") + strlen(env)); if (copy_of_env != NULL) { strcpy(copy_of_env, "TEST_ENV="); strcat(copy_of_env, env); copy_of_env[sizeof("TEST_ENV=") - 1] = 'a'; if (putenv(copy_of_env) != 0) { /* handle error */ } } else { /* Error handling */ } }
Risk Assessment
The modified string may be overwritten by a subsequent call to the getenv()
function. Depending on the implementation, modifying the string returned by getenv()
may or may not modify the environment.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ENV30-C |
low |
probable |
medium |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899:1999]] Section 7.20.4.5, "The getenv
function"
[[Open Group 04]] getenv
ENV04-A. Do not call system() if you do not need a command processor 10. Environment (ENV)