The getenv()
function searches an environment list, provided by the host environment, for a string that matches a specified name. Do not rely on the pointer to the string returned by getenv()
following a subsequent invocation.
According to C99 [[ISO/IEC 9899-1999]]:
The getenv function returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program, but may be overwritten by a subsequent call to the getenv function.
This allows an implementation, for example, to copy the environmental variable to an internal static buffer and return a pointer to that buffer.
If you do not immediately make a copy of the value returned by getenv()
, but instead store the pointer somewhere for later use, you could end up with a dangling pointer or a different value altogether.
Non-Compliant Coding Example
char *pwd; char *home; pwd = getenv("PWD"); if (!pwd) return -1; home = getenv("HOME"); if (!home) return -1; if (strcmp(pwd, home) == 0) { puts("pwd and home are the same.\n"); } else { puts("pwd and home are NOT the same.\n"); }
Compliant Solution
There is a race condition here even after you call getenv() and before you copy. Be careful to only manipulate the process environment from a single thread at a time.
Risk Assessment
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ENV03-A |
2 (high) |
2 (probable) |
2 (medium) |
P8 |
L2 |
Examples of vulnerabilities resulting from the violation of this recommendation can be found on the CERT website.
References
[[Dowd 06]] Chapter 10, "UNIX II: Processes"
[[ISO/IEC 9899-1999]] Section 7.20.4, "Communication with the environment"
[[Open Group 04]] Chapter 8, "Environment Variables"
[[Viega 03]] Section 3.6, "Using Environment Variables Securely"
[[Wheeler 03]] Section 5.2, "Environment Variables"