C99 [[ISO/IEC 9899:1999]] defines getenv
as follows:
The
getenv
function returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program, but may be overwritten by a subsequent call to thegetenv
function. If the specified name cannot be found, a null pointer is returned.
Consequently, if the string returned by getenv()
needs to be altered, a local copy should be created to ensure that the environment is not directly and unintentionally modified.
Non-Compliant Code Example
This non-compliant code example modifies the string returned by getenv()
by replacing all double quote ("
) characters with underscores.
void strtr(char *str, char orig, char rep) { while (*str != '\0') { if (*str == orig) { *str = rep; } str++; } } /* ... */ char *env = getenv("TEST_ENV"); if (env == NULL) { /* Handle Error */ } strtr(env,'"', '_'); /* ... */
Compliant Solution (local copy)
For the case where the intent of the non-compliant code example is to use the modified value of the environment variable locally and not modify the environment, this compliant solution makes a local copy of that string value, and then modifies the local copy.
char const *env; char *copy_of_env; env = getenv("TEST_ENV"); if (env == NULL) { /* Handle Error */ } copy_of_env = (char *)malloc(strlen(env) + 1); if (copy_of_env == NULL) { /* Handle Error */ } strcpy(copy_of_env, env); strtr(copy_of_env,'\"', '_');
Compliant Solution (modifying the environment in POSIX)
For the case where the intent is to modify the environment, this compliant solution will save the altered string back into the environment by using the POSIX setenv()
and strdup()
functions.
char const *env; char *copy_of_env; env = getenv("TEST_ENV"); if (env == NULL) { /* Handle Error */ } copy_of_env = strdup(env); if (copy_of_env == NULL) { /* Handle Error */ } strtr(copy_of_env,'\"', '_'); if (setenv("TEST_ENV", copy_of_env, 1) != 0) { /* Handle Error */ }
Risk Assessment
The modified string may be overwritten by a subsequent call to the getenv()
function. Depending on the implementation, modifying the string returned by getenv()
may or may not modify the environment.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ENV30-C |
low |
probable |
medium |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899:1999]] Section 7.20.4.5, "The getenv
function"
[[Open Group 04]] getenv
ENV04-A. Do not call system() if you do not need a command processor 10. Environment (ENV)