
variants we’re explicitly supporting in this book, Darwin is the major exception here because it does not use ELF (Executable and Linking Format) for its executable format) and most standard implementations of malloc() all recognize a wide variety of environment variables that control their behavior.

In most cases, you should never be doing anything in your programs that will make use of the PATH environment variable. Circumstances do exist in which it may be reasonable to do so, but make sure to weigh your options carefully beforehand. Indeed, you should consider carefully whether you should be using any environment variable in your programs. Regardless, if you launch external programs from within your program, you may not have control over what the external programs do, so you should take care to provide any external programs you launch with a sane and secure environment.

In particular, the two environment variables IFS and PATH should always be forced to sane values. The IFS environment variable is somewhat obscure, but it is used by many shells to determine which characters separate command-line arguments. Modern Unix shells use a reasonable default value for IFS if it is not already set. Nonetheless, you should defensively assume that the shell does nothing of the sort. Therefore, instead of simply deleting the IFS environment variable, set it to something sane, such as a space, tab, and newline character.

The PATH environment variable is used by the shell and some of the exec*() family of standard C functions to locate an executable if a path is not explicitly specified. The search path should never include relative paths, especially the current directory as denoted by a single period. To be safe, you should always force the setting of the PATH environment variable to _PATH_STDPATH, which is defined in paths.h. This value is what the shell normally uses to initialize the variable, but an attacker or naïve user could change it later. The definition of _PATH_STDPATH differs from platform to platform, so you should always use that value so that you get the right standard paths for the system your program is running on.

Finally, the TZ environment variable denotes the time zone that the program should use, when relevant. Because users may not be in the same time zone as the machine (which will use a default whenever the variable is not set), it is a good idea to preserve this variable, if present. Note also that this variable is generally used by the OS, not the application. If you’re using it at the application level, make sure to do proper input validation to protect against problems such as buffer overflow.

Finally, a special environment variable,, is defined to be the time zone on many systems. All systems will use it if it is defined, but while most systems will get along fine without it, some systems will not function properly without its being set. Therefore, you should preserve it if it is present.

Any other environment variables that are defined should be removed unless you know, for some reason, that you need the variable to be set. For any environment
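The rules above (force IFS and PATH to sane values, preserve TZ only after validating it, drop everything else) worked through as an added example; this is not the book's own code. The function names build_safe_environment(), env_lookup() and free_environment(), and the 128-byte printable-ASCII check used as the TZ validation, are assumptions of this example, not names from the text.

```c
#include <ctype.h>
#include <paths.h>
#include <stdlib.h>
#include <string.h>
#ifndef _PATH_STDPATH                 /* fallback if the platform lacks it */
#define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
#endif

static char *dup_string(const char *s) {   /* strdup without needing POSIX feature macros */
    char *copy = malloc(strlen(s) + 1);
    return copy ? strcpy(copy, s) : NULL;
}

/* Return the value part of entry if it reads "name=value", otherwise NULL. */
static const char *env_value(const char *entry, const char *name) {
    size_t n = strlen(name);
    return (strncmp(entry, name, n) == 0 && entry[n] == '=') ? entry + n + 1 : NULL;
}

/* Stand-in for the input validation the text asks for on a preserved TZ value:
 * non-empty, at most 128 bytes, printable ASCII only (an assumed policy, not the book's). */
static int value_is_sane(const char *v) {
    size_t len = strlen(v);
    if (len == 0 || len > 128) return 0;
    for (; *v; v++) if (!isprint((unsigned char)*v)) return 0;
    return 1;
}

/* Fill out[] (capacity max, NULL-terminated) with IFS and PATH forced to sane values,
 * TZ copied from env only if present and sane, and nothing else. Returns the entry
 * count, or -1 if out is too small. Entries are malloc'd; see free_environment(). */
int build_safe_environment(char *const *env, char **out, size_t max) {
    size_t n = 0;
    if (max < 4) return -1;           /* IFS, PATH, optional TZ, terminator */
    out[n++] = dup_string("IFS= \t\n");
    out[n++] = dup_string("PATH=" _PATH_STDPATH);
    for (size_t i = 0; env && env[i]; i++) {
        const char *tz = env_value(env[i], "TZ");
        if (tz && value_is_sane(tz)) { out[n++] = dup_string(env[i]); break; }
    }
    out[n] = NULL;
    return (int)n;
}

/* Look up name in a NULL-terminated environment array; NULL if absent. */
const char *env_lookup(char *const *env, const char *name) {
    const char *v = NULL;
    for (size_t i = 0; env && env[i] && !v; i++) v = env_value(env[i], name);
    return v;
}

void free_environment(char **env) { for (size_t i = 0; env[i]; i++) free(env[i]); }
```

The resulting array is what you would hand to execve() or a similar call as the child's environment instead of the inherited one.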

4 | Chapter 1: Safe Initialization

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
