| To: | austin-group-l@xxxxxxxxxxxxx |
|---|---|
| Subject: | Re: [Fwd: Re: Clearing environ] |
| From: | Geoff Clare <gwc@xxxxxxxxxxxxx> |
| Date: | Fri, 1 Aug 2008 17:07:15 +0100 |
| References: | <1217604384.26163.32.camel@xxxxxx> <200808011542.m71Fgc2p002689@xxxxxx> |

Glenn Fowler <gsf@xxxxxx> wrote, on 01 Aug 2008:

> > From: "Robert C. Seacord" <rcs:cert.org>
>
> > We have a write-up and associated discussion on this topic in The CERT C
> > Secure Coding Standard:
>
> > ENV03-C. Sanitize the environment when invoking external programs
> > <https://www.securecoding.cert.org/confluence/display/seccode/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs>
>
> interesting that clearenv() is labeled non-standard and
> then used as part of a compliant solution

Well, it does say it may be used "if available":

"The non-standard function clearenv() may be used to clear out the environment where available, otherwise it can be cleared by obtaining a list of environment variable names from environ and removing each one using unsetenv()."

Where the code uses it, I suppose the reader is expected to work out that if clearenv() is not available the code should do the "otherwise" thing.

--
Geoff Clare <g.clare@xxxxxx>
The Open Group, Thames Tower, Station Road, Reading, RG1 1LX, England
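
The "otherwise" path from the passage quoted in the message above (take names from environ and remove each with unsetenv()), as an added example that is not part of the original message or the CERT write-up. The names `clear_environment` and `env_count` and the fail-closed handling of malformed entries are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Number of entries currently in environ. */
static size_t env_count(void)
{
    size_t n = 0;
    while (environ != NULL && environ[n] != NULL)
        n++;
    return n;
}

/* Hypothetical fallback for platforms without clearenv().
 * unsetenv() may shift or replace the environ array, so re-read environ[0]
 * on every pass instead of walking it with a saved pointer or index.
 * Returns 0 when the environment is empty, -1 if an entry cannot be removed. */
int clear_environment(void)
{
    size_t remaining = env_count();

    while (remaining > 0) {
        const char *entry = environ[0];
        const char *eq = strchr(entry, '=');
        size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
        char *name = len ? malloc(len + 1) : NULL;
        if (name == NULL)            /* empty name ("=v") or out of memory */
            return -1;
        memcpy(name, entry, len);    /* copy: entry may be gone after unsetenv() */
        name[len] = '\0';
        int rc = unsetenv(name);
        free(name);
        size_t now = env_count();
        if (rc != 0 || now >= remaining)
            return -1;               /* nothing removed (e.g. no '='): fail closed */
        remaining = now;
    }
    return 0;
}

int main(void)
{
    setenv("EXAMPLE_VAR", "constructed", 1);   /* constructed sample variable */
    int rc = clear_environment();
    printf("rc=%d remaining=%zu\n", rc, env_count());
    return 0;
}
```

A caller that gets -1 should not go on to invoke the external program, since the environment is then in an unknown state.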