docandrew | 1 year ago

I’d argue that libraries shouldn’t read environment variables at all. They’re passed on the initial program stack and look just like stack vars, so the issue here is essentially the same as taking the address of a stack variable and misusing it.

Just like a library wouldn’t try to use argv directly, it shouldn’t use envp either (even if done via getenv/setenv).

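The separation argued for in the comment above, sketched in C as an added example (not code from the comment or from any particular library): the application reads the environment once and hands the library an owned copy, so the library never calls getenv itself. The names `lib_config`, `lib_cache_dir`, `app_config_from_env` and `DEMO_CACHE_DIR` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv(), strdup() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical library interface: configuration is passed in by the caller,
 * the library itself never touches the environment. */
struct lib_config {
    char *cache_dir;   /* owned copy, valid until lib_config_free() */
};

/* Library side: uses only what the caller handed over. */
const char *lib_cache_dir(const struct lib_config *cfg)
{
    return cfg->cache_dir ? cfg->cache_dir : "/tmp";
}

/* Application side: read the environment once, early, and copy the value so
 * later setenv()/putenv() calls cannot change or invalidate what the library sees. */
int app_config_from_env(struct lib_config *cfg, const char *var)
{
    const char *v = getenv(var);
    cfg->cache_dir = NULL;
    if (v == NULL || *v == '\0')
        return 0;                  /* unset or empty: library default applies */
    cfg->cache_dir = strdup(v);
    return cfg->cache_dir ? 0 : -1;
}

void lib_config_free(struct lib_config *cfg)
{
    free(cfg->cache_dir);
    cfg->cache_dir = NULL;
}

int main(void)
{
    struct lib_config cfg;
    setenv("DEMO_CACHE_DIR", "/var/cache/demo", 1);   /* constructed sample value */
    if (app_config_from_env(&cfg, "DEMO_CACHE_DIR") != 0)
        return 1;
    setenv("DEMO_CACHE_DIR", "/somewhere/else", 1);   /* later change by other code */
    printf("library uses:    %s\n", lib_cache_dir(&cfg));
    printf("environment now: %s\n", getenv("DEMO_CACHE_DIR"));
    lib_config_free(&cfg);
    return 0;
}
```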