WUtil: make use of secure_getenv if the function is available

As pointed by Coverity (#50226), the function getenv can return unreliable data, so if a sensitive application makes uses of the function 'wgethomedir' or 'wusergnusteppath' we'd better use the GNU function secure_getenv which ignore environment variable when used in a known critical cases. Signed-off-by: Christophe CURIS <christophe.curis@free.fr>
2026-01-04 12:54:20 +01:00 · 2014-05-18 00:56:43 +02:00
parent 3aae412588
commit a72c166b6e
4 changed files with 34 additions and 0 deletions
--- a/WINGs/findfile.c
+++ b/WINGs/findfile.c
@@ -46,7 +46,11 @@ char *wgethomedir()
 	if (home)
 		return home;

+#ifdef HAVE_SECURE_GETENV
+	tmp = secure_getenv("HOME");
+#else
 	tmp = getenv("HOME");
+#endif
 	if (tmp) {
 		home = wstrdup(tmp);
 		return home;