Bug 1194680, Use PR_GetEnvSecure, r=jld

sailfishos-mirror · Jan 29, 2016 · 1a953f7 · 1a953f7
1 parent fb09962
commit 1a953f7
Show file tree

Hide file tree

Showing 49 changed files with 99 additions and 83 deletions.
diff --git a/cmd/httpserv/httpserv.c b/cmd/httpserv/httpserv.c
@@ -1268,11 +1268,11 @@ main(int argc, char **argv)
 	}
     }
 
-    tmp = getenv("TMP");
+    tmp = PR_GetEnvSecure("TMP");
     if (!tmp)
-	tmp = getenv("TMPDIR");
+	tmp = PR_GetEnvSecure("TMPDIR");
     if (!tmp)
-	tmp = getenv("TEMP");
+	tmp = PR_GetEnvSecure("TEMP");
     /* we're an ordinary single process server. */
     listen_sock = getBoundListenSocket(port);
     prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);

diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
@@ -416,7 +416,7 @@ SECU_DefaultSSLDir(void)
     char *dir;
     static char sslDir[1000];
 
-    dir = PR_GetEnv("SSL_DIR");
+    dir = PR_GetEnvSecure("SSL_DIR");
     if (!dir)
 	return NULL;
 
@@ -455,7 +455,7 @@ SECU_ConfigDirectory(const char* base)
 
 
     if (base == NULL || *base == 0) {
-	home = PR_GetEnv("HOME");
+	home = PR_GetEnvSecure("HOME");
 	if (!home) home = "";
 
 	if (*home && home[strlen(home) - 1] == '/')

diff --git a/cmd/lib/secutil.h b/cmd/lib/secutil.h
@@ -116,7 +116,7 @@ extern char *SEC_ReadDongleFile(int fd);
 /* Just sticks the two strings together with a / if needed */
 char *SECU_AppendFilenameToDir(char *dir, char *filename);
 
-/* Returns result of getenv("SSL_DIR") or NULL */
+/* Returns result of PR_GetEnvSecure("SSL_DIR") or NULL */
 extern char *SECU_DefaultSSLDir(void);
 
 /*

diff --git a/cmd/libpkix/pkix/top/test_validatechain_NB.c b/cmd/libpkix/pkix/top/test_validatechain_NB.c
@@ -249,7 +249,7 @@ int test_validatechain_NB(int argc, char *argv[]){
                 chainCerts,
                 plContext);
 
-        ldapName = PR_GetEnv("LDAP");
+        ldapName = PR_GetEnvSecure("LDAP");
         /* Is LDAP set in the environment? */
         if ((ldapName == NULL) || (*ldapName == '\0')) {
                 testError("LDAP not set in environment");
@@ -276,7 +276,7 @@ int test_validatechain_NB(int argc, char *argv[]){
 
         testSetupCertStore(valParams, ldapName);
 
-        logging = PR_GetEnv("LOGGING");
+        logging = PR_GetEnvSecure("LOGGING");
         /* Is LOGGING set in the environment? */
         if ((logging != NULL) && (*logging != '\0')) {
 

diff --git a/cmd/modutil/installparse.c b/cmd/modutil/installparse.c
@@ -201,9 +201,9 @@ yyparse()
     register int yym, yyn, yystate;
 #if YYDEBUG
     register char *yys;
-    extern char *getenv();
+    extern char *PR_GetEnvSecure();
 
-    if ((yys = getenv("YYDEBUG")) != NULL)
+    if ((yys = PR_GetEnvSecure("YYDEBUG")) != NULL)
     {
         yyn = *yys;
         if (yyn >= '0' && yyn <= '9')

diff --git a/cmd/pk11mode/pk11mode.c b/cmd/pk11mode/pk11mode.c
@@ -754,7 +754,7 @@ int main(int argc, char **argv)
 #ifdef _WIN32
     FreeLibrary(hModule);
 #else
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
     }

diff --git a/cmd/pk11util/pk11util.c b/cmd/pk11util/pk11util.c
@@ -1404,7 +1404,7 @@ unloadModule(Module *module)
 {
     char *disableUnload = NULL;
 
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
 
     if (module->library && !disableUnload) {
 	PR_UnloadLibrary(module->library);

diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
@@ -2459,12 +2459,12 @@ main(int argc, char **argv)
             testBulkBuf[i] = i;
     }
 
-    envString = getenv(envVarName);
-    tmp = getenv("TMP");
+    envString = PR_GetEnvSecure(envVarName);
+    tmp = PR_GetEnvSecure("TMP");
     if (!tmp)
-	tmp = getenv("TMPDIR");
+	tmp = PR_GetEnvSecure("TMPDIR");
     if (!tmp)
-	tmp = getenv("TEMP");
+	tmp = PR_GetEnvSecure("TEMP");
     if (envString) {
 	/* we're one of the children in a multi-process server. */
 	listen_sock = PR_GetInheritedFD(inheritableSockName);

diff --git a/cmd/shlibsign/shlibsign.c b/cmd/shlibsign/shlibsign.c
@@ -1288,7 +1288,7 @@ int main(int argc, char **argv)
     }
 #endif
 
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
     }

diff --git a/cmd/signtool/javascript.c b/cmd/signtool/javascript.c
@@ -64,7 +64,7 @@ InlineJavaScript(char *dir, PRBool recurse)
 	PR_fprintf(outputFD, "\nGenerating inline signatures from HTML files in: %s\n",
 	     dir);
     }
-    if (PR_GetEnv("SIGNTOOL_DUMP_PARSE")) {
+    if (PR_GetEnvSecure("SIGNTOOL_DUMP_PARSE")) {
 	dumpParse = PR_TRUE;
     }
 

diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
@@ -5,6 +5,7 @@
 #include "signtool.h"
 #include "prio.h"
 #include "prmem.h"
+#include "prenv.h"
 #include "nss.h"
 
 static int	is_dir (char *filename);
@@ -981,7 +982,7 @@ char	*get_default_cert_dir (void)
     static char	db [FNSIZE];
 
 #ifdef XP_UNIX
-    home = getenv ("HOME");
+    home = PR_GetEnvSecure ("HOME");
 
     if (home && *home) {
 	sprintf (db, "%s/.netscape", home);
@@ -994,7 +995,7 @@ char	*get_default_cert_dir (void)
 
     /* first check the environment override */
 
-    home = getenv ("JAR_HOME");
+    home = PR_GetEnvSecure ("JAR_HOME");
 
     if (home && *home) {
 	sprintf (db, "%s/cert7.db", home);

diff --git a/cmd/smimetools/cmsutil.c b/cmd/smimetools/cmsutil.c
@@ -1069,9 +1069,9 @@ main(int argc, char **argv)
     PRBool      batch = PR_FALSE;
 
 #ifdef NISCC_TEST
-    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
+    const char *ev = PR_GetEnvSecure("NSS_DISABLE_ARENA_FREE_LIST");
     PORT_Assert(ev); 
-    ev = PR_GetEnv("NSS_STRICT_SHUTDOWN");
+    ev = PR_GetEnvSecure("NSS_STRICT_SHUTDOWN");
     PORT_Assert(ev); 
 #endif 
 

diff --git a/cmd/strsclnt/strsclnt.c b/cmd/strsclnt/strsclnt.c
@@ -1448,7 +1448,7 @@ main(int argc, char **argv)
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
 
-    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
+    tmp = PR_GetEnvSecure("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
         int sec = PORT_Atoi(tmp);
 	if (sec > 0) {

diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
@@ -968,7 +968,7 @@ int main(int argc, char **argv)
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
-    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
+    tmp = PR_GetEnvSecure("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
        int sec = PORT_Atoi(tmp);
        if (sec > 0) {

diff --git a/external_tests/google_test/gtest/test/gtest_unittest.cc b/external_tests/google_test/gtest/test/gtest_unittest.cc
@@ -421,9 +421,9 @@ class FormatEpochTimeInMillisAsIso8601Test : public Test {
   virtual void SetUp() {
     saved_tz_ = NULL;
 
-    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* getenv, strdup: deprecated */)
-    if (getenv("TZ"))
-      saved_tz_ = strdup(getenv("TZ"));
+    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* PR_GetEnvSecure, strdup: deprecated */)
+    if (PR_GetEnvSecure("TZ"))
+      saved_tz_ = strdup(PR_GetEnvSecure("TZ"));
     GTEST_DISABLE_MSC_WARNINGS_POP_()
 
     // Set up the time zone for FormatEpochTimeInMillisAsIso8601 to use.  We

diff --git a/external_tests/ssl_gtest/ssl_gtest.cc b/external_tests/ssl_gtest/ssl_gtest.cc
@@ -1,4 +1,5 @@
 #include "nspr.h"
+#include "prenv.h"
 #include "nss.h"
 #include "ssl.h"
 
@@ -16,7 +17,7 @@ int main(int argc, char **argv) {
   ::testing::InitGoogleTest(&argc, argv);
   g_working_dir_path = ".";
 
-  char* workdir = getenv("NSS_GTEST_WORKDIR");
+  char* workdir = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
   if (workdir)
     g_working_dir_path = workdir;
 

diff --git a/lib/certdb/certdb.c b/lib/certdb/certdb.c
@@ -1344,7 +1344,7 @@ cert_TestHostName(char *cn, const char *hn)
     static int useShellExp = -1;
 
     if (useShellExp < 0) {
-        useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_IN_CERT_NAME"));
+        useShellExp = (NULL != PR_GetEnvSecure("NSS_USE_SHEXP_IN_CERT_NAME"));
     }
     if (useShellExp) {
         /* Backward compatible code, uses Shell Expressions (SHEXP). */

diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
@@ -1137,7 +1137,7 @@ cert_VerifyCertChainPkix(
     fnStackNameArr[0] = "cert_VerifyCertChainPkix";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
                                                                    PKIX_FALSE
                                                                    : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
@@ -2019,7 +2019,7 @@ CERT_PKIXVerifyCert(
     fnStackNameArr[0] = "CERT_PKIXVerifyCert";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
                                                                    PKIX_FALSE
                                                                    : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;

diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c
@@ -159,7 +159,7 @@ wantOcspTrace(void)
 
 #ifdef NSS_HAVE_GETENV
     if (firstTime) {
-        char *ev = getenv("NSS_TRACE_OCSP");
+        char *ev = PR_GetEnvSecure("NSS_TRACE_OCSP");
         if (ev && ev[0]) {
             wantTrace = PR_TRUE;
         }

diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
@@ -904,7 +904,7 @@ BL_Unload(void)
    * never does a handshake on it, BL_Unload will be called even though freebl
    * was never loaded. So, don't assert blLib. */
   if (blLib) {
-      disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+      disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
       if (!disableUnload) {
 #ifdef DEBUG
           PRStatus status = PR_UnloadLibrary(blLib);

diff --git a/lib/freebl/mpi/utils/isprime.c b/lib/freebl/mpi/utils/isprime.c
@@ -38,7 +38,7 @@ int main(int argc, char *argv[])
   {
     char *tmp;
 
-    if((tmp = getenv("RM_TESTS")) != NULL) {
+    if((tmp = PR_GetEnvSecure("RM_TESTS")) != NULL) {
       if((g_tests = atoi(tmp)) <= 0)
 	g_tests = RM_TESTS;
     }

diff --git a/lib/freebl/mpi/utils/metime.c b/lib/freebl/mpi/utils/metime.c
@@ -27,8 +27,8 @@ int main(int argc, char *argv[])
 
   mp_int     a, m, c;
 
-  if(getenv("SEED") != NULL)
-    seed = abs(atoi(getenv("SEED")));
+  if(PR_GetEnvSecure("SEED") != NULL)
+    seed = abs(atoi(PR_GetEnvSecure("SEED")));
   else 
     seed = (unsigned int)time(NULL);
 

diff --git a/lib/freebl/mpi/utils/primegen.c b/lib/freebl/mpi/utils/primegen.c
@@ -46,7 +46,7 @@ int main(int argc, char *argv[])
 
   /* We'll just use the C library's rand() for now, although this
      won't be good enough for cryptographic purposes */
-  if((out = getenv("SEED")) == NULL) {
+  if((out = PR_GetEnvSecure("SEED")) == NULL) {
     srand((unsigned int)time(NULL));
   } else {
     srand((unsigned int)atoi(out));

diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c
@@ -7,6 +7,7 @@
 #endif
 
 #include "prinit.h"
+#include "prenv.h"
 #include "prerr.h"
 #include "secerr.h"
 
@@ -1041,7 +1042,7 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
 #ifdef USE_HW_AES
     if (has_intel_aes == 0) {
 	unsigned long eax, ebx, ecx, edx;
-	char *disable_hw_aes = getenv("NSS_DISABLE_HW_AES");
+	char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
 
 	if (disable_hw_aes == NULL) {
 	    freebl_cpuid(1, &eax, &ebx, &ecx, &edx);

diff --git a/lib/freebl/stubs.c b/lib/freebl/stubs.c
@@ -138,6 +138,7 @@ STUB_DECLARE(PRStatus,PR_Sleep,(PRIntervalTime ticks));
 STUB_DECLARE(PRStatus,PR_Unlock,(PRLock *lock));
 STUB_DECLARE(PRStatus,PR_WaitCondVar,(PRCondVar *cvar,
 			PRIntervalTime timeout));
+STUB_DECLARE(char*,PR_GetEnvSecure,(const char *));
 
 
 STUB_DECLARE(SECItem *,SECITEM_AllocItem_Util,(PLArenaPool *arena,
@@ -465,6 +466,13 @@ PR_WaitCondVar_stub(PRCondVar *cvar, PRIntervalTime timeout)
     return PR_FAILURE;
 }
 
+extern char*
+PR_GetEnvSecure_stub(const char *var)
+{
+    STUB_SAFE_CALL1(PR_GetEnvSecure, var);
+    abort();
+    return NULL;
+}
 
 
 extern void
@@ -570,6 +578,7 @@ freebl_InitNSPR(void *lib)
     STUB_FETCH_FUNCTION(PR_Unlock);
     STUB_FETCH_FUNCTION(PR_Lock);
     STUB_FETCH_FUNCTION(PR_DestroyLock);
+    STUB_FETCH_FUNCTION(PR_GetEnvSecure);
     return SECSuccess;
 }
 

diff --git a/lib/freebl/stubs.h b/lib/freebl/stubs.h
@@ -58,6 +58,7 @@
 #define PR_Sleep  PR_Sleep_stub
 #define PR_Unlock  PR_Unlock_stub
 #define PR_WaitCondVar PR_WaitCondVar_stub
+#define PR_GetEnvSecure PR_GetEnvSecure_stub
 
 extern int  FREEBL_InitStubs(void);
 

diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
@@ -17,6 +17,7 @@
 #include "prerror.h"
 #include "prthread.h"
 #include "prprf.h"
+#include "prenv.h"
 
 size_t RNG_FileUpdate(const char *fileName, size_t limit);
 
@@ -888,9 +889,9 @@ void RNG_SystemInfoForRNG(void)
     bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT);
 
     /* If the user points us to a random file, pass it through the rng */
-    randfile = getenv("NSRANDFILE");
+    randfile = PR_GetEnvSecure("NSRANDFILE");
     if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
-	char *randCountString = getenv("NSRANDCOUNT");
+	char *randCountString = PR_GetEnvSecure("NSRANDCOUNT");
 	int randCount = randCountString ? atoi(randCountString) : 0;
 	if (randCount != 0) {
 	    RNG_FileUpdate(randfile, randCount);
@@ -1075,7 +1076,7 @@ int ReadOneFile(int fileToRead)
     int i, error = -1;
 
     if (fd == NULL) {
-	dir = getenv("HOME");
+	dir = PR_GetEnvSecure("HOME");
 	if (dir) {
 	    fd = opendir(dir);
 	}

diff --git a/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
@@ -765,7 +765,7 @@ pkix_pl_Socket_RegisterSelf(void *plContext)
 #ifdef PKIX_SOCKETTRACE
         {
                 char *val = NULL;
-                val = PR_GetEnv("SOCKETTRACE");
+                val = PR_GetEnvSecure("SOCKETTRACE");
                 /* Is SOCKETTRACE set in the environment? */
                 if ((val != NULL) && (*val != '\0')) {
                         socketTraceFlag =

diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
@@ -135,7 +135,7 @@ PKIX_PL_Initialize(
             return PKIX_ALLOC_ERROR();
         }
 
-        if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+        if (PR_GetEnvSecure("NSS_STRICT_SHUTDOWN")) {
             pkixLog = PR_NewLogModule("pkix");
         }
         /*
@@ -262,7 +262,7 @@ PKIX_PL_Shutdown(void *plContext)
 
 #ifdef DEBUG
         numLeakedObjects = pkix_pl_lifecycle_ObjectLeakCheck(NULL);
-        if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+        if (PR_GetEnvSecure("NSS_STRICT_SHUTDOWN")) {
            PORT_Assert(numLeakedObjects == 0);
         }
 #else