Don't allow form data to try setting environment variables, and duplicate environment variable values as needed (Issue #1547)

michaelrsweet · michaelrsweet · commit 4651f36e9fa0 · 2026-04-13T14:25:22.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -168,6 +168,8 @@ v2.5b1 - YYYY-MM-DD
 - Fixed an allocation bug in the `rastertoepson` filter (Issue #1537)
 - Fixed a range check when loading cached SNMP supply information (Issue #1538)
 - Fixed A4 support in the `ippevepcl` program (Issue #1544)
+- Fixed issues with the environment variable support of CGI programs
+  (Issue #1547)
 - Removed hash support for SHA2-512-224 and SHA2-512-256.
 - Removed `mantohtml` script for generating html pages (use
   `https://www.msweet.org/mantohtml/`)
diff --git a/cgi-bin/var.c b/cgi-bin/var.c
@@ -162,7 +162,11 @@ cgiGetArray(const char *name,		/* I - Name of array variable */
 
 
   if (!_cups_strncasecmp(name, "ENV:", 4))
-    return (getenv(name + 4));
+  {
+    const char *val = getenv(name + 4);
+
+    return (val ? strdup(val) : NULL);
+  }
 
   if ((var = cgi_find_variable(name)) == NULL)
     return (NULL);
@@ -1170,10 +1174,12 @@ cgi_initialize_string(const char *data)	/* I - Form data string */
     */
 
     for (s = name; *data != '\0'; data ++)
+    {
       if (*data == '=')
         break;
       else if (*data >= ' ' && s < (name + sizeof(name) - 1))
         *s++ = *data;
+    }
 
     *s = '\0';
     if (*data == '=')
@@ -1186,6 +1192,7 @@ cgi_initialize_string(const char *data)	/* I - Form data string */
     */
 
     for (s = value, done = 0; !done && *data != '\0'; data ++)
+    {
       switch (*data)
       {
 	case '&' :	/* End of data... */
@@ -1228,6 +1235,7 @@ cgi_initialize_string(const char *data)	/* I - Form data string */
               *s++ = *data;
             break;
       }
+    }
 
     *s = '\0';		/* nul terminate the string */
 
@@ -1247,6 +1255,9 @@ cgi_initialize_string(const char *data)	/* I - Form data string */
 
     fprintf(stderr, "DEBUG2: cgi_initialize_string: name=\"%s\", value=\"%s\"\n", name, value);
 
+    if (!_cups_strncasecmp(name, "ENV:", 4))
+      continue;				// Don't allow environment vars to be set
+
     if ((s = strrchr(name, '-')) != NULL && isdigit(s[1] & 255))
     {
       *s++ = '\0';
