-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathExecRelative.qhelp
More file actions
37 lines (26 loc) · 955 Bytes
/
ExecRelative.qhelp
File metadata and controls
37 lines (26 loc) · 955 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>When a command is executed with a relative path, the runtime uses
the PATH environment variable to find which executable to run. Therefore, any
user who can change the PATH environment variable can cause the
software to run a different, malicious executable.</p>
</overview>
<recommendation>
<p>In most cases, simply use a command that has an absolute path instead of a relative path.</p>
<p>In some cases, the location of the executable might be different on
different installations. In such cases, consider specifying the
location of key executables with some form of configuration. When using
this approach, be careful that the configuration system is not itself
vulnerable to malicious modifications.</p>
</recommendation>
<example>
<sample src="ExecRelative.java" />
</example>
<references>
<!-- LocalWords: CWE executables
-->
</references>
</qhelp>