Bug 1194680, Use PR_GetEnvSecure, r=jld NSS_3_22_BRANCH
authorKai Engert <kaie@kuix.de>
Fri, 29 Jan 2016 11:59:33 +0100
branchNSS_3_22_BRANCH
changeset 11892 8cb86341855e2de3e4ef096e9d372649abac25f6
parent 11891 2a88c0b4bce48ea03e267b09bec95c17fb07e745
child 11893 d5105ce96d764eefd40fb451e1cca58df573d31d
push id990
push userkaie@kuix.de
push dateFri, 12 Feb 2016 14:57:15 +0000
reviewersjld
bugs1194680
Bug 1194680, Use PR_GetEnvSecure, r=jld
cmd/httpserv/httpserv.c
cmd/lib/secutil.c
cmd/lib/secutil.h
cmd/libpkix/pkix/top/test_validatechain_NB.c
cmd/modutil/installparse.c
cmd/pk11mode/pk11mode.c
cmd/pk11util/pk11util.c
cmd/selfserv/selfserv.c
cmd/shlibsign/shlibsign.c
cmd/signtool/javascript.c
cmd/signtool/util.c
cmd/smimetools/cmsutil.c
cmd/strsclnt/strsclnt.c
cmd/tstclnt/tstclnt.c
external_tests/google_test/gtest/test/gtest_unittest.cc
external_tests/ssl_gtest/ssl_gtest.cc
lib/certdb/certdb.c
lib/certhigh/certvfypkix.c
lib/certhigh/ocsp.c
lib/freebl/loader.c
lib/freebl/mpi/utils/isprime.c
lib/freebl/mpi/utils/metime.c
lib/freebl/mpi/utils/primegen.c
lib/freebl/rijndael.c
lib/freebl/stubs.c
lib/freebl/stubs.h
lib/freebl/unix_rand.c
lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
lib/nss/nssinit.c
lib/pk11wrap/debug_module.c
lib/pk11wrap/pk11akey.c
lib/pk11wrap/pk11load.c
lib/pk11wrap/pk11pars.c
lib/pk11wrap/pk11util.c
lib/softoken/fipstokn.c
lib/softoken/legacydb/lgattr.c
lib/softoken/legacydb/lginit.c
lib/softoken/lgglue.c
lib/softoken/pkcs11c.c
lib/softoken/sdb.c
lib/softoken/softoken.h
lib/ssl/ssl3con.c
lib/ssl/sslsnce.c
lib/ssl/sslsock.c
lib/sysinit/nsssysinit.c
lib/util/secoid.c
lib/util/secport.c
lib/util/utilpars.c
--- a/cmd/httpserv/httpserv.c
+++ b/cmd/httpserv/httpserv.c
@@ -1263,21 +1263,21 @@ main(int argc, char **argv)
 	FILE *tmpfile=fopen(pidFile,"w+");
 
 	if (tmpfile) {
 	    fprintf(tmpfile,"%d",getpid());
 	    fclose(tmpfile);
 	}
     }
 
-    tmp = getenv("TMP");
+    tmp = PR_GetEnvSecure("TMP");
     if (!tmp)
-	tmp = getenv("TMPDIR");
+	tmp = PR_GetEnvSecure("TMPDIR");
     if (!tmp)
-	tmp = getenv("TEMP");
+	tmp = PR_GetEnvSecure("TEMP");
     /* we're an ordinary single process server. */
     listen_sock = getBoundListenSocket(port);
     prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
     if (prStatus != PR_SUCCESS)
         errExit("PR_SetFDInheritable");
 
     lm = PR_NewLogModule("TestCase");
 
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -411,17 +411,17 @@ struct matchobj {
 };
 
 char *
 SECU_DefaultSSLDir(void)
 {
     char *dir;
     static char sslDir[1000];
 
-    dir = PR_GetEnv("SSL_DIR");
+    dir = PR_GetEnvSecure("SSL_DIR");
     if (!dir)
 	return NULL;
 
     if (strlen(dir) >= PR_ARRAY_SIZE(sslDir)) {
 	return NULL;
     }
     sprintf(sslDir, "%s", dir);
 
@@ -450,17 +450,17 @@ SECU_ConfigDirectory(const char* base)
     const char *dir = ".netscape";
     char *home;
     static char buf[1000];
 
     if (initted) return buf;
     
 
     if (base == NULL || *base == 0) {
-	home = PR_GetEnv("HOME");
+	home = PR_GetEnvSecure("HOME");
 	if (!home) home = "";
 
 	if (*home && home[strlen(home) - 1] == '/')
 	    sprintf (buf, "%.900s%s", home, dir);
 	else
 	    sprintf (buf, "%.900s/%s", home, dir);
     } else {
 	sprintf(buf, "%.900s", base);
--- a/cmd/lib/secutil.h
+++ b/cmd/lib/secutil.h
@@ -111,17 +111,17 @@ extern SECStatus SEC_WriteDongleFile(int
 extern char *SEC_ReadDongleFile(int fd);
 
 
 /* End stolen headers */
 
 /* Just sticks the two strings together with a / if needed */
 char *SECU_AppendFilenameToDir(char *dir, char *filename);
 
-/* Returns result of getenv("SSL_DIR") or NULL */
+/* Returns result of PR_GetEnvSecure("SSL_DIR") or NULL */
 extern char *SECU_DefaultSSLDir(void);
 
 /*
 ** Should be called once during initialization to set the default 
 **    directory for looking for cert.db, key.db, and cert-nameidx.db files
 ** Removes trailing '/' in 'base' 
 ** If 'base' is NULL, defaults to set to .netscape in home directory.
 */
--- a/cmd/libpkix/pkix/top/test_validatechain_NB.c
+++ b/cmd/libpkix/pkix/top/test_validatechain_NB.c
@@ -244,17 +244,17 @@ int test_validatechain_NB(int argc, char
                 NULL,
                 PKIX_FALSE,
                 PKIX_FALSE,
                 PKIX_FALSE,
                 PKIX_FALSE,
                 chainCerts,
                 plContext);
 
-        ldapName = PR_GetEnv("LDAP");
+        ldapName = PR_GetEnvSecure("LDAP");
         /* Is LDAP set in the environment? */
         if ((ldapName == NULL) || (*ldapName == '\0')) {
                 testError("LDAP not set in environment");
                 goto cleanup;
         }
 
         pkixTestErrorResult = pkix_pl_Socket_CreateByName
                 (PKIX_FALSE,       /* isServer */
@@ -271,17 +271,17 @@ int test_validatechain_NB(int argc, char
                 testError("Unable to connect to LDAP Server");
                 goto cleanup;
         }
 
         PKIX_TEST_DECREF_BC(socket);
 
         testSetupCertStore(valParams, ldapName);
 
-        logging = PR_GetEnv("LOGGING");
+        logging = PR_GetEnvSecure("LOGGING");
         /* Is LOGGING set in the environment? */
         if ((logging != NULL) && (*logging != '\0')) {
 
                 PKIX_TEST_EXPECT_NO_ERROR
                         (PKIX_List_Create(&loggers, plContext));
 
 		testLogErrors
 			(PKIX_VALIDATE_ERROR, 2, loggers, plContext);
--- a/cmd/modutil/installparse.c
+++ b/cmd/modutil/installparse.c
@@ -196,19 +196,19 @@ Pk11Install_yyerror(char *message)
 #define YYACCEPT goto yyaccept
 #define YYERROR goto yyerrlab
 int
 yyparse()
 {
     register int yym, yyn, yystate;
 #if YYDEBUG
     register char *yys;
-    extern char *getenv();
+    extern char *PR_GetEnvSecure();
 
-    if ((yys = getenv("YYDEBUG")) != NULL)
+    if ((yys = PR_GetEnvSecure("YYDEBUG")) != NULL)
     {
         yyn = *yys;
         if (yyn >= '0' && yyn <= '9')
             yydebug = yyn - '0';
     }
 #endif
 
     yynerrs = 0;
--- a/cmd/pk11mode/pk11mode.c
+++ b/cmd/pk11mode/pk11mode.c
@@ -749,17 +749,17 @@ cleanup:
     }
     if (moduleSpec) {
         PR_smprintf_free(moduleSpec);
     }
 
 #ifdef _WIN32
     FreeLibrary(hModule);
 #else
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
     }
 #endif
     if (CKR_OK == crv && doForkTests && !disableUnload) {
         /* try to fork with softoken both de-initialized and unloaded */
         crv = PKM_ForkCheck(123, NULL, PR_TRUE, NULL);
     }
--- a/cmd/pk11util/pk11util.c
+++ b/cmd/pk11util/pk11util.c
@@ -1399,17 +1399,17 @@ putOutput(Value **ptr)
     }
 }
 	   
 CK_RV
 unloadModule(Module *module)
 {
     char *disableUnload = NULL;
 
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
 
     if (module->library && !disableUnload) {
 	PR_UnloadLibrary(module->library);
     }
 
     module->library = NULL;
     module->functionList = NULL;
 
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -2454,22 +2454,22 @@ main(int argc, char **argv)
     if (testBulk) {
         testBulkBuf = PORT_Malloc(testBulkSize);
         if (testBulkBuf == NULL)
             errExit("Out of memory: testBulkBuf");
         for (i = 0; i < testBulkSize; i++)
             testBulkBuf[i] = i;
     }
 
-    envString = getenv(envVarName);
-    tmp = getenv("TMP");
+    envString = PR_GetEnvSecure(envVarName);
+    tmp = PR_GetEnvSecure("TMP");
     if (!tmp)
-	tmp = getenv("TMPDIR");
+	tmp = PR_GetEnvSecure("TMPDIR");
     if (!tmp)
-	tmp = getenv("TEMP");
+	tmp = PR_GetEnvSecure("TEMP");
     if (envString) {
 	/* we're one of the children in a multi-process server. */
 	listen_sock = PR_GetInheritedFD(inheritableSockName);
 	if (!listen_sock)
 	    errExit("PR_GetInheritedFD");
 #ifndef WINNT
 	/* we can't do this on NT because it breaks NSPR and
 	PR_Accept will fail on the socket in the child process if
--- a/cmd/shlibsign/shlibsign.c
+++ b/cmd/shlibsign/shlibsign.c
@@ -1283,17 +1283,17 @@ cleanup:
         PL_strfree(output_file); 
     }
 #ifdef USES_LINKS
     if (link_file) { /* allocated by mkoutput function */
         PL_strfree(link_file); 
     }
 #endif
 
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
     }
     PR_Cleanup();
 
     if (crv != CKR_OK)
 	return crv;
     
--- a/cmd/signtool/javascript.c
+++ b/cmd/signtool/javascript.c
@@ -59,17 +59,17 @@ static int	num_handlers = 23;
 int
 InlineJavaScript(char *dir, PRBool recurse)
 {
     jartree = dir;
     if (verbosity >= 0) {
 	PR_fprintf(outputFD, "\nGenerating inline signatures from HTML files in: %s\n",
 	     dir);
     }
-    if (PR_GetEnv("SIGNTOOL_DUMP_PARSE")) {
+    if (PR_GetEnvSecure("SIGNTOOL_DUMP_PARSE")) {
 	dumpParse = PR_TRUE;
     }
 
     return foreach(dir, "", javascript_fn, recurse, PR_FALSE /*include dirs*/,
          		(void * )NULL);
 
 }
 
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -1,15 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "signtool.h"
 #include "prio.h"
 #include "prmem.h"
+#include "prenv.h"
 #include "nss.h"
 
 static int	is_dir (char *filename);
 
 /***********************************************************
  * Nasty hackish function definitions
  */
 
@@ -976,30 +977,30 @@ InitCrypto(char *cert_dir, PRBool readOn
 char	*get_default_cert_dir (void)
 {
     char	*home;
 
     char	*cd = NULL;
     static char	db [FNSIZE];
 
 #ifdef XP_UNIX
-    home = getenv ("HOME");
+    home = PR_GetEnvSecure ("HOME");
 
     if (home && *home) {
 	sprintf (db, "%s/.netscape", home);
 	cd = db;
     }
 #endif
 
 #ifdef XP_PC
     FILE * fp;
 
     /* first check the environment override */
 
-    home = getenv ("JAR_HOME");
+    home = PR_GetEnvSecure ("JAR_HOME");
 
     if (home && *home) {
 	sprintf (db, "%s/cert7.db", home);
 
 	if ((fp = fopen (db, "r")) != NULL) {
 	    fclose (fp);
 	    cd = home;
 	}
--- a/cmd/smimetools/cmsutil.c
+++ b/cmd/smimetools/cmsutil.c
@@ -1064,19 +1064,19 @@ main(int argc, char **argv)
     char *envFileName;
     SECItem input = { 0, 0, 0};
     SECItem envmsg = { 0, 0, 0 };
     SECStatus rv;
     PRFileDesc *contentFile = NULL;
     PRBool      batch = PR_FALSE;
 
 #ifdef NISCC_TEST
-    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
+    const char *ev = PR_GetEnvSecure("NSS_DISABLE_ARENA_FREE_LIST");
     PORT_Assert(ev); 
-    ev = PR_GetEnv("NSS_STRICT_SHUTDOWN");
+    ev = PR_GetEnvSecure("NSS_STRICT_SHUTDOWN");
     PORT_Assert(ev); 
 #endif 
 
     progName = strrchr(argv[0], '/');
     if (!progName)
        progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
--- a/cmd/strsclnt/strsclnt.c
+++ b/cmd/strsclnt/strsclnt.c
@@ -1443,17 +1443,17 @@ main(int argc, char **argv)
     if (port == 0)
 	Usage(progName);
 
     if (fileName)
     	readBigFile(fileName);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
 
-    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
+    tmp = PR_GetEnvSecure("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
         int sec = PORT_Atoi(tmp);
 	if (sec > 0) {
 	    maxInterval = PR_SecondsToInterval(sec);
     	}
     }
 
     /* Call the NSS initialization routines */
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -963,17 +963,17 @@ int main(int argc, char **argv)
     serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
     serverCertAuth.allowCRLSideChannelData = PR_TRUE;
 
     progName = strrchr(argv[0], '/');
     if (!progName)
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
-    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
+    tmp = PR_GetEnvSecure("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
        int sec = PORT_Atoi(tmp);
        if (sec > 0) {
            maxInterval = PR_SecondsToInterval(sec);
        }
     }
 
     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
--- a/external_tests/google_test/gtest/test/gtest_unittest.cc
+++ b/external_tests/google_test/gtest/test/gtest_unittest.cc
@@ -416,19 +416,19 @@ class FormatEpochTimeInMillisAsIso8601Te
   // 32 bits, even when 64-bit integer types are available.  We have to
   // force the constants to have a 64-bit type here.
   static const TimeInMillis kMillisPerSec = 1000;
 
  private:
   virtual void SetUp() {
     saved_tz_ = NULL;
 
-    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* getenv, strdup: deprecated */)
-    if (getenv("TZ"))
-      saved_tz_ = strdup(getenv("TZ"));
+    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* PR_GetEnvSecure, strdup: deprecated */)
+    if (PR_GetEnvSecure("TZ"))
+      saved_tz_ = strdup(PR_GetEnvSecure("TZ"));
     GTEST_DISABLE_MSC_WARNINGS_POP_()
 
     // Set up the time zone for FormatEpochTimeInMillisAsIso8601 to use.  We
     // cannot use the local time zone because the function's output depends
     // on the time zone.
     SetTimeZone("UTC+00");
   }
 
--- a/external_tests/ssl_gtest/ssl_gtest.cc
+++ b/external_tests/ssl_gtest/ssl_gtest.cc
@@ -1,9 +1,10 @@
 #include "nspr.h"
+#include "prenv.h"
 #include "nss.h"
 #include "ssl.h"
 
 #include <cstdlib>
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
@@ -11,17 +12,17 @@
 
 std::string g_working_dir_path;
 
 int main(int argc, char **argv) {
   // Start the tests
   ::testing::InitGoogleTest(&argc, argv);
   g_working_dir_path = ".";
 
-  char* workdir = getenv("NSS_GTEST_WORKDIR");
+  char* workdir = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
   if (workdir)
     g_working_dir_path = workdir;
 
   for (int i = 0; i < argc; i++) {
     if (!strcmp(argv[i], "-d")) {
       g_working_dir_path = argv[i + 1];
       ++i;
     }
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -1339,17 +1339,17 @@ CERT_AddOKDomainName(CERTCertificate *ce
 ** This function may modify string cn, so caller must pass a modifiable copy.
 */
 static SECStatus
 cert_TestHostName(char *cn, const char *hn)
 {
     static int useShellExp = -1;
 
     if (useShellExp < 0) {
-        useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_IN_CERT_NAME"));
+        useShellExp = (NULL != PR_GetEnvSecure("NSS_USE_SHEXP_IN_CERT_NAME"));
     }
     if (useShellExp) {
         /* Backward compatible code, uses Shell Expressions (SHEXP). */
         int regvalid = PORT_RegExpValid(cn);
         if (regvalid != NON_SXP) {
             SECStatus rv;
             /* cn is a regular expression, try to match the shexp */
             int match = PORT_RegExpCaseSearch(hn, cn);
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -1132,17 +1132,17 @@ cert_VerifyCertChainPkix(
          * Setting the variable to false, to make additional chain
          * validations be handled by old nss. */
         usePKIXValidationEngine = PR_FALSE;
     }
     testStartFnStackPosition = 2;
     fnStackNameArr[0] = "cert_VerifyCertChainPkix";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
                                                                    PKIX_FALSE
                                                                    : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
     /* Prevent multi-threaded run of object leak test */
     fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
     PORT_Assert(fnInvLocalCount == 1);
 
@@ -2014,17 +2014,17 @@ CERT_PKIXVerifyCert(
          * Setting the variable to false, to make additional chain
          * validations be handled by old nss. */
         usePKIXValidationEngine = PR_FALSE;
     }
     testStartFnStackPosition = 1;
     fnStackNameArr[0] = "CERT_PKIXVerifyCert";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
                                                                    PKIX_FALSE
                                                                    : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
     /* Prevent multi-threaded run of object leak test */
     fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
     PORT_Assert(fnInvLocalCount == 1);
 
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -154,17 +154,17 @@ cert_DupOCSPCertID(const CERTOCSPCertID 
 static PRBool
 wantOcspTrace(void)
 {
     static PRBool firstTime = PR_TRUE;
     static PRBool wantTrace = PR_FALSE;
 
 #ifdef NSS_HAVE_GETENV
     if (firstTime) {
-        char *ev = getenv("NSS_TRACE_OCSP");
+        char *ev = PR_GetEnvSecure("NSS_TRACE_OCSP");
         if (ev && ev[0]) {
             wantTrace = PR_TRUE;
         }
         firstTime = PR_FALSE;
     }
 #endif
     return wantTrace;
 }
--- a/lib/freebl/loader.c
+++ b/lib/freebl/loader.c
@@ -899,17 +899,17 @@ BL_Unload(void)
    * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
    * from NSS_Shutdown. */
   char *disableUnload = NULL;
   vector = NULL;
   /* If an SSL socket is configured with SSL_BYPASS_PKCS11, but the application
    * never does a handshake on it, BL_Unload will be called even though freebl
    * was never loaded. So, don't assert blLib. */
   if (blLib) {
-      disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+      disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
       if (!disableUnload) {
 #ifdef DEBUG
           PRStatus status = PR_UnloadLibrary(blLib);
           PORT_Assert(PR_SUCCESS == status);
 #else
           PR_UnloadLibrary(blLib);
 #endif
       }
--- a/lib/freebl/mpi/utils/isprime.c
+++ b/lib/freebl/mpi/utils/isprime.c
@@ -33,17 +33,17 @@ int main(int argc, char *argv[])
 	    "Use '0x' prefix for a hexadecimal value\n", g_prog);
     return 1;
   }
 
   /* Read number of tests from environment, if present */
   {
     char *tmp;
 
-    if((tmp = getenv("RM_TESTS")) != NULL) {
+    if((tmp = PR_GetEnvSecure("RM_TESTS")) != NULL) {
       if((g_tests = atoi(tmp)) <= 0)
 	g_tests = RM_TESTS;
     }
   }
 
   mp_init(&a);
   if(argv[1][0] == '0' && argv[1][1] == 'x')
     mp_read_radix(&a, argv[1] + 2, 16);
--- a/lib/freebl/mpi/utils/metime.c
+++ b/lib/freebl/mpi/utils/metime.c
@@ -22,18 +22,18 @@ int main(int argc, char *argv[])
 {
   int          ix, num, prec = 8;
   unsigned int seed;
   clock_t      start, stop;
   double       sec;
 
   mp_int     a, m, c;
 
-  if(getenv("SEED") != NULL)
-    seed = abs(atoi(getenv("SEED")));
+  if(PR_GetEnvSecure("SEED") != NULL)
+    seed = abs(atoi(PR_GetEnvSecure("SEED")));
   else 
     seed = (unsigned int)time(NULL);
 
   if(argc < 2) {
     fprintf(stderr, "Usage: %s <num-tests> [<nbits>]\n", argv[0]);
     return 1;
   }
 
--- a/lib/freebl/mpi/utils/primegen.c
+++ b/lib/freebl/mpi/utils/primegen.c
@@ -41,17 +41,17 @@ int main(int argc, char *argv[])
   int		rawlen, bits, outlen, ngen, ix, jx;
   int           g_strong = 0;
   mp_int	testval;
   mp_err	res;
   clock_t	start, end;
 
   /* We'll just use the C library's rand() for now, although this
      won't be good enough for cryptographic purposes */
-  if((out = getenv("SEED")) == NULL) {
+  if((out = PR_GetEnvSecure("SEED")) == NULL) {
     srand((unsigned int)time(NULL));
   } else {
     srand((unsigned int)atoi(out));
   }
 
   if(argc < 2) {
     fprintf(stderr, "Usage: %s <bits> [<count> [strong]]\n", argv[0]);
     return 1;
--- a/lib/freebl/rijndael.c
+++ b/lib/freebl/rijndael.c
@@ -2,16 +2,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "prinit.h"
+#include "prenv.h"
 #include "prerr.h"
 #include "secerr.h"
 
 #include "prtypes.h"
 #include "blapi.h"
 #include "rijndael.h"
 
 #include "cts.h"
@@ -1036,17 +1037,17 @@ aes_InitContext(AESContext *cx, const un
     }
     if (!cx) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
     	return SECFailure;
     }
 #ifdef USE_HW_AES
     if (has_intel_aes == 0) {
 	unsigned long eax, ebx, ecx, edx;
-	char *disable_hw_aes = getenv("NSS_DISABLE_HW_AES");
+	char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
 
 	if (disable_hw_aes == NULL) {
 	    freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
 	    has_intel_aes = (ecx & (1 << 25)) != 0 ? 1 : -1;
 #ifdef INTEL_GCM
 	    has_intel_clmul = (ecx & (1 << 1)) != 0 ? 1 : -1;
 	    if ((ecx & (1 << 27)) != 0 && (ecx & (1 << 28)) != 0 &&
 		check_xcr0_ymm()) {
--- a/lib/freebl/stubs.c
+++ b/lib/freebl/stubs.c
@@ -133,16 +133,17 @@ STUB_DECLARE(PRFileDesc *,PR_Open,(const
 			 PRIntn mode));
 STUB_DECLARE(PRInt32,PR_Read,(PRFileDesc *fd, void *buf, PRInt32 amount));
 STUB_DECLARE(PROffset32,PR_Seek,(PRFileDesc *fd, PROffset32 offset, 
 			PRSeekWhence whence));
 STUB_DECLARE(PRStatus,PR_Sleep,(PRIntervalTime ticks));
 STUB_DECLARE(PRStatus,PR_Unlock,(PRLock *lock));
 STUB_DECLARE(PRStatus,PR_WaitCondVar,(PRCondVar *cvar,
 			PRIntervalTime timeout));
+STUB_DECLARE(char*,PR_GetEnvSecure,(const char *));
 
 
 STUB_DECLARE(SECItem *,SECITEM_AllocItem_Util,(PLArenaPool *arena,
 			SECItem *item,unsigned int len));
 STUB_DECLARE(SECComparison,SECITEM_CompareItem_Util,(const SECItem *a,
 			const SECItem *b));
 STUB_DECLARE(SECStatus,SECITEM_CopyItem_Util,(PLArenaPool *arena,
 			SECItem *to,const SECItem *from));
@@ -460,16 +461,23 @@ PR_NotifyAllCondVar_stub(PRCondVar *cvar
 extern PRStatus
 PR_WaitCondVar_stub(PRCondVar *cvar, PRIntervalTime timeout)
 {
     STUB_SAFE_CALL2(PR_WaitCondVar, cvar, timeout);
     abort();
     return PR_FAILURE;
 }
 
+extern char*
+PR_GetEnvSecure_stub(const char *var)
+{
+    STUB_SAFE_CALL1(PR_GetEnvSecure, var);
+    abort();
+    return NULL;
+}
 
 
 extern void
 PR_DestroyCondVar_stub(PRCondVar *cvar)
 {
     STUB_SAFE_CALL1(PR_DestroyCondVar, cvar);
     abort();
     return;
@@ -565,16 +573,17 @@ freebl_InitNSPR(void *lib)
     STUB_FETCH_FUNCTION(PR_NotifyCondVar);
     STUB_FETCH_FUNCTION(PR_NotifyAllCondVar);
     STUB_FETCH_FUNCTION(PR_WaitCondVar);
     STUB_FETCH_FUNCTION(PR_DestroyCondVar);
     STUB_FETCH_FUNCTION(PR_NewLock);
     STUB_FETCH_FUNCTION(PR_Unlock);
     STUB_FETCH_FUNCTION(PR_Lock);
     STUB_FETCH_FUNCTION(PR_DestroyLock);
+    STUB_FETCH_FUNCTION(PR_GetEnvSecure);
     return SECSuccess;
 }
 
 static SECStatus
 freebl_InitNSSUtil(void *lib)
 {
     STUB_FETCH_FUNCTION(PORT_Alloc_Util);
     STUB_FETCH_FUNCTION(PORT_Free_Util);
--- a/lib/freebl/stubs.h
+++ b/lib/freebl/stubs.h
@@ -53,12 +53,13 @@
 #define PR_NotifyCondVar PR_NotifyCondVar_stub
 #define PR_NotifyAllCondVar PR_NotifyAllCondVar_stub
 #define PR_Open  PR_Open_stub
 #define PR_Read  PR_Read_stub
 #define PR_Seek  PR_Seek_stub
 #define PR_Sleep  PR_Sleep_stub
 #define PR_Unlock  PR_Unlock_stub
 #define PR_WaitCondVar PR_WaitCondVar_stub
+#define PR_GetEnvSecure PR_GetEnvSecure_stub
 
 extern int  FREEBL_InitStubs(void);
 
 #endif
--- a/lib/freebl/unix_rand.c
+++ b/lib/freebl/unix_rand.c
@@ -12,16 +12,17 @@
 #include <sys/time.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include "secrng.h"
 #include "secerr.h"
 #include "prerror.h"
 #include "prthread.h"
 #include "prprf.h"
+#include "prenv.h"
 
 size_t RNG_FileUpdate(const char *fileName, size_t limit);
 
 /*
  * When copying data to the buffer we want the least signicant bytes
  * from the input since those bits are changing the fastest. The address
  * of least significant byte depends upon whether we are running on
  * a big-endian or little-endian machine.
@@ -883,19 +884,19 @@ void RNG_SystemInfoForRNG(void)
 	RNG_RandomUpdate(buf, strlen(buf));
     }
     GiveSystemInfo();
 
     /* grab some data from system's PRNG before any other files. */
     bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT);
 
     /* If the user points us to a random file, pass it through the rng */
-    randfile = getenv("NSRANDFILE");
+    randfile = PR_GetEnvSecure("NSRANDFILE");
     if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
-	char *randCountString = getenv("NSRANDCOUNT");
+	char *randCountString = PR_GetEnvSecure("NSRANDCOUNT");
 	int randCount = randCountString ? atoi(randCountString) : 0;
 	if (randCount != 0) {
 	    RNG_FileUpdate(randfile, randCount);
 	} else {
 	    RNG_FileForRNG(randfile);
 	}
     }
 
@@ -1070,17 +1071,17 @@ int ReadOneFile(int fileToRead)
 #else
     struct dirent entry, firstEntry;
 #define entry_dir entry
 #endif
 
     int i, error = -1;
 
     if (fd == NULL) {
-	dir = getenv("HOME");
+	dir = PR_GetEnvSecure("HOME");
 	if (dir) {
 	    fd = opendir(dir);
 	}
     }
     if (fd == NULL) {
 	return 1;
     }
 
--- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
@@ -760,17 +760,17 @@ pkix_pl_Socket_RegisterSelf(void *plCont
         entry.comparator = NULL;
         entry.duplicateFunction = NULL;
 
         systemClasses[PKIX_SOCKET_TYPE] = entry;
 
 #ifdef PKIX_SOCKETTRACE
         {
                 char *val = NULL;
-                val = PR_GetEnv("SOCKETTRACE");
+                val = PR_GetEnvSecure("SOCKETTRACE");
                 /* Is SOCKETTRACE set in the environment? */
                 if ((val != NULL) && (*val != '\0')) {
                         socketTraceFlag =
                                 ((*val == '1')?PKIX_TRUE:PKIX_FALSE);
                 }
         }
 #endif
 
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
@@ -130,17 +130,17 @@ PKIX_PL_Initialize(
             PKIX_RETURN(OBJECT);
         }
 
         classTableLock = PR_NewLock();
         if (classTableLock == NULL) {
             return PKIX_ALLOC_ERROR();
         }
 
-        if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+        if (PR_GetEnvSecure("NSS_STRICT_SHUTDOWN")) {
             pkixLog = PR_NewLogModule("pkix");
         }
         /*
          * Register Object, it is the base object of all other objects.
          */
         pkix_pl_Object_RegisterSelf(plContext);
 
         /*
@@ -257,17 +257,17 @@ PKIX_PL_Shutdown(void *plContext)
         }
 
         PR_DestroyLock(classTableLock);
 
         pkix_pl_HttpCertStore_Shutdown(plContext);
 
 #ifdef DEBUG
         numLeakedObjects = pkix_pl_lifecycle_ObjectLeakCheck(NULL);
-        if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+        if (PR_GetEnvSecure("NSS_STRICT_SHUTDOWN")) {
            PORT_Assert(numLeakedObjects == 0);
         }
 #else
         pkix_pl_lifecycle_ObjectLeakCheck(NULL);
 #endif
 
         if (plContext != NULL) {
                 PKIX_PL_NssContext_Destroy(plContext);
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -686,17 +686,17 @@ nss_Init(const char *configdir, const ch
 
 	pkixError = PKIX_Initialize
 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
 
 	if (pkixError != NULL) {
 	    goto loser;
 	} else {
-            char *ev = getenv("NSS_ENABLE_PKIX_VERIFY");
+            char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
             if (ev && ev[0]) {
                 CERT_SetUsePKIXForValidation(PR_TRUE);
             }
         }
 
 
     }
 
--- a/lib/pk11wrap/debug_module.c
+++ b/lib/pk11wrap/debug_module.c
@@ -2680,17 +2680,17 @@ static void print_final_statistics(void)
     int total_calls = 0;
     PRIntervalTime total_time = 0;
     PRUint32 pr_total_time;
     char *type;
     char *fname;
     FILE *outfile = NULL;
     int i;
 
-    fname = PR_GetEnv("NSS_OUTPUT_FILE");
+    fname = PR_GetEnvSecure("NSS_OUTPUT_FILE");
     if (fname) {
 	/* need to add an optional process id to the filename */
 	outfile = fopen(fname,"w+");
     }
     if (!outfile) {
 	outfile = stdout;
     }
 	
--- a/lib/pk11wrap/pk11akey.c
+++ b/lib/pk11wrap/pk11akey.c
@@ -163,17 +163,17 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
         case ecKey:
 	    keyType = CKK_EC;
 	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
 	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
  	    signedattr = attrs;
 	    PK11_SETATTRS(attrs, CKA_EC_PARAMS, 
 		          pubKey->u.ec.DEREncodedParams.data,
 		          pubKey->u.ec.DEREncodedParams.len); attrs++;
-	    if (PR_GetEnv("NSS_USE_DECODED_CKA_EC_POINT")) {
+	    if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) {
 	    	PK11_SETATTRS(attrs, CKA_EC_POINT, 
 			  pubKey->u.ec.publicValue.data,
 			  pubKey->u.ec.publicValue.len); attrs++;
 	    } else {
 		pubValue = SEC_ASN1EncodeItem(NULL, NULL,
 			&pubKey->u.ec.publicValue,
 			SEC_ASN1_GET(SEC_OctetStringTemplate));
 		if (pubValue == NULL) {
--- a/lib/pk11wrap/pk11load.c
+++ b/lib/pk11wrap/pk11load.c
@@ -461,17 +461,17 @@ secmod_LoadPKCS11Module(SECMODModule *mo
     /*
      * We need to get the function list
      */
     if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK) 
 								goto fail;
 
 #ifdef DEBUG_MODULE
     if (PR_TRUE) {
-	modToDBG = PR_GetEnv("NSS_DEBUG_PKCS11_MODULE");
+	modToDBG = PR_GetEnvSecure("NSS_DEBUG_PKCS11_MODULE");
 	if (modToDBG && strcmp(mod->commonName, modToDBG) == 0) {
 	    mod->functionList = (void *)nss_InsertDeviceLog(
 	                           (CK_FUNCTION_LIST_PTR)mod->functionList);
 	}
     }
 #endif
 
     mod->isThreadSafe = PR_TRUE;
@@ -553,17 +553,17 @@ secmod_LoadPKCS11Module(SECMODModule *mo
     mod->moduleID = nextModuleID++;
     return SECSuccess;
 fail2:
     if (enforceAlreadyInitializedError || (!alreadyLoaded)) {
         PK11_GETTAB(mod)->C_Finalize(NULL);
     }
 fail:
     mod->functionList = NULL;
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (library && !disableUnload) {
         PR_UnloadLibrary(library);
     }
     return SECFailure;
 }
 
 SECStatus
 SECMOD_UnloadModule(SECMODModule *mod) {
@@ -582,17 +582,17 @@ SECMOD_UnloadModule(SECMODModule *mod) {
     mod->loaded = PR_FALSE;
     
     /* do we want the semantics to allow unloading the internal library?
      * if not, we should change this to SECFailure and move it above the
      * mod->loaded = PR_FALSE; */
     if (mod->internal && (mod->dllName == NULL)) {
         if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
           if (softokenLib) {
-              disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+              disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
               if (!disableUnload) {
 #ifdef DEBUG
                   PRStatus status = PR_UnloadLibrary(softokenLib);
                   PORT_Assert(PR_SUCCESS == status);
 #else
                   PR_UnloadLibrary(softokenLib);
 #endif
               }
@@ -604,17 +604,17 @@ SECMOD_UnloadModule(SECMODModule *mod) {
     }
 
     library = (PRLibrary *)mod->library;
     /* paranoia */
     if (library == NULL) {
 	return SECFailure;
     }
 
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(library);
     }
     return SECSuccess;
 }
 
 void
 nss_DumpModuleLog(void)
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -1081,17 +1081,17 @@ secmod_configIsDBM(char *configDir)
 	return PR_TRUE;
     }
     /* explicit open of a non-dbm database */
     if ((strncmp(configDir, "sql:",4) == 0) 
 	|| (strncmp(configDir, "rdb:", 4) == 0)
 	|| (strncmp(configDir, "extern:", 7) == 0)) {
 	return PR_FALSE;
     }
-    env = PR_GetEnv("NSS_DEFAULT_DB_TYPE");
+    env = PR_GetEnvSecure("NSS_DEFAULT_DB_TYPE");
     /* implicit dbm open */
     if ((env == NULL) || (strcmp(env,"dbm") == 0)) {
 	return PR_TRUE;
     }
     /* implicit non-dbm open */
     return PR_FALSE;
 }
 
--- a/lib/pk11wrap/pk11util.c
+++ b/lib/pk11wrap/pk11util.c
@@ -79,17 +79,17 @@ SECMOD_Shutdown()
     }
 
     /* make all the slots and the lists go away */
     PK11_DestroySlotLists();
 
     nss_DumpModuleLog();
 
 #ifdef DEBUG
-    if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+    if (PR_GetEnvSecure("NSS_STRICT_SHUTDOWN")) {
 	PORT_Assert(secmod_PrivateModuleCount == 0);
     }
 #endif
     if (secmod_PrivateModuleCount) {
     	PORT_SetError(SEC_ERROR_BUSY);
 	return SECFailure;
     }
     return SECSuccess;
--- a/lib/softoken/fipstokn.c
+++ b/lib/softoken/fipstokn.c
@@ -431,17 +431,17 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserve
     CK_RV crv;
 
     sftk_ForkReset(pReserved, &crv);
 
     if (nsf_init) {
 	return CKR_CRYPTOKI_ALREADY_INITIALIZED;
     }
 
-    if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
+    if ((envp = PR_GetEnvSecure("NSS_ENABLE_AUDIT")) != NULL) {
 	sftk_audit_enabled = (atoi(envp) == 1);
     }
 
     crv = nsc_CommonInitialize(pReserved, PR_TRUE);
 
     /* not an 'else' rv can be set by either SFTK_LowInit or SFTK_SlotInit*/
     if (crv != CKR_OK) {
 	sftk_fatalError = PR_TRUE;
--- a/lib/softoken/legacydb/lgattr.c
+++ b/lib/softoken/legacydb/lgattr.c
@@ -566,17 +566,17 @@ lg_FindECPublicKeyAttribute(NSSLOWKEYPub
     case CKA_VERIFY_RECOVER:
     case CKA_WRAP:
 	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
     case CKA_EC_PARAMS:
 	return lg_CopyAttributeSigned(attribute,type,
 					key->u.ec.ecParams.DEREncoding.data,
 					key->u.ec.ecParams.DEREncoding.len);
     case CKA_EC_POINT:
-	if (getenv("NSS_USE_DECODED_CKA_EC_POINT")) {
+	if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) {
 	    return lg_CopyAttributeSigned(attribute, type,
 					key->u.ec.publicValue.data,
 					key->u.ec.publicValue.len);
 	} else {
 	    SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, 
 					&(key->u.ec.publicValue), 
 					SEC_ASN1_GET(SEC_OctetStringTemplate));
 	    CK_RV crv;
--- a/lib/softoken/legacydb/lginit.c
+++ b/lib/softoken/legacydb/lginit.c
@@ -163,17 +163,17 @@ DB * rdbopen(const char *appName, const 
 	db = (*lg_rdbfunc)(appName,prefix,type,rdbmapflags(flags));
 	if (!db && status && lg_rdbstatusfunc) {
 	    *status = (*lg_rdbstatusfunc)();
 	}
 	return db;
     }
 
     /* couldn't find the entry point, unload the library and fail */
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
     }
     return NULL;
 }
 
 /*
  * the following data structures are from rdb.h.
--- a/lib/softoken/lgglue.c
+++ b/lib/softoken/lgglue.c
@@ -413,17 +413,17 @@ sftkdbCall_Shutdown(void)
 	return CKR_OK;
     }
     if (legacy_glue_shutdown) {
 #ifdef NO_FORK_CHECK
 	PRBool parentForkedAfterC_Initialize = PR_FALSE;
 #endif
 	crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
     }
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(legacy_glue_lib);
     }
     legacy_glue_lib = NULL;
     legacy_glue_open = NULL;
     legacy_glue_readSecmod = NULL;
     legacy_glue_releaseSecmod = NULL;
     legacy_glue_deleteSecmod = NULL;
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -31,16 +31,17 @@
 #include "pkcs11t.h"
 #include "secoid.h"
 #include "alghmac.h"
 #include "softoken.h"
 #include "secasn1.h"
 #include "secerr.h"
 
 #include "prprf.h"
+#include "prenv.h"
 
 #define __PASTE(x,y)    x##y
 
 /*
  * we renamed all our internal functions, get the correct
  * definitions for them...
  */ 
 #undef CK_PKCS11_FUNCTION_INFO
@@ -4765,17 +4766,17 @@ dhgn_done:
 	if (rv != SECSuccess) { 
 	    if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
 		sftk_fatalError = PR_TRUE;
 	    }
 	    crv = sftk_MapCryptError(PORT_GetError());
 	    break;
 	}
 
-	if (getenv("NSS_USE_DECODED_CKA_EC_POINT")) {
+	if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) {
 	    crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, 
 				sftk_item_expand(&ecPriv->publicValue));
 	} else {
 	    SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, 
 					&ecPriv->publicValue, 
 					SEC_ASN1_GET(SEC_OctetStringTemplate));
 	    if (!pubValue) {
 		crv = CKR_ARGUMENTS_BAD;
--- a/lib/softoken/sdb.c
+++ b/lib/softoken/sdb.c
@@ -230,17 +230,17 @@ sdb_getFallbackTempDir(void)
         "/tmp",
         NULL     /* List terminator */
     };
     unsigned int i;
     struct stat buf;
     const char *zDir = NULL;
 
     azDirs[0] = sqlite3_temp_directory;
-    azDirs[1] = getenv("TMPDIR");
+    azDirs[1] = PR_GetEnvSecure("TMPDIR");
 
     for (i = 0; i < PR_ARRAY_SIZE(azDirs); i++) {
         zDir = azDirs[i];
         if (zDir == NULL) continue;
         if (stat(zDir, &buf)) continue;
         if (!S_ISDIR(buf.st_mode)) continue;
         if (access(zDir, 07)) continue;
         break;
@@ -1857,17 +1857,17 @@ sdb_init(char *dbname, char *table, sdbD
       *
       * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
       *   always be used.
       *
       * It is expected that most applications would use the "auto" selection,
       * the environment variable is primarily to simplify testing, and to 
       * correct potential corner cases where  */
 
-     env = PR_GetEnv("NSS_SDB_USE_CACHE");
+     env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
 
      if (env && PORT_Strcasecmp(env,"no") == 0) {
 	enableCache = PR_FALSE;
      } else if (env && PORT_Strcasecmp(env,"yes") == 0) {
 	enableCache = PR_TRUE;
      } else {
 	char *tempDir = NULL;
 	PRUint32 tempOps = 0;
@@ -2008,17 +2008,17 @@ s_open(const char *directory, const char
     }
 #endif
 
     /* how long does it take to test for a non-existant file in our working
      * directory? Allows us to test if we may be on a network file system */
     accessOps = 1;
     {
         char *env;
-        env = PR_GetEnv("NSS_SDB_USE_CACHE");
+        env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
         /* If the environment variable is set to yes or no, sdb_init() will
          * ignore the value of accessOps, and we can skip the measuring.*/
         if (!env || ((PORT_Strcasecmp(env, "no") != 0) &&
                      (PORT_Strcasecmp(env, "yes") != 0))){
            accessOps = sdb_measureAccess(directory);
         }
     }
 
--- a/lib/softoken/softoken.h
+++ b/lib/softoken/softoken.h
@@ -147,17 +147,17 @@ extern PRBool sftk_fatalError;
 ** macros to check for forked child process after C_Initialize
 */
 #if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
 
 #ifdef DEBUG
 
 #define FORK_ASSERT() \
     { \
-        char* forkAssert = getenv("NSS_STRICT_NOFORK"); \
+        char* forkAssert = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
         if ( (!forkAssert) || (0 == strcmp(forkAssert, "1")) ) { \
             PORT_Assert(0); \
         } \
     }
 
 #else
 
 #define FORK_ASSERT()
@@ -234,17 +234,17 @@ extern PRBool sftkForkCheckDisabled;
             return CKR_DEVICE_ERROR; \
         } \
     } while (0)
 
 #define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
 
 #define ENABLE_FORK_CHECK() \
     { \
-        char* doForkCheck = getenv("NSS_STRICT_NOFORK"); \
+        char* doForkCheck = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
         if ( doForkCheck && !strcmp(doForkCheck, "DISABLED") ) { \
             sftkForkCheckDisabled = PR_TRUE; \
         } \
     }
 
 
 #else
 
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -10160,26 +10160,26 @@ get_fake_cert(SECItem *pCertItem, int *p
     const char *extension;
     int         fileNum;
     PRInt32     numBytes   = 0;
     PRStatus    prStatus;
     PRFileInfo  info;
     char        cfn[100];
 
     pCertItem->data = 0;
-    if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
+    if ((testdir = PR_GetEnvSecure("NISCC_TEST")) == NULL) {
 	return SECSuccess;
     }
     *pIndex   = (NULL != strstr(testdir, "root"));
     extension = (strstr(testdir, "simple") ? "" : ".der");
     fileNum     = PR_ATOMIC_INCREMENT(&connNum) - 1;
-    if ((startat = PR_GetEnv("START_AT")) != NULL) {
+    if ((startat = PR_GetEnvSecure("START_AT")) != NULL) {
 	fileNum += atoi(startat);
     }
-    if ((stopat = PR_GetEnv("STOP_AT")) != NULL && 
+    if ((stopat = PR_GetEnvSecure("STOP_AT")) != NULL && 
 	fileNum >= atoi(stopat)) {
 	*pIndex = -1;
 	return SECSuccess;
     }
     sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
     cf = PR_Open(cfn, PR_RDONLY, 0);
     if (!cf) {
 	goto loser;
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -1523,17 +1523,17 @@ SSL_InheritMPServerSIDCacheInstance(cach
 
     ssl_InitSessionCacheLocks(PR_FALSE);
 
     ssl_sid_lookup  = ServerSessionIDLookup;
     ssl_sid_cache   = ServerSessionIDCache;
     ssl_sid_uncache = ServerSessionIDUncache;
 
     if (!envString) {
-    	envString  = getenv(envVarName);
+    	envString  = PR_GetEnvSecure(envVarName);
 	if (!envString) {
 	    SET_ERROR_CODE
 	    return SECFailure;
 	}
     }
     myEnvString = PORT_Strdup(envString);
     if (!myEnvString) 
 	return SECFailure;
@@ -1742,17 +1742,17 @@ LockPoller(void * arg)
 /* Launch thread to poll cache for expired locks */
 static SECStatus 
 LaunchLockPoller(cacheDesc *cache)
 {
     const char * timeoutString;
     PRThread *   pollerThread;
 
     cache->mutexTimeout = SID_LOCK_EXPIRATION_TIMEOUT;
-    timeoutString       = getenv("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT");
+    timeoutString       = PR_GetEnvSecure("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT");
     if (timeoutString) {
 	long newTime = strtol(timeoutString, 0, 0);
 	if (newTime == 0) 
 	    return SECSuccess;  /* application doesn't want poller thread */
 	if (newTime > 0)
 	    cache->mutexTimeout = (PRUint32)newTime;
 	/* if error (newTime < 0) ignore it and use default */
     }
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -3327,84 +3327,84 @@ ssl_SetDefaultsFromEnvironment(void)
 {
 #if defined( NSS_HAVE_GETENV )
     static int firsttime = 1;
 
     if (firsttime) {
         char * ev;
         firsttime = 0;
 #ifdef DEBUG
-        ev = getenv("SSLDEBUGFILE");
+        ev = PR_GetEnvSecure("SSLDEBUGFILE");
         if (ev && ev[0]) {
             ssl_trace_iob = fopen(ev, "w");
         }
         if (!ssl_trace_iob) {
             ssl_trace_iob = stderr;
         }
 #ifdef TRACE
-        ev = getenv("SSLTRACE");
+        ev = PR_GetEnvSecure("SSLTRACE");
         if (ev && ev[0]) {
             ssl_trace = atoi(ev);
             SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
         }
 #endif /* TRACE */
-        ev = getenv("SSLDEBUG");
+        ev = PR_GetEnvSecure("SSLDEBUG");
         if (ev && ev[0]) {
             ssl_debug = atoi(ev);
             SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
         }
 #endif /* DEBUG */
-        ev = getenv("SSLKEYLOGFILE");
+        ev = PR_GetEnvSecure("SSLKEYLOGFILE");
         if (ev && ev[0]) {
             ssl_keylog_iob = fopen(ev, "a");
             if (!ssl_keylog_iob) {
                 SSL_TRACE(("SSL: failed to open key log file"));
             } else {
                 if (ftell(ssl_keylog_iob) == 0) {
                     fputs("# SSL/TLS secrets log file, generated by NSS\n",
                           ssl_keylog_iob);
                 }
                 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
             }
         }
 #ifndef NO_PKCS11_BYPASS
-        ev = getenv("SSLBYPASS");
+        ev = PR_GetEnvSecure("SSLBYPASS");
         if (ev && ev[0]) {
             ssl_defaults.bypassPKCS11 = (ev[0] == '1');
             SSL_TRACE(("SSL: bypass default set to %d", \
                       ssl_defaults.bypassPKCS11));
         }
 #endif /* NO_PKCS11_BYPASS */
-        ev = getenv("SSLFORCELOCKS");
+        ev = PR_GetEnvSecure("SSLFORCELOCKS");
         if (ev && ev[0] == '1') {
             ssl_force_locks = PR_TRUE;
             ssl_defaults.noLocks = 0;
             strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED.  ");
             SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
         }
-        ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION");
+        ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION");
         if (ev) {
             if (ev[0] == '1' || LOWER(ev[0]) == 'u')
                 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
             else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
                 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
             else if (ev[0] == '2' || LOWER(ev[0]) == 'r')
                 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
             else if (ev[0] == '3' || LOWER(ev[0]) == 't')
                 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL;
             SSL_TRACE(("SSL: enableRenegotiation set to %d",
                        ssl_defaults.enableRenegotiation));
         }
-        ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
+        ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
         if (ev && ev[0] == '1') {
             ssl_defaults.requireSafeNegotiation = PR_TRUE;
             SSL_TRACE(("SSL: requireSafeNegotiation set to %d",
                         PR_TRUE));
         }
-        ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+        ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV");
         if (ev && ev[0] == '0') {
             ssl_defaults.cbcRandomIV = PR_FALSE;
             SSL_TRACE(("SSL: cbcRandomIV set to 0"));
         }
     }
 #endif /* NSS_HAVE_GETENV */
 }
 
--- a/lib/sysinit/nsssysinit.c
+++ b/lib/sysinit/nsssysinit.c
@@ -1,15 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "seccomon.h"
 #include "prio.h"
 #include "prprf.h"
 #include "plhash.h"
+#include "prenv.h"
 
 /*
  * The following provides a default example for operating systems to set up
  * and manage applications loading NSS on their OS globally.
  *
  * This code hooks in to the system pkcs11.txt, which controls all the loading
  * of pkcs11 modules common to all applications.
  */
@@ -36,17 +37,17 @@ testdir(char *dir)
    return S_ISDIR(buf.st_mode);
 }
 
 #define NSS_USER_PATH1 "/.pki"
 #define NSS_USER_PATH2 "/nssdb"
 static char *
 getUserDB(void)
 {
-   char *userdir = getenv("HOME");
+   char *userdir = PR_GetEnvSecure("HOME");
    char *nssdir = NULL;
 
    if (userdir == NULL) {
 	return NULL;
    }
 
    nssdir = PORT_Alloc(strlen(userdir)
 		+sizeof(NSS_USER_PATH1)+sizeof(NSS_USER_PATH2));
@@ -128,17 +129,17 @@ userCanModifySystemDB()
 #else
 #error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
 #endif
 #endif
 
 static PRBool 
 getFIPSEnv(void)
 {
-    char *fipsEnv = getenv("NSS_FIPS");
+    char *fipsEnv = PR_GetEnvSecure("NSS_FIPS");
     if (!fipsEnv) {
 	return PR_FALSE;
     }
     if ((strcasecmp(fipsEnv,"fips") == 0) ||
 	(strcasecmp(fipsEnv,"true") == 0) ||
 	(strcasecmp(fipsEnv,"on") == 0) ||
 	(strcasecmp(fipsEnv,"1") == 0)) {
 	 return PR_TRUE;
--- a/lib/util/secoid.c
+++ b/lib/util/secoid.c
@@ -1985,32 +1985,32 @@ SECOID_Init(void)
 
 #define NSS_VERSION_VARIABLE __nss_util_version
 #include "verref.h"
 
     if (oidhash) {
 	return SECSuccess; /* already initialized */
     }
 
-    if (!PR_GetEnv("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
+    if (!PR_GetEnvSecure("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
 	/* initialize any policy flags that are disabled by default */
 	xOids[SEC_OID_MD2                           ].notPolicyFlags = ~0;
 	xOids[SEC_OID_MD4                           ].notPolicyFlags = ~0;
 	xOids[SEC_OID_MD5                           ].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0;
 	xOids[SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC].notPolicyFlags = ~0;
     }
 
     /* turn off NSS_USE_POLICY_IN_SSL by default */
     xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
 
-    envVal = PR_GetEnv("NSS_HASH_ALG_SUPPORT");
+    envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
     if (envVal)
     	handleHashAlgSupport(envVal);
 
     if (secoid_InitDynOidData() != SECSuccess) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         PORT_Assert(0); /* this function should never fail */
     	return SECFailure;
     }
--- a/lib/util/secport.c
+++ b/lib/util/secport.c
@@ -316,17 +316,17 @@ PORT_FreeArena(PLArenaPool *arena, PRBoo
     	return;
     if (ARENAPOOL_MAGIC == pool->magic ) {
 	len  = sizeof *pool;
 	lock = pool->lock;
 	PZ_Lock(lock);
     }
     if (!checkedEnv) {
 	/* no need for thread protection here */
-	doFreeArenaPool = (PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST") == NULL);
+	doFreeArenaPool = (PR_GetEnvSecure("NSS_DISABLE_ARENA_FREE_LIST") == NULL);
 	checkedEnv = PR_TRUE;
     }
     if (zero) {
 	PL_ClearArenaPool(arena, 0);
     }
     if (doFreeArenaPool) {
 	PL_FreeArenaPool(arena);
     } else {
--- a/lib/util/utilpars.c
+++ b/lib/util/utilpars.c
@@ -1078,17 +1078,17 @@ const char *
     } else if (PORT_Strncmp(configdir, EXTERNDB, sizeof(EXTERNDB)-1) == 0) {
 	dbType = NSS_DB_TYPE_EXTERN;
 	configdir = configdir + sizeof(EXTERNDB) -1;
     } else if (PORT_Strncmp(configdir, LEGACY, sizeof(LEGACY)-1) == 0) {
 	dbType = NSS_DB_TYPE_LEGACY;
 	configdir = configdir + sizeof(LEGACY) -1;
     } else {
 	/* look up the default from the environment */
-	char *defaultType = PR_GetEnv("NSS_DEFAULT_DB_TYPE");
+	char *defaultType = PR_GetEnvSecure("NSS_DEFAULT_DB_TYPE");
 	if (defaultType != NULL) {
 	    if (PORT_Strncmp(defaultType, SQLDB, sizeof(SQLDB)-2) == 0) {
 		dbType = NSS_DB_TYPE_SQL;
 	    } else if (PORT_Strncmp(defaultType,EXTERNDB,sizeof(EXTERNDB)-2)==0) {
 		dbType = NSS_DB_TYPE_EXTERN;
 	    } else if (PORT_Strncmp(defaultType, LEGACY, sizeof(LEGACY)-2) == 0) {
 		dbType = NSS_DB_TYPE_LEGACY;
 	    }