AutoHotkey Community

[arbe]

[Chris]

It's not a bug; those are environment variables. The help file explains that when your script accesses an empty variable, AHK checks to see if that variable exists as an environment variable, and if so it retrieves the string from there.

[arbe]

Chris, thanks for your explanation.

Is there any way to turn this behaviour off? If empty variables are always checked against environment variables, one cannot write deterministic scripts, since you don't know the environment of the target machine.

For example, I want to load clipboard contents and add an error handler, if the clipboard was empty. If the variable, I loaded the (empty) contents to, is registered as an environment variable, the error check will think the clipboard was not empty.

If this is unclear, here is some code:

[Chris]

Although there's currently no way to turn it off, your points are well made. I'll add it to the to-do list.

Thanks.

[JSLover]

[Chris]

That's a good possibility; thanks.

[jonny]

A workaround would be to store the contents of the environment variable at the start of the script, and then check for that instead of checking for a blank var. If it was empty or nonexistent it will still work the same anyway. The only downside is that environment vars can change.

Another alternative is to get into the habit of using prefixes for your variables.

[Dewi Morgan]

Trouble is, while you may use prefixes for your variables, your script is still vulnerable to an env var of the same name. Which is dream territory for a hacker.

This is why, in PHP, they made the radical change of setting "register globals" to be off by default, despite the fact that this broke the vast majority of scripts.

The fix for the broken scripts is to change the scripts to add a line at the top that registers the environment variables as variables. And nobody thought it was a bad thing that all the PHP scripts everywhere in the world needed to be fixed, because register globals had always been such an intrinsically bad and insecure thing.

For example, my PHP library has a function that checks a username and password against a database, and returns the matching userid, or null if none is found. Like so:

[arbe]

Hi Chris,

are there any news about the implementation of this feature?

This security related issue is getting more and more attention. A recent report about undefined behavior caused by uninitialized variables (that has been cited by the renowned german Heise magazine recently) can be found here: http://www.felinemenace.org/~mercy/papers/UBehavior/Undefined%20Behavior.pdf

[Chris]

It is tentatively planned to have a #v1.1 directive that when present in scripts running on versions older than 1.1, puts 1.1 behavior into effect. One such behavior would be turning off the automatic fetching of environment variables whenever an empty variable is referenced.

This option may also arrive sooner as a separate directive.

Edit: v1.0.43.08 introduces the #NoEnv directive, which is recommended for all new scripts.

[kapege.de]

[PhiLho]

For those, like me, [re]discovering this thread, shimanov made a script to workaround this problem.
_________________
vPhiLho := RegExReplace("Philippe Lhoste", "^(\w{3})\w*\s+\b(\w{3})\w*$", "$1$2")