--- cyrus-sasl-1.5.27/lib/common.c~ Thu Oct 14 19:42:38 2004
+++ cyrus-sasl-1.5.27/lib/common.c Thu Oct 14 19:44:57 2004
@@ -682,7 +682,9 @@
 if (! path_dest) return SASL_BADPARAM;
- path = getenv(SASL_PATH_ENV_VAR);
+ /* Honor external variable only in a safe environment */
+ if (getuid() == geteuid() && getgid() == getegid())
+ *path = getenv(SASL_PATH_ENV_VAR);
 if (! path) path = PLUGINDIR;
 return _sasl_strdup(path, path_dest, NULL);
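Review bot: The added assignment `*path = getenv(SASL_PATH_ENV_VAR);` writes through `path` instead of assigning it — the removed line shows `path` is the pointer that receives the `getenv()` result, so `*path` is a single `char` lvalue being assigned a `char *` (a constraint violation a C compiler will at least warn on), and since `path` is no longer assigned anywhere in the hunk the following `if (! path)` test and the store itself read a pointer whose value is presumably uninitialized at this point — the declaration is outside the hunk, so confirm. The line should read `path = getenv(SASL_PATH_ENV_VAR);` so that the fallback to `PLUGINDIR` below still works when the variable is unset or the id check fails. The real/effective id comparison also does not detect a process that has already changed its ids (for example a set-user-id program that has set both to the same value), so where the platform offers `issetugid()` or `secure_getenv()` those are the more robust gate; a short comment noting that limitation next to the check would help future maintainers. The hunk header counts more lines than are visible here, and the enclosing function begins and ends outside the hunk.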