--- cyrus-sasl-2.1.19/lib/common.c.orig 2004-10-19 13:04:57.000000000 +0200
+++ cyrus-sasl-2.1.19/lib/common.c 2004-10-19 13:10:34.000000000 +0200
@@ -1114,11 +1114,13 @@
 _sasl_getconfpath(void *context __attribute__((unused)), char ** path_dest)
 {
- char *path;
+ char *path = NULL;
 if (! path_dest) return SASL_BADPARAM;
- path = getenv(SASL_CONF_PATH_ENV_VAR);
+ /* Honor external variable only in a safe environment */
+ if (getuid() == geteuid() && getgid() == getegid())
+ path = getenv(SASL_CONF_PATH_ENV_VAR);
 if (! path) path = CONFIGDIR;
 return _sasl_strdup(path, path_dest, NULL);
@@ -1880,7 +1882,11 @@
 if (! path) return SASL_BADPARAM;
- *path = getenv(SASL_PATH_ENV_VAR);
+ /* Honor external variable only in a safe environment */
+ if (getuid() == geteuid() && getgid() == getegid())
+ *path = getenv(SASL_PATH_ENV_VAR);
+ else
+ *path = NULL;
 if (! *path) *path = PLUGINDIR;
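Review bot: The `getuid() == geteuid() && getgid() == getegid()` test guarding the new `getenv(SASL_CONF_PATH_ENV_VAR)` call in `_sasl_getconfpath` only detects a set-user-ID/set-group-ID process while the elevated ID is still in effect; a program that has already set its effective ID back to the real one (with the saved set-ID still elevated), or one that gained privilege through file capabilities rather than a set-ID bit, passes the test and still honors an attacker-supplied SASL_CONF_PATH inherited from the untrusted invoker. Where the platform provides it, `issetugid()` (BSD) or `getauxval(AT_SECURE)` / `secure_getenv()` (glibc) answers the question the comment actually asks, and the uid/gid comparison can remain as the portable fallback. The comment should also say what "safe" means, e.g. `/* Trust SASL_CONF_PATH only when the process is not set-user-ID/set-group-ID (see issetugid()/AT_SECURE where available) */`. The function's closing lines fall outside the hunk.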
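Review bot: The second hunk repeats the same four-line uid/gid conjunction and comment verbatim around `getenv(SASL_PATH_ENV_VAR)`, so the two "safe environment" policies can drift apart the next time one of them is tightened; this matters because the value read here falls back to `PLUGINDIR` and so appears to select where plugins are loaded from, the higher-impact of the two variables. A one-line `static int _sasl_env_is_trusted(void)` helper returning that conjunction (or the platform's `issetugid()` / `getauxval(AT_SECURE)` result where available) placed above `_sasl_getconfpath` lets both sites read `if (_sasl_env_is_trusted())` and keeps the decision in one place. The explicit `else *path = NULL;` is correct as written since `*path` is otherwise left holding whatever the caller passed. The enclosing function's signature and closing brace are outside the hunk.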