diff -Naur cyrus-sasl-2.1.18-orig/lib/common.c cyrus-sasl-2.1.18/lib/common.c
--- cyrus-sasl-2.1.18-orig/lib/common.c	2004-03-10 10:51:35.000000000 -0500
+++ cyrus-sasl-2.1.18/lib/common.c	2004-07-07 21:20:21.953011443 -0400
@@ -1794,7 +1794,10 @@
   if (! path)
     return SASL_BADPARAM;
 
-  *path = getenv(SASL_PATH_ENV_VAR);
+  /* Honor external variable only in a safe environment */
+  if (getuid() == geteuid() && getgid() == getegid())
+    *path = getenv(SASL_PATH_ENV_VAR);
+
   if (! *path)
     *path = PLUGINDIR;