...

Most of these characters or patterns are primarily a problem for scripts or automated parsing, but because they are not commonly used, it is best to disallow them to reduce potential problems. Interoperability concerns also exist because different operating systems handle file names of this sort in different ways. Leading dashes can cause problems when programs are called with the file name as a parameter, because the first character or characters of the file name might be interpreted as an option switch. Control characters in a file name can cause unexpected results in shell scripts and in logging. Spaces can likewise cause problems in scripts and anytime double quotes aren't used to surround the file name. Character encodings can be a huge issue and are also discussed in MSC10-A. Character Encoding - UTF8 Related Issues. Other special characters are included in this recommendation because they are commonly used as separators, and having them in a file name can cause unexpected and potentially insecure behavior.

As a result of the influence of MS-DOS, file names of the form xxxxxxxx.xxx, where x denotes an alphanumeric character, are generally supported by modern systems. In some cases file names are case sensitive, while in other cases they are case insensitive. VU#439395, "Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem," is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues [VU#439395].
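One way to enforce the restrictions described above before a name reaches a shell, a log, or a filter rule, written as an added example and not code from the original guideline. It assumes the POSIX portable filename character set as the allowlist and an ASCII execution character set; the enum and function names are this example's own.

```c
#include <stddef.h>

/* Reason codes (hypothetical names, chosen for this example). */
enum fname_status {
    FNAME_OK = 0,
    FNAME_EMPTY,         /* NULL or zero-length name */
    FNAME_LEADING_DASH,  /* could be parsed as an option switch */
    FNAME_CONTROL_CHAR,  /* 0x01-0x1F or 0x7F: corrupts logs, scripts */
    FNAME_SPACE,         /* breaks unquoted use in scripts */
    FNAME_NON_ASCII,     /* byte >= 0x80: meaning depends on encoding */
    FNAME_SPECIAL_CHAR   /* separator or other non-portable character */
};

/* Assumed allowlist: POSIX portable filename character set. */
static int is_portable(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Check a single file name (one path component, not a full path). */
enum fname_status fname_check(const char *name) {
    if (name == NULL || name[0] == '\0') return FNAME_EMPTY;
    if (name[0] == '-') return FNAME_LEADING_DASH;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p) {
        if (*p < 0x20 || *p == 0x7F) return FNAME_CONTROL_CHAR;
        if (*p == ' ') return FNAME_SPACE;
        if (*p >= 0x80) return FNAME_NON_ASCII;
        if (!is_portable(*p)) return FNAME_SPECIAL_CHAR;
    }
    return FNAME_OK;
}

/* ASCII-only case fold, independent of the current locale. */
static unsigned char fold(unsigned char c) {
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c - 'A' + 'a') : c;
}

/* Returns 1 if the two names are equal ignoring ASCII letter case, i.e.
 * they would name the same file on a case-insensitive file system. */
int fname_same_nocase(const char *a, const char *b) {
    const unsigned char *x = (const unsigned char *)a;
    const unsigned char *y = (const unsigned char *)b;
    while (*x && fold(*x) == fold(*y)) { ++x; ++y; }
    return fold(*x) == fold(*y);
}
```

Comparing names with `fname_same_nocase` rather than `strcmp` in an access filter keeps the filter's decision consistent with a case-insensitive file system.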

Non-Compliant Coding Example: Encoding

...

[Kuhn 06] UTF-8 and Unicode FAQ for Unix/Linux
[ISO/IEC 646-1991] ISO 7-bit coded character set for information interchange
[ISO/IEC 9899-1999] Section 5.2.1, "Character sets"
[MISRA 04] Rule 3.2, "The character set and the corresponding encoding shall be documented," and Rule 4.1, "Only those escape sequences that are defined in the ISO C standard shall be used"
[Wheeler 03] 5.4 File Names
[VU#881872]

...
