SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 40

changes.mady.by.user Alex Volkovitsky

Saved on

compared with

New Version 41

changes.mady.by.user Pamela Curtis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

No Format
% & + , - . : = _

Wiki MarkupWhen naming files, variables, etc., only these characters should be considered for use. This recommendation is related to \[[and other objects, only these characters should be considered for use. This recommendation is related to STR02-A. Sanitize data passed to complex subsystems]\].

File Names

File names containing particular characters can be troublesome and can cause unexpected behavior leading to potential vulnerabilities. If a program allows the user to specify a filename file name in the creation or renaming of a file, certain checks should be made to disallow the following characters and patterns:

  • Leading dashes
  • Control characters such as newlines, carriage returns, and escape
  • Spaces
  • Invalid character encodings
  • Any characters other than letters, numbers, and punctuation designated above as portable

Many of the punctuation characters aren't unconditionally safe for filenames even of they are portably available.

...

  • -

...

  • Leading

...

  • dashes

...

  • can

...

  • cause

...

  • problems when

...

  • programs

...

  • are

...

  • called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
  • Control characters such as newlines, carriage returns, and escape - Control characters in a file name can cause unexpected results from shell scripts and in logging.
  • Spaces - Spaces can cause problems with scripts and when double quotes aren't used to surround the file name.
  • Invalid character encodings - Character encodings can be a huge issue. They are also discussed in MSC10-A. Character Encoding - UTF8 Related Issues.
  • Any characters other than letters, numbers, and punctuation designated above as portable - Other special characters are included in this recommendation because they are commonly used as separators and having them in a file name can cause unexpected and potentially insecure behavior.

Also, many of the punctuation characters aren't unconditionally safe for file names even of they are portably available.

Most of these characters or patterns are primarily a problem to scripts or automated parsing, but because they are not commonly used, it is best to disallow their use to reduce potential problems. Interoperability concerns also exist because different operating systems handle file names of this sort in different ways.

with this filename as a parameter, the first character or characters of the file might be taken to mean that its an option switch.  Control characters in a filename can cause unexpected results from shell scripts and in logging.  Spaces can again cause problems with scripts and anytime double quotes aren't used to surround the filename.  Character encodings can be a huge issue and are also discussed in \[[MSC10-A. Character Encoding - UTF8 Related Issues]\].  Other special characters are included in this recommendation because they are commonly used as separators and having them in a filename can cause unexpected and potentially insecure behavior.
Wiki Markup
As a result of the influence of MS-DOS, file names of the form {{xxxxxxxx.xxx}}, where x denotes an alphanumeric character, are generally supported by modern systems.  In some cases file names are case sensitive, while in other cases they are case insensitive.  VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues \[[VU#439395 |AA. C References#VU439395]\].

Non-Compliant

...

Code Example:

...

File Name

In the following non-compliant code, unsafe characters are used as part of a filenamefile name.

Code Block
bgColor#ffcccc
#include <fcntl.h>
#include <sys/stat.h>

int main(void) {
   char *file_name = "&#xBB;&#xA3;???&#xAB;";
   mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;

   int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, mode);
   if (fd == -1) {
      /* Handle Error */
   }
}

An implementation is free to define its own mapping of the non-"safe" characters. For example, when tested on a Red Hat Linux distribution, this non-compliant code example resulted in the following file name:

Code Block
??????

Compliant Solution:

...

File Name

Use a descriptive filenamefile name, containing only the subset of ASCII described above.

...

Non-Compliant Code Example (File Name)

Wiki MarkupThis non-compliant code example is derived from \[[FIO30-C. Exclude user input from format strings]\] except that a newline is removed on the assumption that {{fgets()}} will include it.

Code Block
bgColor#FFCCCC
char myFilename[1000];
char const elimNewLn[] = "\n";

fgets(myFilename, sizeof(myFilename)-1, stdin);
myFilename[sizeof(myFilename)-1] = '\0';
myFilename[strcspn(myFilename, elimNewLn)] = '\0';

No checks are performed on the filename file name to prevent troublesome characters.  If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, they could choose particular characters in the output filename file name to confuse the later process for malicious purposes.

...

In this compliant solution, the program rejects filenames file names that violate the guidelines for selecting safe characters.

...

Similarly, you must provide validate all filenames file names originating from untrusted sources to ensure they contain only safe characters.

...