Page History

...

When naming files, variables, and other objects, only these characters should be considered for use. This recommendation is related to STR02-C. Sanitize data passed to complex subsystems.

File Names

File names containing particular characters can be troublesome and can cause unexpected behavior leading to potential vulnerabilities. If a program allows the user to specify a file name in the creation or renaming of a file, certain checks should be made to disallow the following characters and patterns:

• Leading dashes—Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
• Control characters, such as newlines, carriage returns, and escape—Control characters in a file name can cause unexpected results from shell scripts and in logging.
• Spaces—Spaces can cause problems with scripts and when double quotes are not used to surround the file name.
• Invalid character encodings—Character encodings can be a huge issue. (See MSC10-C. Character Encoding - UTF8 Related Issuesencoding: UTF8-related issues.)
• Any characters other than letters, numbers, and punctuation designated here as portable—Other special characters are included in this recommendation because they are commonly used as separators, and having them in a file name can cause unexpected and potentially insecure behavior.

...

As a result of the influence of MS-DOS, file names of the form xxxxxxxx.xxx, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive, and on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case-sensitivity issues [VU#439395].

Noncompliant Code Example (File Name 1)

In the following noncompliant code, unsafe characters are used as part of a file name.

...

An implementation is free to define its own mapping of the "nonsafe" characters. For example, when tested on a Red Hat Linux distribution, this noncompliant code example resulted in the following file name:

??????

Compliant Solution (File Name 1)

Use a descriptive file name containing only the subset of ASCII previously described.

#include <fcntl.h>
#include <sys/stat.h>

int main(void) {
   char *file_name = "name.ext";
   mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;

   int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, mode);
   if (fd == -1) {
      /* Handle error */
   }
}

Noncompliant Code Example (File Name 2)

This noncompliant code example is derived from FIO30-C. Exclude user input from format strings, except that a newline is removed on the assumption that fgets() will include it.

...

No checks are performed on the file name to prevent troublesome characters. If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, he or she could choose particular characters in the output file name to confuse the later process for malicious purposes.

Compliant Solution (File Name 2)

In this compliant solution, the program rejects file names that violate the guidelines for selecting safe characters.

...

Similarly, you must validate all file names originating from untrusted sources to ensure they contain only safe characters.

Risk Assessment

Failing to use only the subset of ASCII that is guaranteed to work can result in misinterpreted data.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...