Page History

...

Absolute or relative path names may contain file links such as symbolic (soft) links, hard links, short cuts, shadows, aliases, and junctions rather than canonical paths. These aliases must be fully resolved before any file validation operations are performed. For example, the final target of a symbolic link called trace might be the path name /home/system/trace. Path names may also contain special file names that make validation difficult:

".â " refers to the directory itself.
Inside a directory, the special file name "..â " refers to the directoryâs parent directory.

...

The CERT C Secure Coding Standard	FIO02-C. Canonicalize path names originating from untrusted sources
The CERT C++ Secure Coding Standard	FIO02-CPP. Canonicalize path names originating from untrusted sources
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6b42f5d8eeb4b514-68f0496c-441a48eb-9a429c36-3aef10ca244c1d529b4115e2"><ac:plain-text-body><![CDATA[	[ISO/IEC TR 24772:2010	http://www.aitcnet.org/isai/]	"Path Traversal [EWR]"	]]></ac:plain-text-body></ac:structured-macro>
MITRE CWE	CWE-171, "Cleansing, Canonicalization, and Comparison Errors"
	CWE-647, "Use of Non-Canonical URL Paths for Authorization Decisions"

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="52bdc544e04fbac4-d3ee37ea-40c748b5-b212b761-31436d97690d3b47a27ae8ee"><ac:plain-text-body><![CDATA[	[[API 2006	AA. Bibliography#API 06]]	[method getCanonicalPath()	http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath()]	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2bee044d0ad45609-2ad35171-48ab48d1-9c51b46d-37bcf0ba44de990d9059cb3e"><ac:plain-text-body><![CDATA[	[[Harold 1999	AA. Bibliography#Harold 99]]		]]></ac:plain-text-body></ac:structured-macro>

...

Space shortcuts

Page tree

Versions Compared

Old Version 95

New Version 96

Key