...
- Leading dashes: Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
- Control characters, such as newlines, carriage returns, and escape: Control characters in a file name can cause unexpected results from shell scripts and in logging.
- Spaces: Spaces can cause problems with scripts and when double quotes aren't used to surround the file name.
- Invalid character encodings: Character encodings can make it difficult to perform proper validation of string datafile and path names. (See rule IDS11-J. Sanitize non-character code points before performing other sanitization.)
- Characters other than letters, numbers, and portable punctuation: These characters may be used as separatorsname-separator character. Including them in a file or path name can cause unexpected and potentially insecure behavior.
Wiki Markup xxxxxxxx.xxx}}, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive; while on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues \[[VU#439395|AA. Bibliography#VU439395]\].
In addition to the letters of the English alphabet ("A" through "Z" and "a" through "z"), the digits ("0" through "9"), and the space, only the following characters are portable:
...
Only these characters should be considered for use in file and path names. Punctuation characters not on this list are not unconditionally safe for file names even if they are portably available. These characters or patterns can cause problems for scripts and automated parsing, but because they are not commonly used, it is best to disallow their use to reduce potential problems. Interoperability concerns also exist because different operating systems handle these punctuation characters in file and path names of this sort in different waysin an implementation-defined manner.
This is an instance of rule IDS00-J. Sanitize untrusted data passed across a trust boundary.
...
ISO 7-bit coded character set for information interchange | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d3d6f45fdff7f166-eac6c40c-4fb645e3-b913ba01-a77c281d85a55628dd55df88"><ac:plain-text-body><![CDATA[ | [[Kuhn 2006 | AA. Bibliography#Kuhn 06]] | UTF-8 and Unicode FAQ for UNIX/Linux | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b3cb452300a8934c-808c7e05-464e4f7c-9ca5b545-01636a6e6469b729d32d5d8f"><ac:plain-text-body><![CDATA[ | [[Wheeler 2003 | AA. Bibliography#Wheeler03]] | 5.4 File Names]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e3456aa4ff01ff25-5af69346-4f684cb5-a9b9b91c-4f9d6046981a391370744264"><ac:plain-text-body><![CDATA[ | [[VU#881872 | AA. Bibliography#VU881872]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
...