...
- Leading dashes: Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
- Control characters, such as newlines, carriage returns, and escape: Control characters in a file name can cause unexpected results from shell scripts and in logging.
- Spaces: Spaces can cause problems with scripts and when double quotes aren't used to surround the file name.
- Invalid character encodings: Character encodings can make it difficult to perform proper validation of file and path names. (See rule IDS11-J. Eliminate non-character code points before validation.)
- Name-space separation characters: Including name-space separation characters in a file or path name can cause unexpected and potentially insecure behavior.
- Command interpreters, scripts and parsers: Some characters have special meaning when processed by a command interpreter, shell, or parser and should consequently be avoided.
| Wiki Markup |
|---|
As a result of the influence of MS-DOS, file names of the form {{xxxxxxxx.xxx}}, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive; while on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability in C resulting from a failure to deal appropriately with case sensitivity issues \[[VU#439395|AA. Bibliography#VU439395]\]. |
This is an instance of rule IDS00-J. Sanitize untrusted data passed across a trust boundary.
...
MSC09-C. Character Encoding - Use Subset of ASCII for Safety | ||||
MSC09-CPP. Character Encoding - Use Subset of ASCII for Safety | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="992006ddc504946f-3bc16c14-433048a1-9344a651-54d0ead1fc2a2283dad824ad"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Choice of Filenames and other External Identifiers [AJN]" | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-116, "Improper Encoding or Escaping of Output" |
...
ISO 7-bit coded character set for information interchange | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ab3bb1d9a1e6d82d-672ab3c4-47144b3b-87cb9b78-f2f981d348d6c0168e0873c2"><ac:plain-text-body><![CDATA[ | [[Kuhn 2006 | AA. Bibliography#Kuhn 06]] | UTF-8 and Unicode FAQ for UNIX/Linux | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ad9d107f4fcdb5c4-68fd0338-45b044da-acb89ca0-7983182ad56cdc06cafbfe8e"><ac:plain-text-body><![CDATA[ | [[Wheeler 2003 | AA. Bibliography#Wheeler03]] | 5.4 File Names | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="319dd9b31fe5ad95-1cba8a17-407547df-ae1a8912-f1b7665b07135a41e0ffea27"><ac:plain-text-body><![CDATA[ | [[VU#439395 | AA. Bibliography#VU439395]] | ]]></ac:plain-text-body></ac:structured-macro> |
...