SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 55

changes.mady.by.user Yitzhak Mandelbaum

Saved on

compared with

New Version 56

changes.mady.by.user Yitzhak Mandelbaum

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

  • Leading dashes: Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
  • Control characters, such as newlines, carriage returns, and escape: Control characters in a file name can cause unexpected results from shell scripts and in logging.
  • Spaces: Spaces can cause problems with scripts and when double quotes aren't used to surround the file name.
  • Invalid character encodings: Character encodings can make it difficult to perform proper validation of file and path names. (See rule IDS11-J. Eliminate noncharacter code points before validation).
  • Name-space separation characters: Including name-space separation characters in a file or path name can cause unexpected and potentially insecure behavior.
  • Command interpreters, scripts, and parsers: Some characters have special meaning when processed by a command interpreter, shell, or parser and should consequently be avoided.

Wiki MarkupAs a result of the influence of MS-DOS, file names of the form {{xxxxxxxx.xxx}}, where {{x}} denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive; while on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability in C resulting from a failure to deal appropriately with case sensitivity issues \[ [VU#439395|AA. References#VU439395]\].

This is a specific instance of rule IDS00-J. Sanitize untrusted data passed across a trust boundary.

...

CERT C Secure Coding Standard

MSC09-C. Character encoding - Use subset of ASCII for safety

CERT C++ Secure Coding Standard

MSC09-CPP. Character encoding - Use subset of ASCII for safety<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d5697836-5c98-4197-b569-9ef6d91cdb11"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010http://www.aitcnet.org/isai/]

Choice of filenames and other external identifiers [AJN] ] ]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE-116. Improper encoding or escaping of output

...

ISO/IEC 646-1991

ISO 7-bit coded character set for information interchange <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b0e244be-b764-4d38-8e94-1137a48aadae"><ac:plain-text-body><![CDATA[

[ [Kuhn 2006AA. References#Kuhn 06] ]

UTF-8 and Unicode FAQ for UNIX/Linux

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b5cbf6fb-1c37-408f-a194-c9f2b3765f99"><ac:plain-text-body><![CDATA[

[ [Wheeler 2003AA. References#Wheeler03] ]

5.4, File Names

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="92e1edef-9d1f-47b2-9022-8ca19d393cab"><ac:plain-text-body><![CDATA[

[ [VU#439395AA. References#VU439395] ] ]]></ac:plain-text-body></ac:structured-macro>

...

            IDS06-J. Exclude user input from format strings