...
Canonicalization contains an inherent race window between the time the program obtains the canonical path name and the time it opens the file. During this time, the canonical path name is being validated. However, also during this time, the canonical path name may have been modified and may no longer reference the original valid file. Fortunately, this race condition can be mitigated easily. The canonical path name can be used to determine whether the referenced file name is in a secure directory (see FIO00-J. Do not operate on files in shared directories). If the referenced file is in a secure directory, then, by definition, an attacker cannot tamper with it and cannot exploit the race condition.
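The mitigation described above, sketched as an added example (not code from the CERT standard): the path is canonicalized with `getCanonicalFile()`, validated, and opened only if every directory above the file is owned by the current user or root and is not writable by group or others. The names `isInSecureDir`, `openValidated` and `allowedBase` are hypothetical, and the check assumes a POSIX file system with a `root` account.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.*;

public class CanonicalOpen {
    // Hypothetical helper: true if every directory from dir up to the root is owned
    // by the current user or root and is not writable by group or others (POSIX only).
    static boolean isInSecureDir(Path dir) throws IOException {
        UserPrincipalLookupService users = dir.getFileSystem().getUserPrincipalLookupService();
        UserPrincipal me = users.lookupPrincipalByName(System.getProperty("user.name"));
        UserPrincipal root = users.lookupPrincipalByName("root");
        for (Path p = dir; p != null; p = p.getParent()) {
            PosixFileAttributes a = Files.readAttributes(
                    p, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
            if (!a.isDirectory()) return false;                 // symlink or non-directory
            if (!a.owner().equals(me) && !a.owner().equals(root)) return false;
            if (a.permissions().contains(PosixFilePermission.GROUP_WRITE)
                    || a.permissions().contains(PosixFilePermission.OTHERS_WRITE)) return false;
        }
        return true;
    }

    // Canonicalize, validate, then open only if nobody else can swap path components.
    static InputStream openValidated(String untrusted, String allowedBase) throws IOException {
        Path canonical = new File(untrusted).getCanonicalFile().toPath();
        Path base = new File(allowedBase).getCanonicalFile().toPath();
        if (!canonical.startsWith(base) || canonical.getParent() == null) {
            throw new SecurityException("path is outside the allowed base or has no parent");
        }
        if (!isInSecureDir(canonical.getParent())) {
            throw new SecurityException("file is not in a secure directory");
        }
        // The race window spans the checks above; NOFOLLOW_LINKS refuses a final symlink.
        return Files.newInputStream(canonical, LinkOption.NOFOLLOW_LINKS);
    }

    public static void main(String[] args) throws IOException {
        // Constructed usage: java CanonicalOpen <untrusted path> <allowed base directory>
        try (InputStream in = openValidated(args[0], args[1])) {
            System.out.println("opened; first byte = " + in.read());
        }
    }
}
```

A file under a world-writable directory such as `/tmp` is rejected by the secure-directory check even when its canonical path passes validation, because another user could replace a path component between the check and the open.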
...
| FIO02-C. Canonicalize path names originating from untrusted sources |
| FIO02-CPP. Canonicalize path names originating from untrusted sources |
| [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Path Traversal [EWR]" |
| CWE-171, "Cleansing, Canonicalization, and Comparison Errors" |
| CWE-647, "Use of Non-Canonical URL Paths for Authorization Decisions" |
...
...