...
Canonicalization contains an inherent race condition window between the time you
...
obtain the canonical path name
...
and the time you open the file
...
During . During this time, the canonical path name is being validated. However, also during this time the canonical path name may have been modified and may no longer be referencing a the original valid file. . This race condition can be mitigated easily. The canonical path name can be used to determine if the referenced file name is in a secure directory (see FIO00-J. Do not operate on files in shared directories). If the referenced file is in a secure directory, then, by definition, an attacker cannot tamper with it and cannot exploit the race condition.
...
FIO02-C. Canonicalize path names originating from untrusted sources | ||||
FIO02-CPP. Canonicalize path names originating from untrusted sources | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="38fc13a0115c1e45-e7c6071d-44be4978-872bb41b-1153a9116543cfa05ea0394a"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Path Traversal [EWR]" | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-171, "Cleansing, Canonicalization, and Comparison Errors" | ||||
| CWE-647, "Use of Non-Canonical URL Paths for Authorization Decisions" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c3f6c567630909b0-71c98d9a-426c430b-8f2794a1-2b7c454fa82d375c8f0c22fe"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [method getCanonicalPath() | http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath()] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c7fbcaef98fe66cf-3f2d84b3-48d64c8c-a40c8803-4f7562b9d35fba6e2dc909c9"><ac:plain-text-body><![CDATA[ | [[Harold 1999 | AA. Bibliography#Harold 99]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
...