...
- Leading dashes: Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
- Control characters, such as newlines, carriage returns, and escape: Control characters in a file name can cause unexpected results from shell scripts and in logging.
- Spaces: Spaces can cause problems with scripts and when double quotes aren't used to surround the file name.
- Invalid character encodings: Character encodings can make it difficult to perform proper validation of file and path names. (See rule IDS11-J. Eliminate non-character code points before validation.)
- Name-space separation characters: Including name-space separation characters in a file or path name can cause unexpected and potentially insecure behavior.
- Command interpreters, scripts, and parsers: Some characters have special meaning when processed by a command interpreter, shell, or parser and should consequently be avoided.
...
This is an instance of rule IDS00-J. Sanitize untrusted data passed across a trust boundary.
Noncompliant Code Example
...
```java
File f = new File("A\uD8AB");
OutputStream out = new FileOutputStream(f);
```
Each platform is free to define its own mapping of the non-"safe" characters. For example, when tested on an Ubuntu Linux distribution, this noncompliant code example resulted in the following file name:
...
This noncompliant code example creates a file with input from the user without sanitizing the input.
```java
public static void main(String[] args) throws Exception {
  if (args.length < 1) {
    // handle error
  }
  File f = new File(args[0]);
  OutputStream out = new FileOutputStream(f);
  // ...
}
```
No checks are performed on the file name to prevent troublesome characters. If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, the attacker could choose particular characters in the output file name to confuse the later process for malicious purposes.
...
```java
public static void main(String[] args) throws Exception {
  if (args.length < 1) {
    // handle error
  }
  String filename = args[0];

  // Any character outside the allowed subset of ASCII is a violation
  Pattern pattern = Pattern.compile("[^A-Za-z0-9%&+,.:=_]");
  Matcher matcher = pattern.matcher(filename);
  if (matcher.find()) {
    // filename contains bad chars, handle error
  }
  File f = new File(filename);
  OutputStream out = new FileOutputStream(f);
  // ...
}
```
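The following is an added example, not part of the original rule text. It applies the same allowed-character set as the check above to one constructed file name for each problem class in the list at the top of this rule. The class name `FileNameWhitelistDemo`, the helper `isSafeFileName`, and all sample names are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class FileNameWhitelistDemo {
    // Same character set as the check above, written positively:
    // one or more characters, all drawn from the allowed ASCII subset.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9%&+,.:=_]+");

    /** Returns true only if every character of name is in the allowed subset. */
    static boolean isSafeFileName(String name) {
        return name != null && SAFE.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names, one per problem class listed in this rule.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("leading dash", "-rf");
        samples.put("control character", "report\n.txt");
        samples.put("space", "my file.txt");
        samples.put("unpaired surrogate", "A\uD8AB");
        samples.put("path separator", "sub/dir.txt");
        samples.put("shell metacharacter", "a;b.txt");
        samples.put("empty name", "");
        samples.put("plain name", "report_2024.txt");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String verdict = isSafeFileName(e.getValue()) ? "accept" : "reject";
            // Print code points rather than the raw name so that control
            // characters in a rejected name cannot corrupt the output.
            StringBuilder hex = new StringBuilder();
            e.getValue().codePoints()
                .forEach(cp -> hex.append(String.format("U+%04X ", cp)));
            System.out.printf("%-20s %-6s %s%n",
                e.getKey(), verdict, hex.toString().trim());
        }
    }
}
```

Only the last sample is accepted. Unlike the `find()` form of the check, the positive `matches()` form also rejects the empty string.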
...
Risk Assessment
Failing to use only a "safe" subset of ASCII that is guaranteed to work can result in misinterpreted data.
...
- MSC09-C. Character Encoding - Use Subset of ASCII for Safety
- MSC09-CPP. Character Encoding - Use Subset of ASCII for Safety
- ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/), "Choice of filenames and other external identifiers [AJN]"
- CWE-116. Improper encoding or escaping of output
...