...
As a result of the influence of MS-DOS, file names of the form xxxxxxxx.xxx, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive, while on other platforms they are case insensitive. VU#439395 is an example of a vulnerability in C resulting from a failure to deal appropriately with case sensitivity issues [VU#439395].
This rule is a specific instance of rule IDS00-J.
...
```java
// Noncompliant: "\uD8AB" is an unpaired UTF-16 surrogate, not a valid character
File f = new File("A\uD8AB");
OutputStream out = new FileOutputStream(f);
```
A platform is free to define its own mapping of unsafe characters. For example, when tested on an Ubuntu Linux distribution, this noncompliant code example resulted in the following file name:
...
```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SafeFileNameExample {
  public static void main(String[] args) throws Exception {
    if (args.length < 1) {
      // handle error
    }
    String filename = args[0];
    // Reject any character outside the "safe" subset of ASCII
    Pattern pattern = Pattern.compile("[^A-Za-z0-9%&+,.:=_]");
    Matcher matcher = pattern.matcher(filename);
    if (matcher.find()) {
      // filename contains bad chars, handle error
    }
    File f = new File(filename);
    OutputStream out = new FileOutputStream(f);
    // ...
  }
}
```
Similarly, all file names originating from untrusted sources must be sanitized to ensure they contain only safe characters.
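The whitelist check above, as an added example that is not part of the original page, packaged as a reusable validator. It reports rejected characters by code point value instead of echoing them (an unpaired surrogate or control character is not printable) and, going beyond the page, also rejects "." and "..", which consist only of whitelisted characters yet name directories rather than files. The class name, method name and sample inputs are constructed for this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SafeFileName {
    // Same whitelist as the compliant solution: any character outside it is rejected.
    private static final Pattern UNSAFE = Pattern.compile("[^A-Za-z0-9%&+,.:=_]");

    /** Returns filename unchanged if it is safe to pass to java.io.File; otherwise throws. */
    public static String require(String filename) {
        if (filename == null || filename.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        Matcher m = UNSAFE.matcher(filename);
        if (m.find()) {
            // Report the offending character by code point value rather than echoing it:
            // it may be unprintable or, as in the noncompliant example, an unpaired surrogate.
            int cp = filename.codePointAt(m.start());
            throw new IllegalArgumentException(
                String.format("unsafe character U+%04X at index %d", cp, m.start()));
        }
        // '.' is in the whitelist, so "." and ".." pass the regex; reject them explicitly
        // because they name directories rather than files (added check, not on the page).
        if (filename.equals(".") || filename.equals("..")) {
            throw new IllegalArgumentException("'.' and '..' are not file names");
        }
        return filename;
    }

    public static void main(String[] args) {
        // Constructed inputs; only the last name is accepted.
        String[] samples = {
            "A\uD8AB",           // unpaired UTF-16 surrogate, as in the noncompliant example
            "..",                // passes the regex, caught by the explicit check
            "sub/dir.txt",       // '/' is not in the whitelist, so separators never reach File
            "report\u0000.txt",  // embedded NUL
            "report_2024.txt"    // safe
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + require(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```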
Risk Assessment
Failing to use only a "safe" subset of ASCII can result in misinterpreted data.
...
MSC09-C. Character encoding - Use subset of ASCII for safety
MSC09-CPP. Character encoding - Use subset of ASCII for safety
ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/): Choice of filenames and other external identifiers [AJN]
CWE-116. Improper encoding or escaping of output
...
ISO 7-bit coded character set for information interchange
[Kuhn 2006] UTF-8 and Unicode FAQ for UNIX/Linux
[Wheeler 2003] Section 5.4, File Names
[VU#439395]
...