...
```java
import java.io.File;

public static void main(String[] args) {
  File f = new File("/tmp/" + args[1]);
  // Noncompliant: getAbsolutePath() only prepends the working directory to a
  // relative name. It leaves "." and ".." components and symbolic links
  // unresolved, so absPath can still name a file outside /tmp even though it
  // begins with "/tmp/".
  String absPath = f.getAbsolutePath();
}
```
...
```java
import java.io.File;
import java.io.IOException;

public static void main(String[] args) throws IOException {
  File f = new File("/tmp/" + args[1]);
  // Compliant: getCanonicalPath() resolves "." and ".." components and
  // symbolic links (and, on case-insensitive file systems, case), so any
  // validation performed on canonicalPath sees the file actually referenced.
  // It can throw IOException, which must be handled or declared.
  String canonicalPath = f.getCanonicalPath();
}
```
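The two snippets above stop at obtaining a path string; the point of the rule is what happens in the validation that follows. The program below is an added example (not code from the CERT page) that places the absolute-path and canonical-path checks side by side on a constructed temporary directory. The helper names `resolveInside` and `absolutePathPrefixCheck`, the sandbox layout (`base/ok.txt`, a `secret.txt` one level up, and a symbolic link from inside `base` to it) and the sample inputs are all assumptions made for the demonstration. It uses `Files.writeString`, so it needs Java 11 or later.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not part of the CERT page: validate a path only after
// canonicalizing it, and compare it against a canonicalized base directory.
public class CanonicalPathCheck {

    // Hypothetical helper: returns the canonical File for an untrusted name if
    // it lies inside baseDir, or null if it escapes. The trailing separator on
    // the base prevents "/tmp/base2" from matching the prefix "/tmp/base".
    static File resolveInside(File baseDir, String untrusted) throws IOException {
        String base = baseDir.getCanonicalPath() + File.separator;
        String canonical = new File(baseDir, untrusted).getCanonicalPath();
        if (!canonical.startsWith(base)) {
            return null;
        }
        return new File(canonical);
    }

    // The check the noncompliant snippet invites: getAbsolutePath() keeps ".."
    // components in place, so a prefix test on it accepts traversal.
    static boolean absolutePathPrefixCheck(File baseDir, String untrusted) {
        String base = baseDir.getAbsolutePath() + File.separator;
        return new File(baseDir, untrusted).getAbsolutePath().startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a base directory with one legitimate file, a
        // file outside it, and (where the platform allows) a symbolic link
        // from inside the base directory to the outside file.
        Path root = Files.createTempDirectory("canon-demo");
        Path base = Files.createDirectories(root.resolve("base"));
        Files.writeString(base.resolve("ok.txt"), "inside");
        Files.writeString(root.resolve("secret.txt"), "outside");
        try {
            Files.createSymbolicLink(base.resolve("link.txt"), root.resolve("secret.txt"));
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("(symbolic link not created: " + e.getMessage() + ")");
        }

        // Constructed inputs: one legitimate name, two traversal attempts and
        // the symlink, which looks harmless until it is resolved.
        String[] inputs = { "ok.txt", "../secret.txt", "sub/../../secret.txt", "link.txt" };
        File baseDir = base.toFile();
        for (String in : inputs) {
            File resolved = resolveInside(baseDir, in);
            System.out.printf("%-22s absolute-prefix check: %-5s  canonical check: %s%n",
                    in,
                    absolutePathPrefixCheck(baseDir, in),
                    resolved == null ? "rejected" : "accepted -> " + resolved);
        }
    }
}
```

Run it and the absolute-path prefix test reports `true` for every input, including `../secret.txt`, because the string `/…/base/../secret.txt` does begin with `/…/base/`; only the canonical comparison rejects the two traversal strings and the symbolic link. Note the remaining caveat: canonicalization describes the file system at the moment `getCanonicalPath()` runs, so an attacker who can replace a link between the check and the subsequent open can still redirect it. Where that matters, open the canonical `File` returned by the check rather than the original name, and restrict write access to the base directory.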
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C Secure Coding Standard as FIO02-C. Canonicalize path names originating from untrusted sources.
...
References
[API 06] method getCanonicalPath(): http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath()
[API 06] method getCanonicalFile(): http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalFile()
[Harold 99]
[MITRE 09] CWE ID 171 "Cleansing, Canonicalization, and Comparison Errors": http://cwe.mitre.org/data/definitions/171.html
[MITRE 09] CWE ID 647 "Use of Non-Canonical URL Paths for Authorization Decisions": http://cwe.mitre.org/data/definitions/647.html
...