According to the Java API [API 2006] for class java.io.File:

A path name, whether abstract or in string form, may be either absolute or relative. An absolute path name is complete in that no other information is required to locate the file that it denotes. A relative path name, in contrast, must be interpreted in terms of information taken from some other path name.

...

CVE-2008-5518 describes multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows that allow remote attackers to upload files to arbitrary directories.
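Because a relative path name is interpreted against another path name, a check on the raw string does not say where a file will be written. The following is an added example, not code from the original page or from Geronimo: it resolves a client-supplied upload name against a base directory, canonicalizes it, and only then validates it. The class name, method name, and sample file names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class UploadPathCheck {

    // Resolve clientName against baseDir and reject any name whose
    // canonical form falls outside baseDir.
    static File resolveInside(File baseDir, String clientName) throws IOException {
        File base = baseDir.getCanonicalFile();

        // Refuse absolute names outright instead of relying on how
        // File(parent, child) converts them on the current platform.
        if (new File(clientName).isAbsolute()) {
            throw new SecurityException("absolute path name rejected: " + clientName);
        }

        // Canonicalization collapses "." and ".." and resolves symbolic
        // links where the platform supports them.
        File target = new File(base, clientName).getCanonicalFile();

        // Compare whole path components, not string prefixes, so that
        // a sibling such as "uploads-old" does not pass as "uploads".
        if (!target.toPath().startsWith(base.toPath())) {
            throw new SecurityException("path escapes upload directory: " + clientName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary directory stands in for
        // the upload directory.
        File base = Files.createTempDirectory("uploads").toFile();
        String[] names = {
            "report.txt", "sub/../report.txt",
            "../outside.txt", "sub/../../outside.txt"
        };
        for (String name : names) {
            try {
                System.out.println("accepted: " + resolveInside(base, name));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The canonical form reflects the file system at the time of the check, so the returned File, not the original string, should be the one used for the write.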

Related Guidelines

...

This rule is applicable in principle to Android. Please refer to the Android-specific instance of this rule: DRD08-J. Always canonicalize a URL received by a content provider.

Bibliography

 

...
