...
This compliant solution uses the getCanonicalPath() method, introduced in Java 2, because it resolves all aliases, shortcuts, and symbolic links consistently across all platforms. The value of the alias (if any) is not included in the returned value. Moreover, relative references such as the double period (..) are removed, so the input is reduced to a canonical form before validation is carried out. An attacker cannot use ../ sequences to break out of the specified directory when the validate() method is present.
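As an added illustration (not the page's compliant solution and not its validate() method), the following Java code canonicalizes a user-supplied file name with getCanonicalPath() and then checks that the result still lies under an assumed base directory; the class name, the isUnderBase() method and the /var/app/data directory are assumptions.

```java
import java.io.File;
import java.io.IOException;

/*
 * Added example: canonicalize first, then validate. getCanonicalPath()
 * resolves ".", "..", symbolic links and aliases, so the containment
 * check below runs against the path the file system will actually use.
 */
public class CanonicalPathCheck {

    // Directory the application is allowed to serve files from (assumed).
    private static final File BASE_DIR = new File("/var/app/data");

    /**
     * Returns true only if the canonical form of BASE_DIR/userInput is
     * BASE_DIR itself or starts with BASE_DIR followed by a separator.
     */
    public static boolean isUnderBase(String userInput) throws IOException {
        File candidate = new File(BASE_DIR, userInput);
        String canonicalBase = BASE_DIR.getCanonicalPath();
        String canonicalFile = candidate.getCanonicalPath();
        // Append the separator so that a sibling such as /var/app/data2
        // is not accepted merely because its prefix matches /var/app/data.
        return canonicalFile.equals(canonicalBase)
            || canonicalFile.startsWith(canonicalBase + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs covering the cases the text describes.
        String[] inputs = {
            "report.txt",          // plain name: accepted
            "sub/../report.txt",   // ".." collapsed to report.txt: accepted
            "../../etc/passwd",    // canonicalizes outside BASE_DIR: rejected
            "../data2/secret.txt"  // sibling directory with same prefix: rejected
        };
        for (String in : inputs) {
            System.out.println(in + " -> " + (isUnderBase(in) ? "accepted" : "rejected"));
        }
    }
}
```

The last input shows why the separator is appended before the prefix comparison: without it, a canonical path such as /var/app/data2/secret.txt would pass a plain startsWith check against /var/app/data.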
...
...