File and path names containing particular characters or character sequences can cause problems when used in the construction of a file or path name:
- Leading dashes: Leading
According to C99, Section 5.2.1, "Character sets"
Two sets of characters and their associated collating sequences shall be defined: the set in which source files are written (the source character set), and the set interpreted in the execution environment (the execution character set). Each set is further divided into a basic character set, whose contents are given by this subclause, and a set of zero or more locale-specific members (which are not members of the basic character set) called extended characters. The combined set is also called the extended character set. The values of the members of the execution character set are implementation-defined.
Wiki Markup |
---|
There are several national variants of ASCII. As a result, the original ASCII is often referred as US-ASCII. ISO/IEC 646-1991 defines a character set, similar to US-ASCII, but with code positions corresponding to US-ASCII characters {{@\[\]\{\|\}}} as _national use positions_ \[[ISO/IEC 646-1991|AA. Bibliography#ISO/IEC 646-1991]\]. It also gives some liberties with the characters {{\#$^`\~}}. In ISO 646, several national variants of ASCII have been defined, assigning different letters and symbols to the national use positions. Consequently, the characters that appear in those positions, including those in US-ASCII, are less portable in international data transfer. Consequently, due to the national variants, some characters are less portable than othersâthey might be transferred or interpreted incorrectly. |
In addition to the letters of the English alphabet ("A" through "Z" and "a" through "z"), the digits ("0" through "9"), and the space, only the following characters are portable:
No Format |
---|
% & + , - . : = _
|
When naming files, variables, and other objects, only these characters should be considered for use. This recommendation is related to recommendation STR02-C. Sanitize data passed to complex subsystems.
File Names
File names containing particular characters can be troublesome and can cause unexpected behavior leading to potential vulnerabilities. If a program allows the user to specify a file name in the creation or renaming of a file, certain checks should be made to disallow the following characters and patterns:
- Leading dashesâ”Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
- Control characters, such as newlines, carriage returns, and escapeâ”Control escape: Control characters in a file name can cause unexpected results from shell scripts and in logging.
- Spacesâ”Spaces Spaces: Spaces can cause problems with scripts and when double quotes aren't are not used to surround the file name.
- Invalid character encodingsâ”Character encodings can be a huge issueencodings: Character encodings can make it difficult to perform proper validation of file and path names. (See guideline MSC10IDS11-C. Character Encoding - UTF8 Related Issues.)J. Perform any string modifications before validation).
- Namespace prefixing and conventions: Namespace prefixes Any characters other than letters, numbers, and punctuation designated here as portableâ”Other special characters are included in this recommendation because they are commonly used as separators and having them in a file name can cause unexpected and potentially insecure behavior when included in a path name.
Also, many of the punctuation characters aren't unconditionally safe for file names even of they are portably available.
Most of these characters or patterns are primarily a problem to scripts or automated parsing, but, because they are not commonly used, it is best to disallow their use to reduce potential problems. Interoperability concerns also exist because different operating systems handle file names of this sort in different ways.
Wiki Markup |
---|
As a result of the influence of MS-DOS, file names of the form {{xxxxxxxx.xxx}}, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive; while on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues \[[VU#439395|AA. Bibliography#VU439395]\]. |
Noncompliant Code Example: File Name
- Command interpreters, scripts, and parsers: Characters that have special meaning when processed by a command interpreter, shell, or parser.
As a result of the influence of MS-DOS, 8.3 file names of the form xxxxxxxx.xxx
, where x
denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive, and on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues [VU#439395]. Developers should generate file and path names using a safe subset of ASCII characters and, for security critical applications, only accept names that use these characters.
Noncompliant Code Example
In the following noncompliant code exampleIn the following noncompliant code, unsafe characters are used as part of a file name.
Code Block | ||
---|---|---|
| ||
#include <fcntl.h>
#include <sys/stat.h>
int main(void) {
char *file_name = "»£???«";
mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, mode);
if (fd == -1) {
/* Handle Error */
}
}
| ||
File f = new File("A\uD8AB");
OutputStream out = new FileOutputStream(f);
|
A platform An implementation is free to define its own mapping of the non-"safe" unsafe characters. For example, when tested on a Red Hat an Ubuntu Linux distribution, this noncompliant code example resulted in the following file name:
Code Block |
---|
??????A? |
Compliant Solution
...
Use a descriptive file name, containing only the subset of ASCII previously described.
Code Block | ||
---|---|---|
| ||
#include <fcntl.h> #include <sys/stat.h> int main(void) { char *file_name = File f = new File("name.ext"); mode_t modeOutputStream out = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, mode); new FileOutputStream(f); |
Noncompliant Code Example
This noncompliant code example creates a file with input from the user without sanitizing the input.
Code Block | ||
---|---|---|
| ||
public static void main(String[] args) throws Exception { if (fd == -args.length < 1) { //* Handle error Error */ } } |
Noncompliant Code Example (File Name)
This noncompliant code example is derived from rule FIO30-C. Exclude user input from format strings, except that a newline is removed on the assumption that fgets()
will include it.
Code Block | ||
---|---|---|
| ||
char myFilename[1000]; const char elimNewLn[] = "\n"; fgets(myFilename, sizeof(myFilename)-1, stdin); myFilename[sizeof(myFilename)-1] = '\0'; myFilename[strcspn(myFilename, elimNewLn)] = '\0';} File f = new File(args[0]); OutputStream out = new FileOutputStream(f); // ... } |
No checks are performed on the file name to prevent troublesome characters. If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, they the attacker could choose particular characters in the output file name to confuse the later process for malicious purposes.
Compliant Solution
...
This compliant solution uses a whitelist to reject file names containing unsafe characters. Further input validation may be necessary, for example, to ensure that a file or directory name does not end with a periodIn this compliant solution, the program rejects file names that violate the guidelines for selecting safe characters.
Code Block | ||
---|---|---|
| ||
char myFilename[1000];
const char elimNewln[] = "\n";
const char badChars[] = "-\n\r ,;'\\<\"";
do {
fgets(myFilename, sizeof(myFilename)-1, stdin);
myFilename[sizeof(myFilename)-1] ='\0';
myFilename[strcspn(myFilename, elimNewln)]='\0';
} while ( (strcspn(myFilename, badChars))
< (strlen(myFilename)));
| ||
public static void main(String[] args) throws Exception {
if (args.length < 1) {
// Handle error
}
String filename = args[0];
Pattern pattern = Pattern.compile("[^A-Za-z0-9._]");
Matcher matcher = pattern.matcher(filename);
if (matcher.find()) {
// File name contains bad chars; handle error
}
File f = new File(filename);
OutputStream out = new FileOutputStream(f);
// ...
}
|
Exceptions
FIO99-J-EX0: A program may accept a file or path name that uses "unsafe" characters provided that the developer has determined that the file is not used in a restricted sink such as a command interpreter, shell, parser,logger, or other complex subsystem that attaches a particular meaning to these Similarly, you must validate all file names originating from untrusted sources to ensure they contain only safe characters.
Risk Assessment
Failing to use only the a safe subset of ASCII that is guaranteed to work can result in misinterpreted data.
Recommendation Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS15IDS05-C J | medium | unlikely | medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) |
Related Guidelines
...
...
...
...
...
...
...
...
...
...
...
ISO/IEC 9899:1999 Section 5.2.1, "Character sets"
...
Choice of Filenames and |
...
MISRA Rule 3.2, "The character set and the corresponding encoding shall be documented," and Rule 4.1, "Only those escape sequences that are defined in the ISO C standard shall be used"
...
...
Improper |
...
encoding or |
...
escaping of |
...
output |
Bibliography
Wiki Markup |
---|
\[[Kuhn 2006|AA. Bibliography#Kuhn 06]\] UTF-8 and Unicode FAQ for UNIX/Linux
\[[Wheeler 2003|AA. Bibliography#Wheeler03]\] 5.4 File Names
\[[VU#881872|AA. Bibliography#VU881872]\] |
ISO 7-Bit Coded Character Set for Information Interchange | |
UTF-8 and Unicode FAQ for UNIX/Linux | |
5.4, "File Names" | |
[VU#439395] |
...
IDS01-J. Sanitize data passed across a trust boundary 13. Input Validation and Data Sanitization (IDS) IDS03-J. Sanitize non-character code points before performing other sanitization