Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: AD TCF

File names and path names containing particular characters can be troublesome and can cause unexpected behavior leading to potential vulnerabilities. If a program allows the user to specify a file name in the creation or renaming of a file, certain checks should be made to disallow the following characters and patterns:or character sequences can cause problems when used in the construction of a file or path name:

  • Leading dashes: Leading Leading dashes—Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
  • Control characters, such as newlines, carriage returns, and escape—Control escape: Control characters in a file name can cause unexpected results from shell scripts and in logging.
  • Spaces—Spaces Spaces: Spaces can cause problems with scripts and when double quotes aren't are not used to surround the file name.
  • Invalid character encodings — : Character encodings can be a huge issuemake it difficult to perform proper validation of file and path names. (See guideline IDS03IDS11-J. Sanitize non-character code points before performing other sanitization.)Perform any string modifications before validation).
  • Namespace prefixing and conventions: Namespace prefixes Any characters other than letters, numbers, and punctuation designated here as portable — Other special characters are included in this recommendation because they are commonly used as separators and having them in a file name can cause unexpected and potentially insecure behavior when included in a path name.

Also, many of the punctuation characters aren't unconditionally safe for file names even if they are portably available.

These characters or patterns are primarily a problem to scripts and automated parsing, but because they are not commonly used, it is best to disallow their use to reduce potential problems. Interoperability concerns also exist because different operating systems handle file names of this sort in different ways.

Wiki Markup
As a result of the influence of MS-DOS, file names of the form {{xxxxxxxx.xxx}}, where x denotes an alphanumeric character, are generally supported by modern systems.  On some platforms, file names are case sensitive; while on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues \[[VU#439395|AA. Bibliography#VU439395]\].

In addition to the letters of the English alphabet ("A" through "Z" and "a" through "z"), the digits ("0" through "9"), and the space, only the following characters are portable:

No Format

% & + , - . : = _
  • Command interpreters, scripts, and parsers: Characters that have special meaning when processed by a command interpreter, shell, or parser.

As a result of the influence of MS-DOS, 8.3 file names of the form xxxxxxxx.xxx, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive, and on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case sensitivity issues [VU#439395].  Developers should generate file and path names using a safe subset of ASCII characters and, for security critical applications, only accept names that use these charactersOnly these characters should be considered for use in file and path names. This is an instance of guideline IDS01-J. Sanitize data passed across a trust boundary.

Noncompliant Code Example

In the following noncompliant code example, unsafe characters are used as part of a file name.

Code Block
bgColor#ffcccc

File f = new File("A\uD8AB");
OutputStream out = new FileOutputStream(f);

An implementation A platform is free to define its own mapping of the non-"safe" unsafe characters. For example, when tested on an Ubuntu Linux distribution, this noncompliant code example resulted in the following file name:

Code Block

A?

Compliant Solution

Use a descriptive file name, containing only the subset of ASCII previously described.

Code Block
bgColor#ccccff

File f = new File("name.ext");
OutputStream out = new FileOutputStream(f);

Noncompliant Code Example

This noncompliant code example creates a file with input from the user without sanitizing itthe input.

Code Block
bgColor#FFCCCC

public static void main(String[] args) throws Exception {
  if (args.length < 1) {
    // handleHandle error
  }
  File f = new File(args[0]);
  OutputStream out = new FileOutputStream(f);
  // ...
}

No checks are performed on the file name to prevent troublesome characters. If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, they the attacker could choose particular characters in the output file name to confuse the later process for malicious purposes.

Compliant Solution

In this compliant solution, the program This compliant solution  uses a whitelist to reject file names containing unsafe file namescharacters.  Further input validation may be necessary, for example, to ensure that a file or directory name does not end with a period.

Code Block
bgColor#ccccFF

public static void main(String[] args) throws Exception {
  if (args.length < 1) {
    // handleHandle error
  }
  String filename = args[0];

  Pattern pattern = Pattern.compile("[A^A-Za-z0-9%&+,.:=9._]");
  Matcher matcher = pattern.matcher(filename);
  if (matcher.find()) {
    // File filenamename contains bad chars,; handle error
  }
  File f = new File(filename);
  OutputStream out = new FileOutputStream(f);
  // ...
}

 

Exceptions

FIO99-J-EX0: A program may accept a file or path name that uses "unsafe" characters provided that the developer has determined that the file is not used in a restricted sink such as a command interpreter, shell, parser,logger, or other complex subsystem that attaches a particular meaning to these Similarly, all file names originating from untrusted sources must be sanitized to ensure they contain only safe characters.

Risk Assessment

Failing to use only the a safe subset of ASCII that is guaranteed to work can result in misinterpreted data.

Recommendation Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS15IDS05-C J

medium

unlikely

medium

P4

L3

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)

Related Guidelines

...

...

...

...

...

...

...

...

...

...

...

ISO/IEC 9899:1999 Section 5.2.1, "Character sets"

...

MISRA Rule 3.2, "The character set and the corresponding encoding shall be documented," and Rule 4.1, "Only those escape sequences that are defined in the ISO C standard shall be used"

...

Choice of Filenames and

...

Other External Identifiers [AJN]

MITRE CWE

...

Improper

...

encoding or

...

escaping of

...

output

Bibliography

Wiki Markup
\[[Kuhn 2006|AA. Bibliography#Kuhn 06]\] UTF-8 and Unicode FAQ for UNIX/Linux
\[[Wheeler 2003|AA. Bibliography#Wheeler03]\] 5.4 File Names
\[[VU#881872|AA. Bibliography#VU881872]\]

ISO/IEC 646-1991

ISO 7-Bit Coded Character Set for Information Interchange

[Kuhn 2006]

UTF-8 and Unicode FAQ for UNIX/Linux

[Wheeler 2003]

5.4, "File Names"

[VU#439395] 

 

...

Image Added Image Added Image AddedIDS14-J. Perform lossless conversion of String data between differing character encodings      Image Removed      IDS16-J. Do not locale-dependent methods on locale-sensitive data without specifying the appropriate locale