CWE-797 仅在一个绝对路径位置过滤特殊元素

Only Filtering Special Elements at an Absolute Position

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing remaining special elements that may exist before sending it to a downstream component.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 795 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 795 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

范围 影响 注释
Integrity Unexpected State

示例代码

The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.

bad Perl

my $Username = GetUntrustedInput();
if (substr($Username, 0, 3) eq '../') {
$Username = substr($Username, 3);
}
my $filename = "/home/user/" . $Username;
ReadAndSendFile($filename);

Since the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as:

attack

../../../etc/passwd

will have the first "../" filtered, resulting in:

result

../../etc/passwd

This value is then concatenated with the /home/user/ directory:

result

/home/user/../../etc/passwd

which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22).