CWE-793 仅过滤一个特殊元素的单一实例

Only Filtering One Instance of a Special Element

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.

扩展描述

Incomplete filtering of this nature may be location-dependent, as in only the first or last element is filtered.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 792 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 792 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

范围 影响 注释
Integrity Unexpected State

示例代码

The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.

bad Perl

my $Username = GetUntrustedInput();
$Username =~ s/..\///;
my $filename = "/home/user/" . $Username;
ReadAndSendFile($filename);

Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as:

attack

../../../etc/passwd

will have the first "../" stripped, resulting in:

result

../../etc/passwd

This value is then concatenated with the /home/user/ directory:

result

/home/user/../../etc/passwd

which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).