Improper Resolution of Path Equivalence
Weakness ID: 41 (Weakness Base) | Status: Incomplete
Description Summary
Extended Description
Path equivalence is usually employed to circumvent access controls that are expressed using an incomplete set of file name or file path representations: the attacker supplies a spelling of the name that the control does not list but that the file system resolves to the same object. This differs from path traversal, in which the manipulations generate a name for a different object.
Phase: Architecture and Design
Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Input that is not appropriate for a file name or path should not be used to construct one.
Use and specify a strong output encoding (such as ISO 8859-1 or UTF-8).
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many ways to encode a character or to spell a path; a blacklist is likely to miss some variants.
Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice: a second decoding pass after validation can introduce dangerous characters (such as a path separator or "..") that the whitelist check never saw, which bypasses the scheme.
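The following Python program is an added example and is not part of the CWE entry. It illustrates both the extended description (several string spellings naming one object, bypassing a control written over raw strings) and the canonicalize-then-validate and decode-once mitigations above. The directory layout, the policy "serve only files under public/", the denylist and the function names (`vulnerable_is_allowed`, `hardened_is_allowed`, `double_decode_bug`) are all constructed for the example. Only POSIX-portable equivalence variants are used; the Windows-only trailing-dot and trailing-space variants (CWE-42, CWE-46) are deliberately omitted.

```python
"""CWE-41 demo: a denylist over raw strings vs. canonicalize-then-validate."""
import os
import shutil
import tempfile
from urllib.parse import unquote

# Constructed policy: only files under public/ may be served.
ALLOWED_SUBDIR = "public"

# Constructed denylist of *raw request strings*: the incomplete set of
# representations that CWE-41 warns about. Used only by the vulnerable check.
DENIED_RAW = {"private/secret.txt"}

# Spellings that differ as strings but resolve to the same object on a POSIX
# file system. Trailing-dot and trailing-space variants (CWE-42/46) are
# Windows-only and deliberately omitted so the demo behaves the same everywhere.
EQUIVALENT_SPELLINGS = [
    "private/secret.txt",
    "./private/secret.txt",          # CWE-55: '/./' single-dot directory
    "private//secret.txt",           # CWE-51: multiple internal slash
    "public/../private/secret.txt",  # CWE-57: fakedir/../realdir/filename
    "private%2Fsecret.txt",          # percent-encoded separator, decoded by the app
]


def make_tree() -> str:
    """Create a constructed web root with one public and one private file."""
    root = tempfile.mkdtemp(prefix="cwe41_")
    for sub, name, body in (("public", "index.html", "hello\n"),
                            ("private", "secret.txt", "top secret\n")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, name), "w") as fh:
            fh.write(body)
    return root


def vulnerable_is_allowed(user_path: str) -> bool:
    """Vulnerable: matches the raw string against the denylist, so every
    equivalent spelling of the denied object is accepted."""
    return user_path not in DENIED_RAW


def canonicalize(root: str, user_path: str) -> str:
    """Decode exactly once, then resolve '.', '..', duplicate slashes and
    symlinks relative to root. realpath() normalizes lexically even when the
    path does not exist, so the result is canonical before any open()."""
    decoded = unquote(user_path)  # single decoding pass
    return os.path.realpath(os.path.join(root, decoded))


def hardened_is_allowed(root: str, user_path: str) -> bool:
    """Hardened: canonicalize first, then apply an accept-known-good rule
    to the canonical form (it must lie under root/public)."""
    allowed_base = os.path.realpath(os.path.join(root, ALLOWED_SUBDIR))
    candidate = canonicalize(root, user_path)
    return os.path.commonpath([allowed_base, candidate]) == allowed_base


def double_decode_bug(root: str, user_path: str):
    """Validates the once-decoded form but decodes *again* before use. The
    second pass can turn '%2e%2e' into '..' after the check has passed.
    Returns the path that would be opened, or None if the check rejects it."""
    if not hardened_is_allowed(root, user_path):
        return None
    return os.path.realpath(os.path.join(root, unquote(unquote(user_path))))


def demo():
    """Returns (per-spelling results, public files still served, double-decode leak)."""
    root = make_tree()
    try:
        secret = os.path.realpath(os.path.join(root, "private", "secret.txt"))
        # Per spelling: (vulnerable check allows?, hardened allows?, same object as secret?)
        results = {s: (vulnerable_is_allowed(s),
                       hardened_is_allowed(root, s),
                       canonicalize(root, s) == secret)
                   for s in EQUIVALENT_SPELLINGS}
        public_ok = all(hardened_is_allowed(root, s) for s in
                        ("public/index.html", "public/./index.html", "public%2Findex.html"))
        # Check sees 'public/%2e%2e/private/...' (under public); use sees 'public/../private/...'
        leaked = double_decode_bug(root, "public/%252e%252e/private/secret.txt") == secret
        return results, public_ok, leaked
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    res, pub, leak = demo()
    for spelling, (vuln, hard, same) in res.items():
        print(f"{spelling!r:36} denylist allows={vuln!s:5} hardened allows={hard!s:5} same object={same}")
    print("public files still served:", pub)
    print("double-decode leaks secret:", leak)
```

Running it shows that only the literal spelling is stopped by the denylist, while every other spelling is accepted yet resolves to the same secret file; the hardened check rejects all of them and still serves the public file under any of its spellings. The double-decoding function demonstrates the last mitigation: the check is applied to a canonical form that no longer matches what is actually opened.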
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 21 | Pathname Traversal and Equivalence Errors | Development Concepts (primary) 699
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary) 631
ChildOf | Weakness Class | 706 | Use of Incorrectly-Resolved Name or Reference | Research Concepts (primary) 1000
ChildOf | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734
ParentOf | Weakness Variant | 42 | Path Equivalence: 'filename.' (Trailing Dot) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 44 | Path Equivalence: 'file.name' (Internal Dot) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 46 | Path Equivalence: 'filename ' (Trailing Space) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 47 | Path Equivalence: ' filename' (Leading Space) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 48 | Path Equivalence: 'file name' (Internal Whitespace) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 49 | Path Equivalence: 'filename/' (Trailing Slash) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 50 | Path Equivalence: '//multiple/leading/slash' | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 51 | Path Equivalence: '/multiple//internal/slash' | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 52 | Path Equivalence: '/multiple/trailing/slash//' | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 53 | Path Equivalence: '\multiple\\internal\backslash' | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 54 | Path Equivalence: 'filedir\' (Trailing Backslash) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 55 | Path Equivalence: '/./' (Single Dot Directory) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 56 | Path Equivalence: 'filedir*' (Wildcard) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 57 | Path Equivalence: 'fakedir/../realdir/filename' | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 58 | Path Equivalence: Windows 8.3 Filename | Development Concepts (primary) 699; Research Concepts (primary) 1000
CanFollow | Weakness Class | 20 | Improper Input Validation | Research Concepts 1000
CanFollow | Weakness Class | 73 | External Control of File Name or Path | Research Concepts 1000
CanFollow | Weakness Class | 172 | Encoding Error | Research Concepts 1000
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
PLOVER | | | Path Equivalence
CERT C Secure Coding | FIO02-C | | Canonicalize path names originating from untrusted sources
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
 | PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Summary
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes, Taxonomy Mappings, Type
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description
2008-11-24 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name
2009-07-27 | CWE Content Team | MITRE | Internal | updated Potential Mitigations
Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-04-11 | Path Equivalence
2009-05-27 | Failure to Resolve Path Equivalence