CWE-76 等价特殊元素的转义处理不恰当

Improper Neutralization of Equivalent Special Elements

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: High

基本描述

The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

扩展描述

The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the software might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 75 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 75 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Other	Other

可能的缓解方案

Requirements

策略:

Programming languages and supporting technologies might be chosen which are not subject to these issues.

Implementation

策略:

Utilize an appropriate mix of whitelist and blacklist parsing to filter equivalent special element syntax from all input.

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Equivalent Special Element Injection

文章来源于互联网:scap中文网