Writing Secure Code by Michael Howard and David LeBlanc


Chapter 11. Canonical Representation Issues

If I had the luxury of writing just one sentence for this chapter, it would simply be, "Do not make any security decision based on the name of a resource, especially a filename." Why? If you don’t know, I suggest you reread the previous chapter. As Gertrude Stein once said, "A rose is a rose is a rose." Or is it? What if the word rose was determined by an untrusted user? Is a ROSE the same as a roze or a ro$e or a r0se or even a r%6fse? Are they all the same thing? The answer is both yes and no. Yes, they are all references to a rose, but syntactically they are different, which can lead to security issues in your applications. By the way, %6f is the hexadecimal equivalent of the ASCII value for the letter ...
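The following is an added example, not code from the book, showing why the chapter's warning matters: a check that compares the raw, user-supplied name against a deny-list is bypassed by an encoded or differently spelled variant of the same name, while a check that first reduces the name to a single canonical form is not. The deny-list, the `canonicalize` helper and the variant strings are all constructed for illustration (`%6f` is the hex code for the letter "o", so `r%6fse` decodes to `rose`; `%256f` is that same byte percent-encoded twice). Genuinely different names such as `roze` or `r0se` must stay different after canonicalization, and the example checks that too.

```python
"""Naive name comparison versus comparison after canonicalization.

Added example; the deny-list and inputs are constructed, not taken from
any real system.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical policy: the resource named "rose" must not be accessible.
DENIED = {"rose"}


def naive_is_denied(name: str) -> bool:
    """Decides on the name exactly as the untrusted caller supplied it."""
    return name in DENIED


def canonicalize(name: str, max_rounds: int = 5) -> str:
    """Reduce a user-supplied resource name to one canonical form.

    - Percent-decode repeatedly until the string stops changing, so a
      double-encoded byte (%256f -> %6f -> o) is fully decoded.
    - Case-fold, since the underlying store is assumed case-insensitive.
    - Collapse path syntax such as "./rose" or "sub/../rose".

    Raises ValueError if decoding never stabilises within max_rounds,
    which is treated as hostile input rather than silently accepted.
    """
    current = name
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError(f"name did not stabilise after {max_rounds} decode rounds")
    current = current.casefold()
    return posixpath.normpath(current)


def safe_is_denied(name: str) -> bool:
    """Decides on the canonical form, never on the raw string."""
    return canonicalize(name) in DENIED


def compare_checks(names):
    """Return {name: (naive_result, canonical_result)} for each input."""
    return {n: (naive_is_denied(n), safe_is_denied(n)) for n in names}


if __name__ == "__main__":
    # Constructed inputs: the first six all refer to "rose"; the last
    # three are genuinely different names and must stay allowed.
    samples = ["rose", "ROSE", "r%6fse", "r%256fse", "./rose", "sub/../rose",
               "roze", "ro$e", "r0se"]
    for name, (naive, safe) in compare_checks(samples).items():
        print(f"{name!r:14} naive={naive!s:5} canonical={safe}")
```

The naive check blocks only the literal string `rose`; every other spelling of the same resource slips through. The canonical check catches the case, percent-encoding and path-syntax variants while still letting `roze`, `ro$e` and `r0se` through, because those are different names. Note that this helper only models the transformations shown here; a real file system may apply others (short names, trailing dots and spaces, alternate data streams, Unicode normalization), which is exactly why the chapter's first sentence advises not making the security decision on the name at all where that can be avoided.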
