CWE-26: Path Traversal: '/dir/../filename'

Variant Draft Simple

CWE版本: 4.18

更新日期: 2025-09-09

弱点描述

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" sequences that can resolve to a location that is outside of that directory.

常见后果

影响范围: Confidentiality Integrity

技术影响: Read Files or Directories Modify Files or Directories

潜在缓解措施

阶段: Implementation

策略: Input Validation

阶段: Implementation

策略: Input Validation

描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

引入模式

阶段	说明
Implementation	-

适用平台

编程语言

Not Language-Specific (Undetermined)

技术

Web Server (Often)

分类映射

分类名称	条目ID	条目名称	映射适配度
PLOVER	-	'/directory/../filename	-
Software Fault Patterns	SFP16	Path Traversal	-

关键信息

CWE ID: CWE-26

抽象级别: Variant

结构: Simple

状态: Draft