Secure coding: Difference between revisions

added citation
Move Secure Coding elements from the Secure_by_design page.
}
</syntaxhighlight>
 
== Path Traversal prevention ==
Path traversal (also called directory traversal) is a vulnerability whereby a path supplied by an untrusted source is interpreted in such a way that files outside the intended directory can be read or written. The usual cause is joining the untrusted value onto a base directory without canonicalising the result or checking that it still lies beneath that base; sequences such as <code>../</code>, absolute paths and symbolic links are the common ways out.
 
For example, consider a script that fetches an article by taking a filename, reading that file and [[Parse|parsing]] it. Such a script might use the following hypothetical URL to retrieve an article about [[dog food]]:
<nowiki>http://www.example.net/cgi-bin/article.sh?name=dogfood.html</nowiki>
If the script performs no input validation and simply trusts that the filename always names an article, a [[malicious user]] could forge a URL that walks up the directory tree and retrieves configuration files from the web server:
<nowiki>http://www.example.net/cgi-bin/article.sh?name=../../../../../etc/passwd</nowiki>
Depending on the script, this may expose the [[Passwd#Password file|/etc/passwd]] file, which on [[Unix-like]] systems contains (among others) [[User identifier (Unix)|user IDs]], their [[Username|login names]], [[home directory]] paths and [[Operating system shell|shells]]. On most modern systems the password hashes themselves live in <code>/etc/shadow</code>, but the same technique reaches any file the web server process is permitted to read, including application source and credentials. (See [[SQL injection]] for a similar class of attack, in which untrusted input is likewise interpreted as part of a command.)
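The following is an added illustration of the defence, not code from the article or from any real <code>article.sh</code>: it puts the vulnerable "join and trust" lookup next to a hardened version that canonicalises the path with <code>os.path.realpath</code> and then checks, component-wise, that the result is still beneath the article directory. The directory layout, file contents and the names <code>ARTICLE_ROOT</code>, <code>fetch_article</code> and <code>run_demo</code> are assumptions made for the demonstration; the file <code>secret.txt</code> stands in for <code>/etc/passwd</code> so the example runs anywhere.

```python
"""Added example: resolving a user-supplied article name without path traversal.

Assumptions (not from the article): articles live under one fixed directory,
and the `name` parameter plays the role of the `name=` query parameter in the
hypothetical article.sh script. The directory tree is constructed on the fly.
"""
from __future__ import annotations

import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested name would escape the article directory."""


def unsafe_article_path(root: str, name: str) -> str:
    """The vulnerable pattern: join the request to the root and trust it.

    '../secret.txt' walks out of `root`, and an absolute name replaces
    `root` entirely because os.path.join discards the earlier components.
    """
    return os.path.join(root, name)


def safe_article_path(root: str, name: str) -> str:
    """Resolve `name` to a file inside `root`, or raise PathTraversalError.

    Reject obviously hostile input first, then canonicalise both the root
    and the candidate (realpath collapses '..' and follows symlinks) and
    require the candidate to sit beneath the root.
    """
    if not name or "\x00" in name or os.path.isabs(name):
        raise PathTraversalError(f"rejected name: {name!r}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, name))
    # commonpath compares whole path components, so '/srv/articles-old' is
    # not mistaken for a child of '/srv/articles' the way startswith would.
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathTraversalError(f"escapes article root: {name!r}")
    return candidate


def fetch_article(root: str, name: str) -> str:
    """Read an article by name using the hardened path resolution."""
    with open(safe_article_path(root, name), encoding="utf-8") as fh:
        return fh.read()


def build_demo_tree() -> tuple[str, str]:
    """Create the constructed layout used by run_demo(); returns (site, articles).

    site/secret.txt             stands in for /etc/passwd (outside the root)
    site/articles/dogfood.html  the legitimate article
    site/articles/link.html     symlink to ../secret.txt, where symlinks work
    """
    site = tempfile.mkdtemp(prefix="traversal-demo-")
    articles = os.path.join(site, "articles")
    os.mkdir(articles)
    with open(os.path.join(site, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
    with open(os.path.join(articles, "dogfood.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>Dog food</h1>\n")
    try:
        os.symlink(os.path.join(site, "secret.txt"), os.path.join(articles, "link.html"))
    except (OSError, NotImplementedError):
        pass  # no symlink support (e.g. unprivileged Windows); that case is skipped
    return site, articles


def run_demo() -> dict:
    """Exercise both lookups against legitimate and hostile names."""
    site, articles = build_demo_tree()
    results = {}
    try:
        results["legit"] = fetch_article(articles, "dogfood.html")
        # The vulnerable join happily reads the file outside the root.
        with open(unsafe_article_path(articles, "../secret.txt"), encoding="utf-8") as fh:
            results["unsafe_leak"] = fh.read()
        probes = {
            "dotdot": "../secret.txt",
            "etc_passwd": "../../../../../etc/passwd",
            "absolute": os.path.join(site, "secret.txt"),
            "symlink": "link.html",
        }
        for label, name in probes.items():
            try:
                fetch_article(articles, name)
                results[label] = "ALLOWED"
            except PathTraversalError:
                results[label] = "blocked"
            except FileNotFoundError:
                results[label] = "missing"  # symlink could not be created
    finally:
        shutil.rmtree(site, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:12s} {outcome!r}")
```

The symlink case is the one a plain string check on <code>name</code> would miss: <code>link.html</code> contains no <code>..</code> at all, yet <code>realpath</code> resolves it to a file outside the root, and the <code>commonpath</code> comparison rejects it. The early rejection of absolute names and NUL bytes is defence in depth; the canonicalised comparison is the check that actually decides.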
 
== See also ==