Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-790: Improper Filtering of Special Elements

Improper Filtering of Special Elements
Weakness ID: 790 (Weakness Class)Status: Incomplete
+ Description

Description Summary

The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.
+ Common Consequences

Technical Impact: Unexpected state

+ Demonstrative Examples

Example 1

The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.

(Bad Code)
Example Language: Perl 
my $Username = GetUntrustedInput();
$Username =~ s/\.\.\///;
my $filename = "/home/user/" . $Username;

Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as:


will have the first "../" stripped, resulting in:


This value is then concatenated with the /home/user/ directory:


which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class138Improper Neutralization of Special Elements
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base791Incomplete Filtering of Special Elements
Research Concepts (primary)1000
+ Content History
Submission DateSubmitterOrganizationSource
2009-12-04MITREInternal CWE Team
Modification DateModifierOrganizationSource
2010-02-16CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
Page Last Updated: July 30, 2014