The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.
Incomplete filtering of this nature may be location-dependent, as in only the first or last element is filtered.
The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
Example Language: Perl
my $Username = GetUntrustedInput();
$Username =~ s/\.\.\///;
my $filename = "/home/user/" . $Username;
Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as:
will have the first "../" stripped, resulting in:
This value is then concatenated with the /home/user/ directory:
which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).
More information is available — Please select a different filter.