Chapter 8
Canonical Representation Issues
If I had the luxury of writing just one sentence for this chapter, it would simply be, "Do not make any security decision based on the name of a resource, such as a filename." However, one-sentence chapters don't sell books! As Gertrude Stein once said, "A rose is a rose is a rose." Or is it? What about a ROSE or a roze or a ro$e or a r0se or even a r%6fse? Are they all the same thing? The answer is both yes and no. Yes, they are all references to a rose, but syntactically they are different, which can lead to security issues in your applications. By the way, %6f is the hexadecimal equivalent of the ASCII value for the letter o.
Why can these different roses cause security problems? In short, if your application makes security decisions based on the name of a resource, such as a file, chances are good that the application will make a poor decision because often more than one valid way to represent the object name exists.
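The following Python program is an added illustration and is not code from the book. It shows the failure the paragraph above describes and the two ways out of it: a name-based denylist that is bypassed by the %6f spelling and by a change of case, the same check applied only after the name has been reduced to one canonical form, and, better still, a check that ignores the name altogether and decides on where the resolved path actually lands. The function names (`naive_is_denied`, `canonicalize_name`, `resolve_under`), the denylist, and the aliases are constructed for the example; the case-folding step assumes a case-insensitive filesystem such as NTFS, which is why it is a parameter.

```python
import os
import unicodedata
import urllib.parse

# Constructed denylist: the application intends to refuse a file named "rose".
DENIED_NAMES = {"rose"}


def naive_is_denied(requested: str) -> bool:
    """The pattern the chapter warns against: compare the raw client-supplied
    name. "ROSE" and "r%6fse" name the same file yet sail past this check."""
    return requested in DENIED_NAMES


def canonicalize_name(requested: str, case_insensitive: bool = True) -> str:
    """Reduce the many spellings of one name to a single form.

    1. Percent-decode until the string stops changing, so that a
       double-encoded "r%256fse" -> "r%6fse" -> "rose" is caught too.
       The loop is bounded: pathological nesting is rejected, not resolved.
    2. Apply Unicode NFKC so compatibility forms (fullwidth letters and the
       like) collapse to their ASCII equivalents.
    3. Case-fold only when the target filesystem ignores case (assumption:
       NTFS-style behaviour; on a case-sensitive filesystem "ROSE" really is
       a different file and must not be folded).
    """
    name = requested
    for _ in range(8):
        decoded = urllib.parse.unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    name = unicodedata.normalize("NFKC", name)
    if case_insensitive:
        name = name.casefold()
    return name


def is_denied_after_canonicalization(requested: str) -> bool:
    """Same denylist, but the decision is made on the canonical form."""
    return canonicalize_name(requested) in DENIED_NAMES


def resolve_under(base_dir: str, requested: str) -> str:
    """The approach the chapter recommends: do not decide on the name at all.
    Resolve the path the operating system will actually open and allow it
    only if it stays inside base_dir. Raises PermissionError otherwise."""
    name = canonicalize_name(requested, case_insensitive=False)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{requested!r} resolves outside {base_dir!r}")
    return candidate


if __name__ == "__main__":
    # Constructed aliases for "rose": upper case, %6f (hex ASCII 'o'),
    # a double-encoded %6f, %73 (hex ASCII 's'), and fullwidth letters.
    for alias in ["rose", "ROSE", "r%6fse", "r%256fse", "ro%73e", "ｒｏｓｅ"]:
        print(f"{alias:10} naive={naive_is_denied(alias)!s:5} "
              f"canonical={is_denied_after_canonicalization(alias)}")
```

Only the first alias is refused by `naive_is_denied`; every one of them is refused once the name is canonicalized. Even so, the denylist is the weaker design: it only recognizes spellings someone thought of in advance, whereas `resolve_under` lets the operating system do the resolving and then asks a single question about the result.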
In this chapter, I'll discuss the meaning of canonical, and in the interest of learning from the industry's past collective mistakes, I'll discuss some canonicalization bugs, especially some coding mistakes specific to Microsoft Windows. Finally, I'll show examples of mitigating canonicalization bugs.
Specific Web-based canonicalization errors are covered in Chapter 12, Securing Web-Based Services.