Page History

...

There are several national variants of ASCII. As a result, the original ASCII is often called US-ASCII. ISO/IEC 646-1991 defines a character set, similar to US-ASCII, but with code positions corresponding to US-ASCII characters @[]{|} as national use positions [ISO/IEC 646-1991]. It also gives some liberties with the characters #$^`~. In particular characters (e.g., #$^`~).  In ISO/IEC 646-1991, several national variants of ASCII are defined, assigning different letters and symbols to the national use positions. Consequently, the characters that appear in those positions, including those in US-ASCII, are less portable in international data transfer. Because of the national variants, some characters are less portable than others: they might be transferred or interpreted incorrectly.

...

#include <fcntl.h>
#include <sys/stat.h>

int main(void) {
   char *file_name = "&#xBB;&#xA3;???&#xAB;\xe5ngstr\xf6m";
   mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;

   int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, mode);
   if (fd == -1) {
      /* Handle error */
   }
}

An implementation is free to define its own mapping of the "nonsafe" characters. For example, when tested run on a Red Hat Enterprise Linux distribution7.5, this noncompliant code example resulted in the following file name being revealed by the ls command:

?ngstr?????m

Compliant Solution (File Name 1)

...

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...