Page Information

Title:	FIO02-C. Canonicalize path names originating from tainted sources
Author:	Jeffrey Gennari	Aug 22, 2006
Last Changed by:	David Svoboda	Aug 21, 2025
Tiny Link: (useful for email)	https://wiki.sei.cmu.edu/confluence/x/DtcxBQ
Export As:	Word · PDF

SEI CERT Oracle Coding Standard for Java (1)     Page: FIO16-J. Canonicalize path names before validating them

SEI CERT Perl Coding Standard (1)     Page: IDS00-PL. Canonicalize path names before validating them

Android (1)     Page: Unknown Applicability (C Rules/Recomendations)

SEI CERT C Coding Standard (3)     Page: FIO22-C. Close files before spawning processes     Page: FIO15-C. Ensure that file operations are performed in a secure directory     Page: POS05-C. Limit access to files by creating a jail

Parent Page     Page: Rec. 09. Input Output (FIO)

• rose-false-positive
• compass/rose
• cwe-22
• fio
• windows
• android-unknown
• input
• posix
• recommendation
• filename
• cwe-73
• klocwork

Time	Editor
Aug 21, 2025 08:37	Jill Britton	View Changes
)
Jul 24, 2025 11:04	Jill Britton	View Changes
May 20, 2025 08:15	Amy Gale	View Changes
REM Cost Reform
Mar 24, 2025 21:32	Amy Gale	View Changes
Fix whitespace
Mar 24, 2025 21:32	Amy Gale
Update CodeSonar mapping info

External Links (23)
    cwe.mitre.org/data/definitions/41.html
    xorl.wordpress.com/2009/06/09/cve-2009-1760-libtorrent-arbi…
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04…
    pubs.opengroup.org/onlinepubs/9699919799/
    msdn.microsoft.com/en-us/library/aa364963.aspx
    https://cwe.mitre.org/data/definitions/28.html
    www.kernel.org/doc/man-pages/online/pages/man3/pathconf.3.h…
    https://access.redhat.com/security/cve/CVE-2014-9390
    cwe.mitre.org/data/definitions/73.html
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1760
    https://github.com/git/git/blob/master/Documentation/RelNot…
    cwe.mitre.org/
    www.kernel.org/doc/man-pages/online/pages/man3/realpath.3.h…
    https://cwe.mitre.org/data/definitions/23.html
    cwe.mitre.org/data/definitions/22.html
    https://cwe.mitre.org/data/definitions/40.html
    cwe.mitre.org/data/definitions/59.html
    https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?p…
    https://www.mathworks.com/help/bugfinder/ref/certcrec.fio02…
    https://www.kb.cert.org/vulnotes/bymetric?searchview&query=…
    https://github.com/git/git/commit/77933f4449b8d6aa7529d627f…

SEI CERT Oracle Coding Standard for Java (2)     Page: FIO16-J. Canonicalize path names before validating them     Home page: SEI CERT Oracle Coding Standard for Java

SEI CERT C++ Coding Standard (2)     Home page: SEI CERT C++ Coding Standard     Page: VOID FIO02-CPP. Canonicalize path names originating from untrusted sources

SEI CERT C Coding Standard (14)     Page: Klocwork     Page: LDRA_V     Page: Rose     Page: Helix QAC_V     Page: CodeSonar_V     Page: Polyspace Bug Finder_V     Page: AA. Bibliography     Page: Klocwork_V     Page: CodeSonar     Page: Polyspace Bug Finder     Page: BB. Definitions     Page: LDRA     Page: Helix QAC     Home page: SEI CERT C Coding Standard