[Owasp-mumbai] What is Canonicalization ?
Dharmesh M Mehta
dharmeshmm at mastek.com
Thu Nov 3 05:28:00 EST 2005
Hi,

The process of resolving different forms of input to the same standard name (the canonical name) is referred to as canonicalization.

Code is particularly susceptible to canonicalization issues if it makes security decisions based on the name of a resource that is passed to the program as input. Files, paths, and URLs are resource types that are vulnerable to canonicalization because in each case there are many different ways to represent the same name. File names are also problematic.

Ideally, your code does not accept input file names. If it does, the name should be converted to its canonical form prior to making security decisions, such as whether access should be granted or denied to the specified file.
Thanks & Regards,
__________________________________
Dharmesh Mehta
Technology Cell
Mastek Limited
Tel : +91-22-56952222 Extn : 1005
Dream as if you'll live forever. Live as if you'll die today. - James Dean
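As an added example, not part of Dharmesh's post: a Python check that converts a user-supplied file name to its canonical form under a hypothetical base directory (/srv/app/uploads, assumed here) before deciding access, shown next to a naive check on the raw name for contrast.

```python
import os
import urllib.parse

# Constructed base directory; it need not exist, since os.path.realpath
# normalises non-existent paths lexically.
BASE_DIR = "/srv/app/uploads"

def canonicalize(base_dir: str, user_name: str) -> str:
    """Canonical absolute path that user_name denotes under base_dir:
    percent-encoding is decoded once, '.', '..' and doubled separators
    are collapsed and symlinks (where the path exists) are resolved, so
    every spelling of the same file yields the same string."""
    decoded = urllib.parse.unquote(user_name)
    # join() discards base_dir when decoded is absolute; realpath then
    # canonicalizes the result so the containment check below is exact.
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), decoded))

def is_allowed(base_dir: str, user_name: str) -> bool:
    """Decide on the canonical form, not the raw input: allowed only if
    the resolved file lies inside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, canonicalize(base_dir, user_name)]) == base

def naive_is_allowed(user_name: str) -> bool:
    """Deliberately weak check on the raw name, shown for contrast."""
    return not user_name.startswith("/") and "../" not in user_name

# Constructed inputs: several spellings of one legitimate file and of
# one file outside the base directory.
SAMPLES = [
    "report.pdf",                    # plain name
    "./docs/../report.pdf",          # same file via '.' and '..'
    "docs//..//report.pdf",          # doubled separators
    "report%2Epdf",                  # percent-encoded '.'
    "../../../etc/passwd",           # leaves the base directory
    "..%2F..%2F..%2Fetc%2Fpasswd",   # same escape with encoded separators
    "/etc/passwd",                   # absolute path
]

def decisions() -> dict:
    """{input: (canonical_path, allowed)} for every sample input."""
    return {s: (canonicalize(BASE_DIR, s), is_allowed(BASE_DIR, s)) for s in SAMPLES}

if __name__ == "__main__":
    for name, (canon, ok) in decisions().items():
        print(f"{name!r:32} -> {canon:30} {'allow' if ok else 'deny'}")
```

Note that the naive check rejects a legitimate spelling (`./docs/../report.pdf`) while accepting the percent-encoded escape, exactly the kind of mistake canonicalizing first avoids.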