1. Home
  2. CWE Database
  3. CWE-791
Base · Medium

CWE-791: Incomplete Filtering of Special Elements

The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

CWE-791 · Base Level

Description

The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

Potential Impact

Integrity

Unexpected State

Demonstrative Examples

The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
Bad
my $Username = GetUntrustedInput();$Username =~ s/\.\.\///;my $filename = "/home/user/" . $Username;ReadAndSendFile($filename);
Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as:
Attack
../../../etc/passwd
will have the first "../" stripped, resulting in:
Result
../../etc/passwd
This value is then concatenated with the /home/user/ directory:
Result
/home/user/../../etc/passwd
which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).

CWE-790: Improper Filtering of Special Elements

The product receives data from an upstream component, but does not filter or incorrectly filters special elements before...

Frequently Asked Questions

What is CWE-791?

CWE-791 (Incomplete Filtering of Special Elements) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

How can CWE-791 be exploited?

Attackers can exploit CWE-791 (Incomplete Filtering of Special Elements) to unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-791?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-791?

CWE-791 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.