CWE-176: Improper Handling of Unicode Encoding
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not properly handle when an input contains Unicode encoding.
常见后果
影响范围: Integrity
技术影响: Unexpected State
潜在缓解措施
阶段: Architecture and Design
策略: Input Validation
描述: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
阶段: Implementation
策略: Input Validation
阶段: Implementation
策略: Input Validation
描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
观察示例
参考: CVE-2000-0884
Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encoded characters.
参考: CVE-2001-0709
Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode.
参考: CVE-2001-0669
Overlaps interaction error.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Unicode Encoding | - |
| CERT C Secure Coding | MSC10-C | Character Encoding - UTF8 Related Issues | - |