CWE-241: Improper Handling of Unexpected Data Type
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
常见后果
影响范围: Integrity Other
技术影响: Varies by Context Unexpected State
潜在缓解措施
阶段: Implementation
策略: Input Validation
阶段: Implementation
策略: Input Validation
描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
观察示例
参考: CVE-1999-1156
FTP server crash via PORT command with non-numeric character.
参考: CVE-2004-0270
Anti-virus product has assert error when line length is non-numeric.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Wrong Data Type | - |
| CERT C Secure Coding | FIO37-C | Do not assume that fgets() or fgetws() returns a nonempty string when successful | CWE More Abstract |