Path Equivalence: ' filename' (Leading Space)
This vulnerability occurs when an application accepts file or directory paths that begin with a space character (like ' filename'), without properly normalizing or validating the input. This can trick the file system's resolution logic, potentially allowing attackers to access unauthorized files or directories outside the intended scope.
File systems and path-handling libraries often treat a leading space as a valid character in a pathname. When an application fails to trim or reject these spaces, it creates an equivalence problem: the system sees ' file.txt' and 'file.txt' as two distinct files. An attacker can exploit this by crafting malicious inputs that bypass simple validation checks or blacklists, using the spaced version to reference sensitive system files or traverse directory structures. To prevent this, developers should implement strict input validation and path canonicalization. Always normalize paths by removing superfluous whitespace and resolving relative segments (like '..') before processing. Use allowlists for permitted directories and access patterns, rather than relying on string-matching checks that can be evaded by trivial character variations like a leading space.
Impact: Read Files or DirectoriesModify Files or Directories
- File Processing
- File or Directory
- PLOVER
- Software Fault Patterns