CWE-249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

{"xhtml:p":["This entry was deprecated for several reasons. The primary\n reason is over-loading of the \"path manipulation\" term and the\n description. The original description for this entry was the\n same as that for the \"Often Misused: File System\" item in the\n original Seven Pernicious Kingdoms paper. However, Seven\n Pernicious Kingdoms also has a \"Path Manipulation\" phrase that\n is for external control of pathnames (CWE-73), which is a\n factor in symbolic link following and path traversal, neither\n of which is explicitly mentioned in 7PK. Fortify uses the\n phrase \"Often Misused: Path Manipulation\" for a broader range\n of problems, generally for issues related to buffer\n management. Given the multiple conflicting uses of this term,\n there is a chance that CWE users may have incorrectly mapped\n to this entry.","The second reason for deprecation is an implied combination of\n\tmultiple weaknesses within buffer-handling functions. The\n\tfocus of this entry was generally on the path-conversion\n\tfunctions and their association with buffer\n\toverflows. However, some of Fortify's Vulncat entries have the\n\tterm \"path manipulation\" but describe a non-overflow weakness\n\tin which the buffer is not guaranteed to contain the entire\n\tpathname, i.e., there is information truncation (see CWE-222\n\tfor a similar concept). A new entry for this non-overflow\n\tweakness may be created in a future version of CWE."]}