In Windows 95, 98, "..." goes up two directories.
http://projects.cerias.purdue.edu/secprog/class2/7.Canon_&_DT.pdf (my
slides, apologies for the self-citation)
according to
http://www.iss.net/security_center/advice/Intrusions/2000617/default.htmeven 4 dots are possible, going up three directories.
Pascal
Robert C. Seacord wrote:
>
> The context notes for this CWE leaf node
> (
http://cwe.mitre.org/data/definitions/32.html) says the following:
>
> *Context Notes*
>
> This manipulation is effective in two different contexts: (1) it is
> equivalent to "..\.." on Windows, or (2) it can take advantage of
> insufficient filtering, e.g. if the programmer does a single-pass
> removal of "./" in a string (collapse of data into unsafe value)
>
> I have not been able to use "..." in place of "..\.." on any of my
> windows systems. Where is this an issue?
>
> As a more general comment--have you given any thought to collapsing some
> of these together? There seem to be an awful lot of nuanced
> distinctions. For example, if you were to introduce the term "separator
> character" which could be equal to '\' or '/' you could quickly
> eliminate a number of leafs in this section.
>
> Thanks,
> rCs
>
> --
> Robert C. Seacord
> Senior Vulnerability Analyst
> CERT/CC
>
> Work: 412-268-7608
> FAX: 412-268-6989
>
