If user input is used as the basis for a file or directory name, an attacker can manipulate that input so the file is opened from, or written to, an unintended location. A value such as `..\..\web.config` or `..\Windows\system.ini` walks out of the directory the code assumes, because the `..` components are resolved by the file system, not by your string concatenation. Suppose you create the following Public procedure in a server application to save user settings to a file. Your intent is to save the file alongside the application by using the Application.StartupPath property.
```vb
' Deliberately unsafe: UserName is concatenated into the path unchecked.
Public Sub SaveSettings(ByVal UserName As String, _
                        ByVal Settings As String)
    Dim hFile As Integer = FreeFile()
    Dim Filename As String = Application.StartupPath & "\" & _
                             UserName
    FileOpen(hFile, Filename, OpenMode.Output)
    PrintLine(hFile, Settings)
    FileClose(hFile)
End Sub
```
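The following is an added example, not code from the original page: a hardened counterpart to the SaveSettings procedure above. It assumes a `baseDir` parameter in place of Application.StartupPath so it runs in a plain console project, rejects any UserName that is not a bare file name, and then canonicalizes the combined path with Path.GetFullPath and confirms it still sits under the base directory. The `Main` procedure and the sample user names are constructed for the demonstration; the separator and drive-letter handling assume Windows, which is where Application.StartupPath applies.

```vb
Imports System
Imports System.IO

Module SafeSettings

    ' Added example (not from the original page). baseDir stands in for
    ' Application.StartupPath. Returns the canonical path the settings file
    ' may be written to, or throws if userName could escape baseDir.
    Public Function ResolveSettingsPath(ByVal baseDir As String, ByVal userName As String) As String
        ' First gate: the name must be a single path component. Any separator
        ' (\ or /), "." or "..", or a character Windows forbids in file names
        ' is rejected before it ever reaches the file system.
        If String.IsNullOrEmpty(userName) OrElse
           userName <> Path.GetFileName(userName) OrElse
           userName = "." OrElse userName = ".." OrElse
           userName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 Then
            Throw New ArgumentException("User name is not a valid bare file name.", "userName")
        End If

        ' Canonical root with exactly one trailing separator, so a prefix check
        ' cannot be fooled by a sibling directory such as "settings-demo2".
        Dim root As String = Path.GetFullPath(baseDir).TrimEnd(
            Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) & Path.DirectorySeparatorChar

        ' Second gate (defence in depth): resolve the full path and require that
        ' the canonical result is still inside root.
        Dim full As String = Path.GetFullPath(Path.Combine(root, userName))
        If Not full.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Throw New UnauthorizedAccessException("Resolved path escapes the settings directory.")
        End If

        Return full
    End Function

    ' Same contract as the page's SaveSettings, with the path validated first.
    Public Sub SaveSettings(ByVal baseDir As String, ByVal userName As String, ByVal settings As String)
        File.WriteAllText(ResolveSettingsPath(baseDir, userName), settings)
    End Sub

    Sub Main()
        ' Constructed demo: a scratch directory under %TEMP% plays the role of
        ' the application's startup directory.
        Dim base As String = Path.Combine(Path.GetTempPath(), "settings-demo")
        Directory.CreateDirectory(base)

        SaveSettings(base, "alice", "theme=dark")
        Console.WriteLine("wrote " & ResolveSettingsPath(base, "alice"))

        ' Each of these would have been written outside base by the unsafe version.
        For Each bad As String In {"..\web.config", "alice/../../secret", "..", "x:y"}
            Try
                ResolveSettingsPath(base, bad)
                Console.WriteLine("UNEXPECTED: accepted " & bad)
            Catch ex As Exception
                Console.WriteLine("rejected " & bad & ": " & ex.Message)
            End Try
        Next
    End Sub

End Module
```

The first gate is the one that actually blocks traversal; the StartsWith check exists so that a future change to how the name is built (for example, adding a per-tenant subdirectory) still cannot write outside the base. Note that a bare-file-name check does not cover every Windows quirk, such as reserved device names like `CON` or names ending in a dot or space, so map user identifiers to file names you generate yourself where you can rather than using them verbatim.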
In the case of ASP.NET Web applications, use