SAP DYN FILE SCRTY






Directory Traversal
Physical file names can be specified as the content of a character-like data object in the statements and in the system class of the ABAP file interface. If some or all of this content originates outside the calling program, there is a risk that files or file paths are accessed by unauthorized sources (this is known as directory traversal). The following are potential security risks when input from outside is used to access the ABAP file interface:
A file name used in the statements OPEN DATASET and DELETE DATASET originates either partly or in full from outside the program.
A file name passed to the method CREATE_UTF8_FILE_WITH_BOM of the system class CL_ABAP_FILE_UTILITIES originates either partly or in full from outside the program.
To counter this security risk, file names must be validated. The validation can be self-programmed, or the function module FILE_VALIDATE_NAME can be used. This function module checks whether a physical file name matches a logical file name or whether it is a valid directory. One prerequisite is that the matching logical file names or logical paths were created using the transactions FILE or SF01.



Latest notes:

If a program uses logical file names exclusively, instead of physical file names, the physical file names or paths required by the statements are constructed only by the function module FILE_GET_NAME. In this case, validation is not usually necessary.
Alongside the validation of file names, adequate checks should be made on the authorizations for file access.
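The following added example illustrates both points above in one report: an externally supplied physical file name checked with FILE_VALIDATE_NAME before OPEN DATASET, and the alternative of working with a logical file name only, where FILE_GET_NAME builds the physical path; both variants are followed by an explicit S_DATASET authorization check. It is not code from this page or from SAP. The logical file name ZDEMO_IMPORT, the report and class names, and the directory ZDEMO_IMPORT is assumed to resolve to are assumptions made for the example.

```abap
REPORT z_demo_file_name_validation.

" Constructed assumptions for this added example:
" - ZDEMO_IMPORT is a hypothetical logical file name defined with transaction FILE;
"   for the application server's syntax group it resolves to a fixed directory with
"   the placeholder <PARAM_1> for the file name, e.g. /usr/sap/<SYSID>/demo/<PARAM_1>.txt.
" - The user running the report holds S_DATASET for that path with activity 33 (read).
CONSTANTS gc_logical_name TYPE fileintern VALUE 'ZDEMO_IMPORT'.

" Raised when a file name does not resolve to the permitted directory or fails the
" authorization check.
CLASS lcx_unsafe_file_name DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_file_reader DEFINITION.
  PUBLIC SECTION.
    " Variant 1: the physical name comes from outside the program (selection screen,
    " RFC, another file), so it is validated against ZDEMO_IMPORT before OPEN DATASET.
    CLASS-METHODS read_physical
      IMPORTING iv_physical     TYPE string
      RETURNING VALUE(rt_lines) TYPE string_table
      RAISING   lcx_unsafe_file_name cx_sy_file_access_error.
    " Variant 2: the program works with the logical name only; FILE_GET_NAME builds
    " the physical path, so outside input fills <PARAM_1> but never selects the directory.
    CLASS-METHODS read_logical
      IMPORTING iv_param_1      TYPE string
      RETURNING VALUE(rt_lines) TYPE string_table
      RAISING   lcx_unsafe_file_name cx_sy_file_access_error.
  PRIVATE SECTION.
    CLASS-METHODS read_lines
      IMPORTING iv_path         TYPE string
      RETURNING VALUE(rt_lines) TYPE string_table
      RAISING   lcx_unsafe_file_name cx_sy_file_access_error.
ENDCLASS.

CLASS lcl_file_reader IMPLEMENTATION.
  METHOD read_physical.
    DATA(lv_path) = iv_physical.
    " Names containing "../", names in other directories, and names that do not match
    " the pattern stored for ZDEMO_IMPORT are rejected via VALIDATION_FAILED.
    CALL FUNCTION 'FILE_VALIDATE_NAME'
      EXPORTING
        logical_filename           = gc_logical_name
      CHANGING
        physical_filename          = lv_path
      EXCEPTIONS
        logical_filename_not_found = 1
        validation_failed          = 2
        OTHERS                     = 3.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_unsafe_file_name.
    ENDIF.
    rt_lines = read_lines( lv_path ).
  ENDMETHOD.

  METHOD read_logical.
    DATA lv_path TYPE string.
    " No physical name is accepted from outside; the directory is fixed by the
    " definition in transaction FILE and only the placeholder is filled from iv_param_1.
    CALL FUNCTION 'FILE_GET_NAME'
      EXPORTING
        logical_filename = gc_logical_name
        parameter_1      = iv_param_1
      IMPORTING
        file_name        = lv_path
      EXCEPTIONS
        file_not_found   = 1
        OTHERS           = 2.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_unsafe_file_name.
    ENDIF.
    rt_lines = read_lines( lv_path ).
  ENDMETHOD.

  METHOD read_lines.
    DATA lv_line TYPE string.
    " Explicit authorization check in addition to the name validation (activity 33 = read);
    " OPEN DATASET also checks S_DATASET itself and raises CX_SY_FILE_AUTHORITY on failure.
    AUTHORITY-CHECK OBJECT 'S_DATASET'
      ID 'PROGRAM'  FIELD sy-repid
      ID 'ACTVT'    FIELD '33'
      ID 'FILENAME' FIELD iv_path.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_unsafe_file_name.
    ENDIF.
    OPEN DATASET iv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
    DO.
      READ DATASET iv_path INTO lv_line.
      IF sy-subrc <> 0.
        EXIT.
      ENDIF.
      APPEND lv_line TO rt_lines.
    ENDDO.
    CLOSE DATASET iv_path.
  ENDMETHOD.
ENDCLASS.

PARAMETERS: p_phys  TYPE c LENGTH 255 LOWER CASE,  "physical name supplied by the user
            p_param TYPE c LENGTH 60  LOWER CASE.  "value for <PARAM_1> of ZDEMO_IMPORT

START-OF-SELECTION.
  DATA lt_lines TYPE string_table.
  TRY.
      IF p_phys IS NOT INITIAL.
        lt_lines = lcl_file_reader=>read_physical( CONV #( p_phys ) ).
      ELSE.
        lt_lines = lcl_file_reader=>read_logical( CONV #( p_param ) ).
      ENDIF.
      cl_demo_output=>display( lt_lines ).
    CATCH lcx_unsafe_file_name.
      cl_demo_output=>display( 'File name rejected by validation or authorization check' ).
    CATCH cx_sy_file_access_error INTO DATA(lx_file).
      cl_demo_output=>display( lx_file->get_text( ) ).
  ENDTRY.
```

Variant 2 is the one the note above describes as usually needing no validation: the only input that reaches the file interface is the placeholder value, and the directory comes from the definition maintained with transaction FILE. Variant 1 is the pattern to use when a complete physical name cannot be avoided, for example when it is delivered by an external system; whichever variant is used, the authorization check on S_DATASET covers the second point above.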



Example ABAP Coding

See the examples under Validating File Names.