The software receives input from an upstream component, but it
does not restrict or incorrectly restricts the input before it is used as an
identifier for a resource that may be outside the intended sphere of
The software uses external input to construct a pathname that
is intended to identify a file or directory that is located underneath a
restricted parent directory, but the software does not properly neutralize
special elements within the pathname that can cause the pathname to resolve to a
location that is outside of the restricted directory.