Weakness reference
CWE-166

Improper Handling of Missing Special Elements


01 Summary

This weakness occurs when software expects certain special characters or delimiters (like quotes, brackets, newlines, or terminators) in input but fails to handle cases where they are missing. When these elements are absent, the parser or processor may misinterpret the data, leading to incorrect behavior, data corruption, or security bypasses. The impact ranges from logic errors to authentication flaws or injection vulnerabilities.

02 How It Happens

Most parsers and data processors rely on special characters to mark boundaries between logical units—a closing quote to end a string, a semicolon to end a statement, a newline to end a line. When code assumes these delimiters will always be present without validating their presence, an attacker or malformed input can cause the parser to consume more data than intended, skip validation steps, or enter an unexpected state. This is especially dangerous in contexts like configuration parsing, protocol handling, and query construction, where missing terminators can cause subsequent data to be misinterpreted as part of the previous element.
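The mechanism described above, as an added example that is not part of the CWE page: a line-oriented record stream (one record per newline-terminated line, an assumption for this example) is read in chunks whose boundaries do not line up with the terminators, as happens on a socket. A lenient splitter trusts whatever fragment it sees and emits records that never existed; a strict framer emits only records that were explicitly terminated, bounds how long it will wait for a terminator, and rejects a dangling unterminated record at end of stream.

```python
"""Added example (not from the CWE page): what a missing terminator does to a
parser, and the framing that prevents it. Assumes a protocol where every
record ends in '\n'; the chunk boundaries below are constructed to fall in
the middle of a record."""


def lenient_records(chunks):
    """Split each chunk on '\\n' and trust the result.

    An unterminated tail is emitted as if it were a complete record, and the
    rest of that record, arriving in the next chunk, becomes a second bogus
    record. Neither fragment is the record the sender wrote.
    """
    records = []
    for chunk in chunks:
        for piece in chunk.split("\n"):
            if piece:
                records.append(piece)
    return records


class StrictLineFramer:
    """Emit only records that were explicitly terminated by '\\n'."""

    def __init__(self, max_record_len=256):
        self._buf = ""
        self._max = max_record_len  # assumed bound for this example

    def feed(self, chunk):
        """Buffer a chunk and return the complete records it completed."""
        self._buf += chunk
        records = []
        while True:
            idx = self._buf.find("\n")
            if idx < 0:
                break
            record, self._buf = self._buf[:idx], self._buf[idx + 1:]
            records.append(record)
        # Boundary check: data that keeps growing without a terminator is
        # itself a sign of missing-delimiter input, so stop rather than wait.
        if len(self._buf) > self._max:
            raise ValueError(
                "record exceeds %d bytes without terminator" % self._max)
        return records

    def finish(self):
        """End of stream: reject a dangling record instead of guessing."""
        if self._buf:
            raise ValueError(
                "unterminated record at end of input: %r" % self._buf)
        return []


def strict_records(chunks):
    """Run the whole stream through a StrictLineFramer."""
    framer = StrictLineFramer()
    records = []
    for chunk in chunks:
        records.extend(framer.feed(chunk))
    records.extend(framer.finish())
    return records


# Constructed sample: three records, with a chunk boundary inside the second.
CHUNKS = ["role=user\nro", "le=admin\nuser=alice\n"]

if __name__ == "__main__":
    print("lenient:", lenient_records(CHUNKS))
    print("strict: ", strict_records(CHUNKS))
```

The lenient splitter turns `role=admin` into the two records `ro` and `le=admin`, which a downstream consumer will either drop as unknown keys or, worse, act on; the strict framer returns exactly the three records that were terminated, and raises on a stream that ends mid-record.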

03 Real-World Impact

Missing delimiter handling has led to authentication bypasses (e.g., incomplete credential parsing), SQL injection (when query terminators are missing and user input bleeds into the next statement), log injection (when newline delimiters are absent), and configuration injection (when config file delimiters are not validated). In protocol implementations, missing terminators can cause buffer overruns or state machine confusion. The severity depends on context: in a log file, it may cause confusion; in a query parser, it can enable data exfiltration.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
config = {}  # destination for parsed settings (added so the snippet runs)

def parse_config_line(line):
    # Assumes line always contains exactly one '=' delimiter
    key, value = line.split('=')
    config[key.strip()] = value.strip()

# "key_without_value" (no '=') raises ValueError: not enough values to unpack
# "key=value=extra" (a second '=') raises ValueError: too many values to unpack
# "key=value\nkey2" (no newline terminator before the next entry) is accepted
# silently: value becomes "value\nkey2" and key2 is never parsed as its own entry

Why it's vulnerable:
The code assumes the = delimiter is always present and does not validate the line structure before splitting. Missing or malformed delimiters cause crashes or silent data loss.

Fixed pattern
config = {}  # destination for parsed settings (added so the snippet runs)

def parse_config_line(line):
    # Validate presence of the delimiter before parsing
    if '=' not in line:
        raise ValueError(f"Invalid config line (missing '='): {line}")
    # Reject a line that swallowed the next entry because its terminator was missing
    if '\n' in line:
        raise ValueError("Config line contains an embedded newline")

    key, value = line.split('=', 1)  # maxsplit=1 prevents over-splitting
    if not key.strip() or not value.strip():
        raise ValueError("Config key and value cannot be empty")

    config[key.strip()] = value.strip()

Vulnerable pattern
function parse_csv_record($line) {
    // Assumes fields are always quoted and comma-separated
    $fields = str_getcsv($line);
    $user_id = $fields[0];
    $email = $fields[1];
    $role = $fields[2];
    
    // If a field is missing or quote is unclosed, $fields may be incomplete
    return compact('user_id', 'email', 'role');
}

Why it's vulnerable:
The code does not validate that all expected fields are present after parsing. Missing delimiters or unclosed quotes can result in fewer fields than expected, causing undefined array access or incorrect data assignment.

Fixed pattern
function parse_csv_record($line) {
    $fields = str_getcsv($line);

    // Validate that all required fields are present
    if (count($fields) < 3) {
        throw new Exception("CSV record missing required fields");
    }

    // sanitize_id(), sanitize_email() and sanitize_role() are application-specific
    // validators not shown on this page; each is expected to return the cleaned
    // value or throw when the input falls outside its allowlist.
    $user_id = sanitize_id($fields[0]);
    $email = sanitize_email($fields[1]);
    $role = sanitize_role($fields[2]);

    return compact('user_id', 'email', 'role');
}

05 Prevention Checklist

Validate delimiter presence:
Before parsing, explicitly check that all required delimiters (quotes, commas, newlines, terminators) are present in the expected positions.
Use allowlists for special characters:
Define which special characters are valid in each context and reject input that deviates from the expected format.
Implement strict parsing:
Use parser libraries that enforce strict grammar rules rather than lenient, forgiving parsers that silently skip missing elements.
Test edge cases:
Include test cases for missing delimiters, unclosed quotes, incomplete records, and malformed input in your test suite.
Log parsing failures:
When a delimiter is missing or a record is malformed, log the event and reject the input rather than attempting to recover or guess.
Use length and boundary checks:
Validate that parsed elements fall within expected length ranges and that the total input length matches expectations.
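The CSV record check from the fixed pattern above and the checklist items on strict parsing, allowlists, boundary checks and rejecting rather than guessing, combined into one added example (not code from the CWE page). It uses Python's csv module with `strict=True`, which makes the reader raise `csv.Error` on an unclosed quote instead of handing back whatever it read. The record layout (user_id, email, role), the field-length bound and the role allowlist are assumptions for the example.

```python
"""Added example (not from the CWE page): strict parsing of a three-field
user record, rejecting missing fields, unclosed quotes, over-long fields and
values outside an allowlist. Layout and bounds are assumed for the example."""
import csv

EXPECTED_FIELDS = 3          # assumed record layout: user_id,email,role
MAX_FIELD_LEN = 64           # assumed upper bound per field
ALLOWED_ROLES = {"user", "admin"}  # assumed allowlist


def lenient_fields(line):
    """What the default (non-strict) reader returns; shown for contrast."""
    return next(csv.reader([line]))


def parse_user_record(line):
    """Return {'user_id', 'email', 'role'} or raise ValueError. Never guess."""
    try:
        rows = list(csv.reader([line], strict=True))
    except csv.Error as exc:          # e.g. "unexpected end of data" on an unclosed quote
        raise ValueError("malformed CSV (%s): %r" % (exc, line)) from exc

    fields = rows[0] if rows else []
    if len(rows) != 1 or len(fields) != EXPECTED_FIELDS:
        raise ValueError("expected %d fields, got %d: %r"
                         % (EXPECTED_FIELDS, len(fields), line))

    user_id, email, role = fields
    for name, value in (("user_id", user_id), ("email", email), ("role", role)):
        if not value or len(value) > MAX_FIELD_LEN:
            raise ValueError("field %s is empty or exceeds %d chars"
                             % (name, MAX_FIELD_LEN))
    if not user_id.isdigit():
        raise ValueError("user_id must be numeric: %r" % user_id)
    if "@" not in email:
        raise ValueError("email is missing '@': %r" % email)
    if role not in ALLOWED_ROLES:
        raise ValueError("role %r not in allowlist" % role)
    return {"user_id": int(user_id), "email": email, "role": role}


def is_rejected(line):
    """True when parse_user_record refuses the line (used to exercise edge cases)."""
    try:
        parse_user_record(line)
    except ValueError:
        return True
    return False


# Constructed inputs covering the edge cases the checklist asks to test.
GOOD = "42,alice@example.com,admin"
UNCLOSED_QUOTE = '42,"alice@example.com,admin'   # quote never closed
MISSING_FIELD = "42,alice@example.com"           # delimiter and field absent
BAD_ROLE = "42,alice@example.com,root"           # outside the allowlist

if __name__ == "__main__":
    print("lenient:", lenient_fields(UNCLOSED_QUOTE))
    print("strict: ", parse_user_record(GOOD))
    for sample in (UNCLOSED_QUOTE, MISSING_FIELD, BAD_ROLE):
        print("rejected" if is_rejected(sample) else "accepted", repr(sample))
```

With the default dialect, `lenient_fields(UNCLOSED_QUOTE)` returns two fields, the unclosed quote having swallowed the comma and the role into the email; the strict reader raises instead, and the field-count check catches the case where the delimiter is simply absent.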

06 Signs You May Already Be Affected

Look for parsing errors in logs, incomplete or truncated records in databases, unexpected behavior when processing configuration files or user input, or authentication failures that correlate with unusual input formats. If you see stack traces related to array index out of bounds, undefined variable access, or parsing exceptions, investigate whether missing delimiters in input are the root cause.
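A first-pass log triage for the symptoms listed above, as an added example that is not part of the CWE page. The log lines are constructed for the example, and the signature patterns are assumptions chosen to match the symptoms the page names (unpack and parse exceptions, array index out of bounds, undefined array or variable access); a real deployment would tune them to its own stack's messages.

```python
"""Added example (not from the CWE page): group application log lines by the
missing-delimiter symptoms named on the page. Log lines are constructed;
signature patterns are assumptions."""
import re

# Each signature: (label, pattern). First match wins.
SIGNATURES = [
    ("unpack-mismatch",
     re.compile(r"(not enough|too many) values to unpack")),
    ("index-out-of-bounds",
     re.compile(r"IndexError|index out of range|ArrayIndexOutOfBounds")),
    ("undefined-access",
     re.compile(r"Undefined (array key|index|offset|variable)")),
    ("parse-error",
     re.compile(r"csv\.Error|unexpected end of data|ParseError|missing '[^']+'")),
]


def triage_missing_delimiter_signs(lines):
    """Return {label: [matching log lines]}; lines matching nothing are skipped."""
    findings = {label: [] for label, _ in SIGNATURES}
    for line in lines:
        for label, pattern in SIGNATURES:
            if pattern.search(line):
                findings[label].append(line)
                break
    return findings


def summarize(findings):
    """Counts per label, omitting labels with no hits."""
    return {label: len(hits) for label, hits in findings.items() if hits}


# Constructed log lines (not from any real system).
LOG_LINES = [
    "2024-05-01T10:02:11Z app[412] ERROR ValueError: not enough values to unpack "
    "(expected 2, got 1) in parse_config_line",
    "2024-05-01T10:02:13Z app[412] WARNING PHP Warning: Undefined array key 2 "
    "in parse_csv_record",
    "2024-05-01T10:02:14Z app[412] INFO user bob logged in",
    "2024-05-01T10:02:15Z app[412] ERROR IndexError: list index out of range "
    "in import_users",
    "2024-05-01T10:02:16Z app[412] ERROR csv.Error: unexpected end of data "
    "while reading users.csv line 17",
    "2024-05-01T10:03:00Z app[412] ERROR ValueError: Invalid config line "
    "(missing '='): db_host",
]

if __name__ == "__main__":
    findings = triage_missing_delimiter_signs(LOG_LINES)
    for label, count in summarize(findings).items():
        print("%-20s %d" % (label, count))
```

A cluster of these signatures that lines up with a particular input source (one upload, one client, one config deployment) is the correlation the section above asks for; the next step is to pull the offending input and check whether a delimiter was missing.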