...
| Wiki Markup |
|---|
This solution is also non-compliant because it violates \[[FIO32-C|FIO32-C. Temporary file names must be unique when the file is created]\] and \[[FI042-C|FI042-C. Temporary files must be removed before the program exits]\]. |
Compliant Solution: mkstemp() (POSIX)
A reasonably secure solution for generating random file names is to use the mkstemp() function. The mkstemp() function is available on systems that support the Open Group Base Specifications Issue 4, Version 2 or later.
...
In many older implementations, the name is a function of process ID and time--so it is possible for the attacker to guess it and create a decoy in advance. FreeBSD has recently changed the mk*temp() family to get rid of the PID component of the filename and replace the entire thing with base-62 encoded randomness. This raises the number of possible temporary files for the "default" usage of 6 X's significantly, meaning that even mktemp() with 6 X's is reasonably (probabilistically) secure against guessing, except under very frequent usage Kennaway 00.
Compliant Solution: tmpfile_s() (ISO/IEC TR 24731-1 )
The ISO/IEC TR 24731-1 function tmpfile_s() creates a temporary binary file that is different from any other existing file
that is automatically removed when it is closed or at program termination. If the program terminates abnormally, whether an open temporary file is removed is implementation-defined.
The file is opened for update with "wb+" mode which means "truncate to zero length or create binary file for update." To the extent that the underlying system supports the concepts, the file is opened with exclusive (non-shared) access and has a file permission that prevents other users on the system from accessing the file.
The tmpfile_s() function is available on systems that support ISO/IEC TR 24731-1 (e.g., Microsoft Visual Studio 2005).
| Code Block | ||
|---|---|---|
| ||
| Wiki Markup |
|---|
The {{tmpfile_s()}} function may not be compliant with \[[FI042-C|FI042-C. Temporary files must be removed before the program exits]\] for implementations where the temporary file is not removed if the program terminates abnormally. |
Risk Assessment
A protected system file to which the symbolic link points can be overwritten when a vulnerable program is executed.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FIO32-C | 2 (high) | 2 (probable) | 2 (medium) | P6 P8 | L2 |
References
- ISO/IEC 9899-1999 Sections 7.19.4.3 The tmpfile function, 7.19.4.4 The tmpnam function
- ISO/IEC TR 24731-2006 Section 6.5.1.1 The tmpfile_s function