...
| Wiki Markup |
|---|
However, this code suffers from a _Time of Check, Time of Use_ (or _TOCTOU_) vulnerability (see \[[Seacord 05|AA. C++ References#Seacord 05]\] Section 7.2). On a shared multitasking system there is a window of opportunity between the first call of {{fopen()}} and the second call for a malicious attacker to, for example, create a link with the given filename to an existing file, so that the existing file is overwritten by the second call of {{fopen()}} and the subsequent writing to the file. |
...
References
- Seacord 05 Chapter 7, "File I/O"
- ISO/IEC 9899-1999 Sections 7.19.3, FilesISO/IEC 9899-1999 Sections "Files"; 7.19.4, "Operations on Files"
- ISO/IEC TR 24731-2006 Section 6.5.2.1, "The fopen_s function"
- Open Group 04