The C Standard identifies specific strings to use for the mode on calls to fopen() and fopen_s(). C11 provides a new mode flag, 'x', which makes the open fail if the file already exists and so provides the mechanism needed to determine whether the file to be opened exists without a separate, racy check. To be strictly conforming and portable, one of the strings from the following table (adapted from the C Standard, subclause 7.21.5.3 [ISO/IEC 9899:2011]) must be used:

Strings to Use for the Mode on Calls to fopen() and fopen_s()

...

If the mode string begins with one of these sequences, the implementation might choose to ignore the remaining characters, or it might use them to select different kinds of files.

When calling fopen_s(), any of the mode strings used for writing (those beginning with w or a) may be prefixed with the u character to give the file the file system's default access permissions rather than the restricted permissions fopen_s() otherwise requests for a newly created file.

An implementation may define additional mode strings, but only the modes shown in the table are fully portable and C compliant. Beware that Microsoft Visual Studio 2012 and earlier do not support the 'x' or 'u' mode characters [MSDN].
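The mode-string rules above, as an added example that is not part of the original page or of the CERT code base: a validator that accepts only the strings from the C11 table (transcribed from subclause 7.21.5.3 of the standard, not from this page), and a create-if-absent helper built on the 'x' flag so that the existence check and the creation are one operation instead of a check followed by a plain fopen(path, "w"). fopen_s() is not exercised because Annex K is optional and absent from many implementations. The scratch path under /tmp, the function names and the sample contents are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Mode strings listed in C11 subclause 7.21.5.3 (transcribed from the
 * standard). Anything else is an implementation extension and therefore
 * not portable. */
static const char *const PORTABLE_MODES[] = {
    "r", "w", "wx", "a",
    "rb", "wb", "wbx", "ab",
    "r+", "w+", "w+x", "a+",
    "r+b", "rb+", "w+b", "wb+", "w+bx", "wb+x", "a+b", "ab+",
};

/* Returns 1 if mode is exactly one of the standard strings, else 0.
 * An exact match is required: characters after a standard prefix are
 * implementation-defined (ignored or used to select a kind of file), so a
 * portable program must not rely on them. */
int is_portable_mode(const char *mode)
{
    size_t i;
    for (i = 0; i < sizeof PORTABLE_MODES / sizeof PORTABLE_MODES[0]; i++) {
        if (strcmp(mode, PORTABLE_MODES[i]) == 0) return 1;
    }
    return 0;
}

enum create_result { CREATED = 0, ALREADY_EXISTS = 1, OPEN_FAILED = -1 };

/* Create path and write contents, but only if path does not already exist.
 * "wx" lets the implementation perform the existence test and the creation
 * as a single operation, so no other process can slip a file in between a
 * separate check and fopen(path, "w"). On POSIX-style implementations a
 * pre-existing file is reported through errno as EEXIST (assumption: the
 * host is such an implementation, e.g. glibc). */
enum create_result create_exclusive(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "wx");
    if (fp == NULL) {
        return errno == EEXIST ? ALREADY_EXISTS : OPEN_FAILED;
    }
    if (contents != NULL && fputs(contents, fp) == EOF) {
        fclose(fp);
        return OPEN_FAILED;
    }
    return fclose(fp) == 0 ? CREATED : OPEN_FAILED;
}

/* Build a per-process scratch path under /tmp (assumed to be writable). */
void scratch_path(char *buf, size_t n)
{
    snprintf(buf, n, "/tmp/fio11c_example_%ld.txt", (long)getpid());
}

int main(void)
{
    char path[128];
    const char *modes[] = { "r", "wx", "rb+", "rw", "ux" };  /* sample modes */
    size_t i;

    for (i = 0; i < sizeof modes / sizeof modes[0]; i++)
        printf("mode \"%s\": %s\n", modes[i],
               is_portable_mode(modes[i]) ? "portable" : "not portable");

    scratch_path(path, sizeof path);
    remove(path);                                  /* start from a clean slate */
    printf("first create:  %d\n", create_exclusive(path, "first\n"));   /* 0 */
    printf("second create: %d\n", create_exclusive(path, "second\n"));  /* 1 */
    remove(path);
    return 0;
}
```

The second call returns ALREADY_EXISTS rather than silently truncating the file, which is the behaviour a plain "w" would have given; that is the property the 'x' flag adds.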

Risk Assessment

...

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
FIO11-C         Medium    Probable    Medium            P8        L2

Automated Detection

Tool             Version  Checker  Description
Compass/ROSE
LDRA tool suite           590 S    Partially implemented

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 9899:2011] Subclause 7.21.5.3, "The fopen Function"

...