The C fopen() function is used to open an existing file or create a new one. The C11 version of the fopen() and fopen_s() provides functions provides a mode flag ', x' , that provides the mechanism needed to determine if the file that is to be opened exists. Not Not using this mode flag can lead to a program overwriting or accessing an unintended file.
...
The C11 Annex K fopen_s() function is designed to improve the security of the fopen() function [ISO/IEC 9899:2011]. Like the C11 fopen() function, the C11 Annex K fopen_s() provides a mechanism to determine if whether the file exists. See See below for use of the exclusive mode flag.
...
The C Standard provides a new flag to address this problem. Section Subclause 7.21.5.3, paragraph 5 [ISO/IEC 9899:2011], states:
...
Use of this option allows for the easy remediation of legacy code. However, note that Microsoft Visual Studio 2012 and earlier do not support the 'x' mode character [MSDN].
Compliant Solution (open(), POSIX)
The open() function, as defined in the Open Group Base Specifications, Issue 6 [Open Group 2004], is available on many platforms and provides finer control than fopen(). In particular, open() accepts the O_CREAT and O_EXCL flags. When used together, these flags instruct the open() function to fail if the file specified by file_name already exists.
...
EXCLUSIVEspecifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.
For examples on of how to check for the existence of a file without opening it, see recommendation FIO10-C. Take care when using the rename() function.
...
The Win32 API CreateFile() allows you a programmer to create or open a file depending on the flags passed in. By passing Passing in the CREATE_NEW flag , you can ensure ensures the call fails if the file already exists. This compliant solution demonstrates how to open a file for reading and writing , without sharing access to the file such that the call fails if the file already exists.
...
Risk Assessment
The ability to determine if whether an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted upon.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FIO03-C | mediumMedium | probableProbable | highHigh | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Coverity | 6.5 | OPEN_ARGS | Fully Implementedimplemented | ||||||
| PRQA QA-C |
| warncall for fopen and fopen_s | Partially implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
| [Callaghan 1995] | IETF RFC 1813 NFS Version 3 Protocol Specification |
| [ISO/IEC 9899:2011] | Section Subclause 7.21.5.3, "The fopen Function"Annex Subclause K.3.5.2.1, "The fopen_s Function" |
| [Loosemore 2007] | Section 12.3, "Opening Streams" |
| [Open Group 2004] | |
| [Seacord 2013] | Chapter 8, "File I/O" |
...