...
The fopen and freopen functions are obsolete because the fopen_s and freopen_s functions in C11 Annex K can emulate their usage and improve security by protecting the file from unauthorized access by setting its file protection and opening the file with exclusive access [ISO/IEC 9899:2011].

The setbuf function is obsolete because setbuf does not return a value and can be emulated using setvbuf. See FIO12-C. Prefer setvbuf() to setbuf().
...
To remediate invocations of unchecked obsolete functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative nonobsolete functions from C11 Annex K [ISO/IEC 9899:2011]:
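The setbuf/setvbuf case above is the one remediation the page spells out in full: setbuf returns nothing, so a failed buffer assignment is invisible, while setvbuf returns nonzero on failure and lets the caller react. The following C program is an added example (not code from the CERT page) showing the obsolete call next to its checked replacement; the function names and the use of tmpfile() as a stand-in for a real file are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Obsolete pattern: setbuf() has no return value, so the caller cannot
 * tell whether the stream actually took the buffer. Kept only for contrast. */
void buffer_obsolete(FILE *fp, char *buf)
{
    setbuf(fp, buf); /* silent on failure */
}

/* Remediated pattern: setvbuf() reports failure with a nonzero return.
 * It must be called after the stream is opened and before any other
 * operation on it. Returns 0 on success, -1 on failure. */
int buffer_checked(FILE *fp, char *buf, size_t n)
{
    if (setvbuf(fp, buf, _IOFBF, n) != 0) {
        return -1;
    }
    return 0;
}

/* Writes msg to a fully buffered temporary stream, seeks back (fseek rather
 * than rewind, per FIO07-C, so the seek result can be checked) and reads it
 * again. Returns 1 if the data round-trips intact, 0 on any failure. */
int roundtrip_with_setvbuf(const char *msg)
{
    static char buf[BUFSIZ];
    char readback[256] = {0};
    size_t n;
    FILE *fp = tmpfile(); /* constructed stand-in for a real file */

    if (fp == NULL) {
        return 0;
    }
    if (buffer_checked(fp, buf, sizeof buf) != 0) {
        fclose(fp);
        return 0;
    }
    if (fputs(msg, fp) == EOF) {
        fclose(fp);
        return 0;
    }
    if (fseek(fp, 0L, SEEK_SET) != 0) {
        fclose(fp);
        return 0;
    }
    n = fread(readback, 1, sizeof readback - 1, fp);
    fclose(fp);
    return n == strlen(msg) && memcmp(readback, msg, n) == 0;
}

int main(void)
{
    /* Constructed sample input. */
    int ok = roundtrip_with_setvbuf("buffered via setvbuf");
    printf("round trip %s\n", ok ? "ok" : "failed");
    return ok ? 0 : 1;
}
```

The difference that matters for remediation is the early `return -1` in buffer_checked: every subsequent I/O operation is skipped when the buffer could not be installed, whereas buffer_obsolete would carry on with whatever buffering state the stream happened to be in.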
...
| Source | Related guidelines |
| --- | --- |
| CERT C Secure Coding Standard | FIO01-C. Be careful using functions that use file names for identification; FIO07-C. Prefer fseek() to rewind(); FIO12-C. Prefer setvbuf() to setbuf(); INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs; INT06-C. Use strtol() or a related function to convert a string token to an integer; STR06-C. Do not assume that strtok() leaves the parse string unchanged; STR07-C. Use TR 24731 for remediation of existing string manipulation code |
| ISO/IEC TR 24772 | Use of Libraries [TRJ] |
| ISO/IEC 9899:2011 | Annex K |
| MISRA C:2012 | Rule 21.3 (required) |
| MITRE CWE | CWE-20, Insufficient input validation; CWE-73, External control of file name or path; CWE-192, Integer coercion error; CWE-197, Numeric truncation error; CWE-367, Time-of-check, time-of-use race condition; CWE-464, Addition of data structure sentinel; CWE-676, Use of potentially dangerous function |
...