SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 103

changes.mady.by.user Alex Volkovitsky

Saved on

compared with

New Version 104

changes.mady.by.user Justin Pincar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider v2.1 (sch jbop) (X_X)@==(Q_Q)@

...

It is important to remember to cleanup in order to allow filenames file names and other resources such as secondary storage to be recycled. In the case of abnormal termination, there is no sure method that can guarantee the removal of orphaned files. For this reason temp cleaner utilities which are invoked manually by a system administrator or periodically run by a daemon to sweep temporary directories and remove old files are widely used. However, these utilities are themselves vulnerable to file-based exploits, and often require the use of shared directories (see FIO15-A. Do not create temporary files in shared directories). However, during normal operation, it is the responsibility of the program to ensure that temporary files are removed either explicitly, or through the use of library routines such as tmpfile_s which guarantee temporary file deletion upon program termination.

...

Wiki Markup
The following non-compliant code attempts to remedy the problem by generating the filenamefile name at runtime using {{tmpnam()}}.  The C99 {{tmpnam()}} function generates a string that is a valid file filenamename and that is not the same as the name of an existing file \[[ISO/IEC 9899-:1999|AA. C References#ISO/IEC 9899-1999]\]. Files created using strings generated by the {{tmpnam()}} function are temporary in that their names should not collide with those generated by conventional naming rules for the [implementation|BB. Definitions#implementation].  The function is potentially capable of generating {{TMP_MAX}} different strings, but any or all of them may already be in use by existing files.

...

This call to open() fails whenever file_name already exists, including when it is a symbolic link. This is secure, but a temporary file is presumably still required. Unfortunately, the method used by tmpnam() to generate filenames file names is not guaranteed to be unpredictable, which leaves room for an attacker to guess the filename file name ahead of time.

Wiki Markup
Care should be observed when using {{O_EXCL}} with remote file systems, as it does not work with NFS version 2. NFS version 3 added support for {{O_EXCL}} mode in {{open()}} see IETF RFC 1813 \[[Callaghan 95|AA. C References#Callaghan 95]\], in particular the {{EXCLUSIVE}} value to the {{mode}} argument of {{CREATE}}.

...

Wiki Markup
The TR 24731-1 {{tmpnam_s()}} function generates a string that is a valid filenamefile name and that is not the same as the name of an existing file \[[ISO/IEC TR 24731-1-:2007|AA. C References#SO/IEC TR 24731-1-2007]\]. It is almost identical to the {{tmpnam}} function above except with an added {{maxsize}} argument for the supplied buffer.

...

For Microsoft Visual Studio 2005, the name generated by tmpnam_s consists of a program-generated filename file name and, after the first call to tmpnam_s(), a file extension of sequential numbers in base 32 (.1-.1vvvvvu, when TMP_MAX_S in stdio.h is INT_MAX).

...

The POSIX function mktemp() takes a given filename file name template and overwrites a portion of it to create a filenamefile name. The template may be any filename file name with some number of Xs appended to it (for example, /tmp/temp.XXXXXX). The trailing Xs are replaced with the current process number and/or a unique letter combination. The number of unique filenames file names mktemp() can return depends on the number of Xs provided.

...

Wiki Markup
It should be possible to open at least {{TMP_MAX}} temporary files during the lifetime of the program (this limit may be shared with {{tmpfile()}}). C99 Section 7.19.4.4 allows for the value of the macro {{TMP_MAX}} to be at little as 25 \[[ISO/IEC 9899-:1999|AA. C References#ISO/IEC 9899-1999]\].

Most historic implementations provide only a limited number of possible temporary filenames file names (usually 26) before filenames file names are recycled.

Code Block
bgColor#FFCCCC
FILE* fp;

if (!(fp = tmpfile())) {
  /* Handle Error */
}

...

The mkstemp() algorithm for selecting filenames file names has proven to be immune to attacks.

...

Wiki Markup
In many older [implementations|BB. Definitions#implementation], the name is a function of process ID and time, so it is possible for the attacker to predict the name and create a decoy in advance.  FreeBSD has recently changed the {{mk*temp()}} family to eliminate the PID component of the filenamefile name and replace the entire field with base-62 encoded randomness.  This raises the number of possible temporary files for the typical use of 6 Xs significantly, meaning that even {{mktemp()}} with 6 Xs is reasonably (probabilistically) secure against guessing, except under frequent usage \[[Kennaway 00|AA. C References#Kennaway 00]\] .

...

Wiki Markup
It should be possible to open at least {{TMP_MAX_S}} temporary files during the lifetime of the program (this limit may be shared with {{tmpnam_s()}}).  The value of the macro {{TMP_MAX_S}} is only required to be 25 \[[ISO/IEC TR 24731-1-:2007|AA. C References#ISO/IEC TR 24731-1-2007]\].

Wiki Markup
TR 24731-1 notes the following regarding the use of {{tmpfile_s()}} instead of {{tmpnam_s()}} \[[ISO/IEC TR 24731-1-:2007|AA. C References#ISO/IEC TR 24731-1-2007]\]:

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

The tool Compass Rose /ROSE is able to detect violations of this recommendation. Specifically, Rose reports use of tmpnam(), tmpnam_s(), tmpfile(), and mktemp().

...

Wiki Markup
\[[Austin Group 08|AA. C References#Austin Group 08]\]
\[[HP 03|AA. C References#HP 03]\]
\[[ISO/IEC 9899-:1999|AA. C References#ISO/IEC 9899-1999]\] Sections 7.19.4.4, "The {{tmpnam}} function," 7.19.4.3, "The {{tmpfile}} function," and 7.19.5.3, "The {{fopen}} function"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "EWR Path Traversal"
\[[ISO/IEC TR 24731-1-:2007|AA. C References#ISO/IEC TR 24731-1-2007]\] Sections 6.5.1.2, "The {{tmpnam_s}} function," 6.5.1.1, "The {{tmpfile_s}} function," and 6.5.2.1, "The {{fopen_s}} function"
\[[Kennaway 00|AA. C References#Kennaway 00]\]
\[[Open Group 04|AA. C References#Open Group 04]\] [{{mktemp()}}|http://www.opengroup.org/onlinepubs/000095399/functions/mktemp.html], [{{mkstemp()}}|http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html], [{{open()}}|http://www.opengroup.org/onlinepubs/009695399/functions/open.html]
\[[Seacord 05a|AA. C References#Seacord 05a]\] Chapter 3, "File I/O", Chapter 7
\[[Wheeler 03|AA. C References#Wheeler 03]\] [Chapter 7, "Structure Program Internals and Approach"|http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES]
\[[Viega 03|AA. C References#Viega 03]\] Section 2.1, "Creating Files for Temporary Use"

...