Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The ISO/IEC 9899-1999 C standard function fopen() is typically used to open an existing file or create a new one. However, fopen() does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file.

Non-Compliant Code Example: fopen()

In this example, an attempt is made to check whether a file exists before opening it for writing by trying to open the file for reading.

Code Block
bgColor#FFCCCC
/* ... */
FILE *fp = fopen("foo.txt","r");
if (!fp) { /* file does not exist */
  fp = fopen("foo.txt","w");
  /* ... */
  fclose(fp);
} else {
   /* file exists */
  fclose(fp);
}
/* ... */

Wiki Markup
However, this code suffers from a _Time of Check, Time of Use_ (or _TOCTOU_) vulnerability (see \[[Seacord 05|AA. C References#Seacord 05]\] Section 7.2).  On a shared multitasking system there is a window of opportunity between the first call of {{fopen()}} and the second call for a malicious attacker to, for example, create a link with the given filename to an existing file, so that the existing file is overwritten by the second call of {{fopen()}} and the subsequent writing to the file.

Non-Compliant Code Example: fopen_s() (ISO/IEC TR 24731-1)

The fopen_s() function defined in ISO/IEC TR 24731-1-2007 is designed to improve the security of the fopen() function. However, like fopen(), fopen_s() provides no mechanism to determine if an existing file has been opened for writing or a new file has been created. The code below contains the same TOCTOU race condition as in the first Non-Compliant Code Example.

Code Block
bgColor#FFCCCC
/* ... */
FILE *fptr;
errno_t res = fopen_s(&fptr,"foo.txt", "r");
if (res != 0) { /* file does not exist */
  res = fopen_s(&fptr,"foo.txt", "w");
  /* ... */
  fclose(fptr);
} else {
  fclose(fptr);
}
/* ... */

Compliant Solution: open() (POSIX)

Wiki Markup
The {{fopen()}} function does not indicate if an existing file has been opened for writing or a new file has been created. However, the {{open()}} function as defined in the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\] is available on many platforms and provides such a mechanism.  If the {{O_CREAT}} and {{O_EXCL}} flags are used together, the {{open()}} function fails when the file specified by {{file_name}} already exists.

Code Block
bgColor#ccccff
/* ... */
int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle Error */
}
/* ... */

Care should be observed when using O_EXCL with remote file systems as it does not work with NFS version 2. NFS version 3 added support for O_EXCL mode in open(); see IETF RFC 1813 Callaghan 95, in particular the EXCLUSIVE value to the mode argument of CREATE.

Compliant Solution: fdopen() (POSIX)

Wiki Markup
{{fdopen()}} \[[Open Group 04|AA. C References#Open Group 05]\] can be used in conjunction with {{open()}} to determine if a file is opened or created, and then associate a stream with the file descriptor.

Code Block
bgColor#ccccff
/* ... */
FILE *fp;
int fd;

fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle Error */
}

fp = fdopen(fd,"w");
if (fp == NULL) {
  /* Handle Error */
}
/* ... */

Risk Assessment

The ability to determine if an existing file has been opened, or a new file has been created provides greater assurance that the file accessed is the one that was intended.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO03-A

2 (medium)

2 (probable)

1 (high)

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files"
\[[ISO/IEC TR 24731-1-2007|AA. C References#SO/IEC TR 24731-1-2007]\] Section 6.5.2.1, "The fopen_s function"
\[[Open Group 04|AA. C References#Open Group 04]\]
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 7, "File I/O"


Section
borderfalse
Column
bgColorred
width10%

FIO02-A. Canonicalize file names originating from untrusted sources       09. Input Output (FIO)       FIO04-A. Detect and handle input and output errors

Column
bgColorred
width10%

Column
bgColorred
width10%

Section
bordertrue