SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 107

changes.mady.by.user Alex Volkovitsky

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki MarkupThe C99 tandard function {{The C fopen()}} is typically used to open an existing file or create a new one \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]. However, {{fopen()}} does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file.

For examples on how to just check for the existence of a file without actually opening it, please see FIO10-A. Take care when using the rename() function.

Non-Compliant Code Example: fopen()

function is used to open an existing file or create a new one. The C11 version of the fopen() and fopen_s() functions provides a mode flag, x, that provides the mechanism needed to determine if the file that is to be opened exists. Not using this mode flag can lead to a program overwriting or accessing an unintended file.

Noncompliant Code Example (fopen())

In this noncompliant code example, the file referenced by file_name is opened for writing. This example is noncompliant if the programmer's intent was to create a new file, but the referenced file already existsIn this example, an attempt is made to check whether a file exists before opening it for writing by trying to open the file for reading.

Code Block
bgColor#FFCCCC
langc
char
FILE *fp = fopen(file_name,"r");
ifFILE (!fp) { *fp;

/* Initialize file does not exist _name */
  
fp = fopen(file_name, "w");
  /* ... */
  fclose(fp);
} elseif (!fp) {
   /* fileHandle existserror */
  fclose(fp);
}

Wiki Markup
However, this code suffers from a _Time of Check, Time of Use_ (or _TOCTOU_) vulnerability (see \[[Seacord 05|AA. C References#Seacord 05]\] Section 7.2).  On a shared multitasking system there is a window of opportunity between the first call of {{fopen()}} and the second call for a malicious attacker to, for example, create a link with the given file name to an existing file so that the existing file is overwritten by the second call of {{fopen()}} and the subsequent writing to the file.

Non-Compliant Code Example: fopen_s() (ISO/IEC TR 24731-1)

}

Noncompliant Code Example (fopen_s(), C11 Annex K)

The C11 Annex K The fopen_s() function defined in ISO/IEC TR 24731-1:2007 is designed to improve the security of the fopen() function. However, like Like the fopen() function, fopen_s() provides no a mechanism to determine if an existing file has been opened for writing or a new file has been created. The code below contains the same TOCTOU race condition as the first non-compliant code example using fopen()whether the file exists. See below for use of the exclusive mode flag.

Code Block
bgColor#FFCCCC
langc
char *file_name;
FILE *fptrfp;

/* Initialize file_name */
errno_t res = fopen_s(&fptrfp, file_name, "rw");
if (res != 0) {
  /* Handle error */
}

Compliant Solution (fopen_s(), C11 Annex K)

The C Standard provides a new flag to address this problem. Subclause 7.21.5.3, paragraph 5 [ISO/IEC 9899:2011], states:

Opening a file with exclusive mode ('x' as the last character in the mode argument) fails if the file already exists or cannot be created. Otherwise, the file is created with exclusive (also known as non-shared) access to the extent that the underlying system supports exclusive access.

This option is also provided by the GNU C library [Loosemore 2007].

This compliant solution uses the x mode character to instruct fopen_s() to fail rather than open an existing file:

Code Block
bgColor#ccccff
langc
char *file_name;

/* Initialize file_name does not exist */
FILE *fp;
errno_t res = fopen_s(&fptrfp, file_name, "wwx");
if (res /* ... */!= 0) {
  fclose(fptr);
} else {
  fclose(fptr);
}

Compliant Solution: open() (POSIX)

/* Handle error */
}

Use of this option allows for the easy remediation of legacy code. However, note that Microsoft Visual Studio 2012 and earlier do not support the x mode character [MSDN].

Compliant Solution (open(), POSIX)

The open() function, as defined in the Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 [IEEE Std 1003.1:2013], is available on many platforms and provides finer control than fopen(). In particular, open() accepts the O_CREAT and O_EXCL flags. When used together, these flags instruct the open() function to fail if the file specified by file_name already Wiki MarkupThe {{open()}} function as defined in the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\] is available on many platforms and provides the control that {{fopen()}} does not provide. If the {{O_CREAT}} and {{O_EXCL}} flags are used together, the {{open()}} function fails when the file specified by {{file_name}} already exists.

Code Block
bgColor#ccccff
langc
char *file_name;
int new_file_mode;

/* Initialize file_name and new_file_mode */

int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle Errorerror */
}

Wiki MarkupCare should be observed taken when using {{O_EXCL}} with remote file systems as because it does not work with NFS version 2. NFS version 3 added support for {{O_EXCL}} mode in {{open()}}; see IETF RFC 1813, in particular the {{EXCLUSIVE}} value to the {{mode}} argument of {{CREATE}} \[[Callaghan 95|AA. C References#Callaghan 95]\].

Compliant Solution: fopen() (GNU)

Wiki Markup
Section 12.3 of the GNU C Library says: \[[Loosemore 07|AA. C References#Loosemore 07]\]

The GNU C library defines one additional character for use in opentype: the character `x' insists on creating a new file—if a file filename already exists, fopen fails rather than opening it. If you use `x' you are guaranteed that you will not clobber an existing file. This is equivalent to the O_EXCL option to the open function.

Code Block
bgColor#ccccff

FILE *fp = fopen(file_name,"wx");
if (!fp) {
  /* Handle Error */
}

Use of this non portable extension can allow for easy remediation of legacy code.

Compliant Solution: fdopen() (POSIX)

Wiki Markup
For code that operates on {{FILE}} pointers and not file descriptors, the POSIX {{fdopen()}} function \[[Open Group 04|AA. C References#Open Group 05]\] can be used to associate an open stream with the file descriptor returned by {{open()}}, as shown in this compliant solution.

. IETF RFC 1813 [Callaghan 1995] defines the EXCLUSIVE value to the mode argument of CREATE:

EXCLUSIVE specifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.

For examples of how to check for the existence of a file without opening it, see recommendation FIO10-C. Take care when using the rename() function.

Compliant Solution (fdopen(), POSIX)

For code that operates on FILE pointers and not file descriptors, the POSIX fdopen() function can be used to associate an open stream with the file descriptor returned by open(), as shown in this compliant solution [IEEE Std 1003.1:2013]:

Code Block
bgColor#ccccff
langc
char *file_name;
int new_file_mode;
Code Block
bgColor#ccccff
FILE *fp;
int fd;

/* Initialize file_name and new_file_mode */

fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle Errorerror */
}

fp = fdopen(fd, "w");
if (fp == NULL) {
  /* Handle error */
}

Compliant Solution (Windows)

The Win32 API CreateFile() allows a programmer to create or open a file depending on the flags passed in. Passing in the CREATE_NEW flag ensures the call fails if the file already exists. This compliant solution demonstrates how to open a file for reading and writing without sharing access to the file such that the call fails if the file already exists.

Code Block
bgColor#ccccff
langc
TCHAR *file_name;
HANDLE hFile = CreateFile(file_name, GENERIC_READ | GENERIC_WRITE, 0, 0, 
                          CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0);
if (INVALID_HANDLE_VALUE == hFile) {
  DWORD err = GetLastError();
  if (ERROR_FILE_EXISTS == err) {
    /* Handle file exists error */
  } else {
    /* Handle other Errorerror */
  }
}

Risk Assessment

The ability to determine if whether an existing file has been opened or a new file has been created provides greater assurance that the intended file is accessed, or perhaps more importantly, a file other than the intended file is not acted upon.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO03-

A

C

medium

Medium

probable

Probable

high

High

P4

L3

Automated Detection

Tool

Version

Checker

Description

Coverity6.5OPEN_ARGSFully implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5012
LDRA tool suite
Include Page
LDRA_V
LDRA_V
44 SEnhanced Enforcement

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

...

Related Guidelines

SEI CERT C++ Coding StandardVOID FIO03-CPP. Do not make assumptions about fopen() and file creation
ISO/IEC TR 24731-1:2007Section 6.5.2.1, "The fopen_s Function"

Bibliography

[Callaghan 1995]IETF RFC 1813 NFS Version 3 Protocol Specification
[IEEE Std 1003.1:2013]System Interfaces: open
[ISO/IEC 9899:2011]Subclause 7.21.5.3, "The fopen Function"
Subclause K.3.5.2.1,

...

"The

...

fopen_s

...

Function"
[Loosemore 2007]Section 12.3,

...

"Opening Streams"
[Seacord 2013]Chapter 8, "File I/O"


...

Image Added Image Added Image Added Streams"|http://www.gnu.org/software/libc/manual/html_node/Opening-Streams.html] \[[Open Group 04|AA. C References#Open Group 04]\] \[[Seacord 05|AA. C References#Seacord 05]\] Chapter 7, "File I/O"FIO02-A. Canonicalize path names originating from untrusted sources       09. Input Output (FIO)       FIO04-A. Detect and handle input and output errors