SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 31

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version Current

changes.mady.by.user Joerg Herter

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

According to C99, Section subclause 5.2.1 , "Character sets"of the C Standard [ISO/IEC 9899:2011],

Two sets of characters and their associated collating sequences shall be defined: the set in which source files are written (the source character set), and the set interpreted in the execution environment (the execution character set). Each set is further divided into a basic character set, whose contents are given by this subclause, and a set of zero or more locale-specific members (which are not members of the basic character set) called extended characters. The combined set is also called the extended character set. The values of the members of the execution character set are implementation-defined.

...

There are several national variants of ASCII. ThereforeAs a result, the original ASCII is often referred as *is often called US-ASCII*. The international standard _ISO 646_ defines a character set similar to ISO/IEC 646-1991 defines a character set, similar to US-ASCII, but with code positions corresponding to US-ASCII characters {{@\[\]\{\|\}}} as "national use positions". It also gives some liberties with characters {{\#$^`\~}}. In _ISO 646_, several "national variants of ASCII" have been defined, assigning different letters and symbols to the "national use" positions. Thus, the characters that appear in those positions - including those in *US-ASCII* are somewhat unsafe in international data transfer. Consequently, due to the "national variants," some characters are less _safe_ than others--they might be transferred or interpreted positions [ISO/IEC 646-1991]. It also gives some liberties with particular characters (e.g., #$^`~).  In ISO/IEC 646-1991, several national variants of ASCII are defined, assigning different letters and symbols to the national use positions. Consequently, the characters that appear in those positions, including those in US-ASCII, are less portable in international data transfer. Because of the national variants, some characters are less portable than others: they might be transferred or interpreted incorrectly.

In addition to the letters of the English alphabet ("A " through " Z " and " a " through " z"), the digits ("0 " through " 9"), and the space, only the following characters can be regarded as safeare portable:

No Format

% & + , - . : = _

When naming files, variables, etc.and other objects, only these characters should be considered for use. This recommendation is related to STR02-AC. Sanitize data passed to complex subsystems.

File Names

File names containing particular characters can be troublesome and can cause can cause unexpected behavior leading to potential vulnerabilities.   If a program allows the allows the user to specify a filename file name in the creation or renaming of a file, certain checks should be made to disallow the following characters and patterns:

  • Leading dashes—Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
  • Control characters, such as newlines, carriage returns, and escapeescape—Control characters in a file name can cause unexpected results from shell scripts and in logging.
  • Spaces—Spaces can cause problems with scripts and when double quotes are not used to surround the file name.Spaces
  • Invalid character encodings—Character encodings can be a huge issue. (See MSC10-C. Character encoding: UTF8-related issues.)
  • Any characters other than letters, numbers, and punctuation designated above as safehere as portable—Other special characters are included in this recommendation because they are commonly used as separators, and having them in a file name can cause unexpected and potentially insecure behavior.

Also, many of the punctuation characters are not unconditionally safe for file names even of they are portably available.

Most of these characters or patterns are primarily a problem to scripts or automated parsing, but because they are not commonly used, it is best to disallow their use to reduce potential problems.   Interoperability concerns also exist because different operating systems handle filenames file names of this sort in different ways.  Leading dashes can cause programs when programs are called with this filename as a parameter, the first character or characters of the file might be taken to mean that its an option switch.  Control characters in a filename can cause unexpected results from shell scripts and in logging.  Spaces can again cause problems with scripts and anytime double quotes aren't used to surround the filename.  Character encodings can be a huge issue and are also discussed in MSC10-A. Character Encoding - UTF8 Related Issues.  Other special characters are included in this recommendation because they are commonly used as separators and having them in a filename can cause unexpected and potentially insecure behavior.

Non-Compliant Coding Example: Encoding

As a result of the influence of MS-DOS, file names of the form xxxxxxxx.xxx, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive, and on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability resulting from a failure to deal appropriately with case-sensitivity issues [VU#439395].

Noncompliant Code Example (File Name 1)

In this noncompliant code exampleIn the following non-compliant code, unsafe characters are used as part of a filename.file name:

Code Block
bgColor#ffcccc
langc

#include <fcntl.h>
#include <sys/stat.h>

int main(void) {
   char *file_name = "&#xBB;&#xA3;???&#xAB;\xe5ngstr\xf6m";
   mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;

   int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, mode);
   if (fd == -1) {
      /* Handle Errorerror */
   }
}

An implementation is free to define its own mapping of the non- "safenonsafe" characters. For example, when tested run on a Red Hat Enterprise Linux distribution, the following filename resulted7.5, this noncompliant code example resulted in the following file name being revealed by the ls command:

Code Block

?ngstr?????m

Compliant Solution

...

(File Name 1)

Use a descriptive filename, file name containing only the subset of ASCII previously described above.:

Code Block
bgColor#ccccff
langc

#include <fcntl.h>
#include <sys/stat.h>

int main(void) {
   char *file_name = "name.ext";
   mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;

   int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, mode);
   if (fd == -1) {
      /* Handle Errorerror */
   }
}

...

Noncompliant Code Example

...

(File Name 2)

This noncompliant code example is derived from FIO30-C. Exclude user input from format strings, except that a newline is removed on the assumption that fgets() will include it:

Code Block
bgColor#FFCCCC
langc

char myFilename[1000];
const char const elimNewLn[] = "\n";

fgets(myFilename, sizeof(myFilename)-1, stdin);
myFilename[sizeof(myFilename)-1] = '\0';
myFilename[strcspn(myFilename, elimNewLn)] = '\0';

This example is derived from FIO30-C. Exclude user input from format strings except that a newline is removed on the assumption that fgets() will include it.  No checks are performed on the filename file name to prevent troublesome characters.   If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, they could  he or she could choose particular characters in the output filename file name to confuse the later process for malicious purposes.

Compliant Solution

...

(File Name 2)

In this compliant solution, the program rejects file names that violate the guidelines for selecting safe characters:

Code Block
bgColor#ccccFF
langc

char myFilename[1000];
const char const elimNewln[] = "\n";
const char const badChars[] = "-\n\r ,;'\\<\"";
do {
  fgets(myFilename, sizeof(myFilename)-1, stdin);
  myFilename[sizeof(myFilename)-1] ='\0';
  myFilename[strcspn(myFilename, elimNewln)]='\0';
} while ( (strcspn(myFilename, badChars))
           < (strlen(myFilename)));

In this solution, the program does not accept a filename that violates the guidelines above.  As the solution shows, you probably have to find each location in code by hand that a user is allowed to specify a filename and solve it with a similar check as aboveSimilarly, you must validate all file names originating from untrusted sources to ensure they contain only safe characters.

Risk Assessment

Failing to use only the subset of ASCII that is guaranteed to work can result in misinterpreted data.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC09-

A

C

low

Medium

unlikely

Unlikely

low

Medium

P3

P4

L3

Automated Detection

...

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

Reference

Wiki Markup
\[[Kuhn 06|AA. C References#Kuhn 06]\] UTF-8 and Unicode FAQ for Unix/Linux
\[[ISO/IEC 646-1991|AA. C References#ISO/IEC 646-1991]\] ISO 7-bit coded character set for information interchange
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 5.2.1, "Character sets"
\[[MISRA 04|AA. C References#MISRA 04]\] Rule 3.2, "The character set and the corresponding encoding shall be documented," and Rule 4.1, "Only those escape sequences that are defined in the ISO C standard shall be used"
\[[Wheeler 03|AA. C References#Wheeler03]\] 5.4 File Names

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

bitfield-name
character-constantenum-tag-spelling
enumeration-constant-name
function-like-macro-name
global-function-name
global-object-name
global-object-name-const
header-filename
implementation-filename
local-object-name
local-object-name-const
local-static-object-name
local-static-object-name-const
object-like-macro-name
static-function-name
static-object-name
static-object-name-const
string-literal
struct-member-name
struct-tag-spelling
typedef-name
union-member-name
union-tag-spelling

Partially checked
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0285, C0286, C0287, C0288, C0289, C0299


LDRA tool suite
Include Page
LDRA_V
LDRA_V

113 S

Partially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V
CERT_C-MSC09-a
Only use characters defined in the ISO C standard
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V

bitfield-name
character-constantenum-tag-spelling
enumeration-constant-name
function-like-macro-name
global-function-name
global-object-name
global-object-name-const
header-filename
implementation-filename
local-object-name
local-object-name-const
local-static-object-name
local-static-object-name-const
object-like-macro-name
static-function-name
static-object-name
static-object-name-const
string-literal
struct-member-name
struct-tag-spelling
typedef-name
union-member-name
union-tag-spelling

Partially checked
SonarQube C/C++ Plugin
Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
S1578

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID MSC09-CPP. Character encoding: Use subset of ASCII for safety
CERT Oracle Secure Coding Standard for JavaIDS50-J. Use conservative file naming conventions
MISRA C:2012Directive 1.1 (required)
Rule 4.1 (required)
MITRE CWECWE-116, Improper encoding or escaping of output

Bibliography

[ISO/IEC 646-1991]"ISO 7-Bit Coded Character Set for Information Interchange"
[ISO/IEC 9899:2011]Subclause 5.2.1, "Character Sets"
[Kuhn 2006]"UTF-8 and Unicode FAQ for UNIX/Linux"
[VU#439395]
[Wheeler 2003Section 5.4, "File Names"


...

Image Added Image Added Image AddedMSC08-A. Library functions should validate their parameters      14. Miscellaneous (MSC)       MSC10-A. Character Encoding - UTF8 Related Issues