...
If the programmer's intent is not to remove an existing destination file, the POSIX access() function can be used to check for the existence of a file [Open Group 2004IEEE Std 1003.1:2013]. This compliant solution renames the source file only if the destination file does not exist:
...
The return value of remove() is deliberately not checked because it is expected to fail if the file does not exist. If the file exists but cannot be removed, the rename() call will also fail, and the error will be detected at that point. This is a valid exception (EXP12-C-EX1) to EXP12-C. Do not ignore values returned by functions.
...
Calling rename() has implementation-defined behavior when the new file name refers to an existing file. Incorrect use of rename() can result in a file being unexpectedly overwritten or other unexpected behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FIO10-C |
Medium |
Probable |
Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| CodeSonar |
|
|
|
| (customization) | Users can add a custom check for all uses of rename(). | ||||||||
| Helix QAC |
| C5015 | |||||||
| LDRA tool suite |
| 592 S | Fully Implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| IEEE Std 1003.1:2013] | XSH, System Interfaces, access |
| [MSDN] | rename() |
...