
The C standard identifies specific strings to use for the mode on calls to fopen() [[ISO/IEC 9899:1999]]. To be strictly conforming and portable, one of the strings from the following table (adapted from the C standard) must be used:

Strings to use for the mode on calls to fopen()

  mode string     Result
  -----------     ----------------------------------------------------------------------
  r               open text file for reading
  w               truncate to zero length or create text file for writing
  a               append; open or create text file for writing at end-of-file
  rb              open binary file for reading
  wb              truncate to zero length or create binary file for writing
  ab              append; open or create binary file for writing at end-of-file
  r+              open text file for update (reading and writing)
  w+              truncate to zero length or create text file for update
  a+              append; open or create text file for update, writing at end-of-file
  r+b or rb+      open binary file for update (reading and writing)
  w+b or wb+      truncate to zero length or create binary file for update
  a+b or ab+      append; open or create binary file for update, writing at end-of-file

If the mode string begins with one of these sequences, the implementation might choose to ignore the remaining characters, or it might use them to select different kinds of files.

An implementation may define additional mode strings, but only the modes shown in the table are fully portable and C99 compliant [[ISO/IEC 9899:1999]].
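As an added illustration (not code from the original recommendation), the following C program checks a candidate mode string against the table above before it ever reaches fopen(), so that an implementation-specific extension such as a trailing character cannot be passed by accident. The function names and the sample mode strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* The mode strings from the table: the only ones that are fully portable
 * and C99 conforming (both spellings of the "+b" forms are listed). */
static const char *const portable_modes[] = {
    "r", "w", "a", "rb", "wb", "ab",
    "r+", "w+", "a+",
    "r+b", "rb+", "w+b", "wb+", "a+b", "ab+"
};

/* Returns 1 if mode is exactly one of the portable strings, 0 otherwise.
 * The comparison is exact: a mode that merely begins with a portable
 * sequence (for example "r+t") is rejected, because the standard lets an
 * implementation interpret the extra characters however it likes. */
int is_portable_fopen_mode(const char *mode) {
    size_t i;
    if (mode == NULL) return 0;
    for (i = 0; i < sizeof portable_modes / sizeof portable_modes[0]; i++) {
        if (strcmp(mode, portable_modes[i]) == 0) return 1;
    }
    return 0;
}

/* Hypothetical wrapper: refuses to call fopen() with a non-portable mode.
 * On rejection it returns NULL without touching the file system and sets
 * *rejected to 1 so the caller can tell this apart from an I/O failure. */
FILE *fopen_portable(const char *path, const char *mode, int *rejected) {
    if (!is_portable_fopen_mode(mode)) {
        if (rejected != NULL) *rejected = 1;
        return NULL;
    }
    if (rejected != NULL) *rejected = 0;
    return fopen(path, mode);
}

int main(void) {
    /* Constructed candidates: three from the table, three that are not. */
    const char *candidates[] = { "r", "rb+", "wb", "rw", "r+t", "" };
    size_t i;
    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        printf("\"%s\": %s\n", candidates[i],
               is_portable_fopen_mode(candidates[i]) ? "portable" : "NOT portable");
    }
    return 0;
}
```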

Risk Assessment

Using a mode string that is not recognized by an implementation may cause the call to fopen() to fail.

  Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
  --------------   --------   ----------   ----------------   --------   -----
  FIO11-C          medium     probable     medium             P8         L2

Automated Detection

Compass/ROSE can detect violations of this recommendation.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as FIO11-CPP. Take care when specifying the mode parameter of fopen().

References

[[ISO/IEC 9899:1999]] Section 7.9.15.3, "The fopen function"
