You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 114 Next »

The C99 fopen() function is used to open an existing file or create a new one [[ISO/IEC 9899:1999]]. However, fopen() does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file.

For examples on how to just check for the existence of a file without actually opening it, please see FIO10-A. Take care when using the rename() function.

Non-Compliant Code Example: fopen()

In this non-compliant coding example, the file referenced by file_name is opened for writing. This example is non-compliant, however, if the programmer's intent was to create a new file, but the reference file already exists.

char *file_name;
FILE *fp;

/* initialize file_name */

fp = fopen(file_name, "w");
if (!fp) {
  /* handle error */
}

Non-Compliant Code Example: fopen_s() (ISO/IEC TR 24731-1)

The fopen_s() function defined in ISO/IEC TR 24731-1:2007 is designed to improve the security of the fopen() function. However, like fopen(), fopen_s() provides no mechanism to determine if an existing file has been opened for writing or a new file has been created.

char *file_name;
FILE *fp;

/* initialize file_name */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
  /* handle error */
}

Compliant Solution: open() (POSIX)

The open() function as defined in the Open Group Base Specifications Issue 6 [[Open Group 04]] is available on many platforms and provides the control that fopen() does not provide. If the O_CREAT and O_EXCL flags are used together, the open() function fails if the file specified by file_name already exists.

char *file_name;
int new_file_mode;

/* initialize file_name and new_file_mode */

int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle Error */
}

Care should be observed when using O_EXCL with remote file systems as it does not work with NFS version 2. NFS version 3 added support for O_EXCL mode in open(). IETF RFC 1813 defines the EXCLUSIVE value to the mode argument of CREATE [[Callaghan 95]].

EXCLUSIVE specifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.

Compliant Solution: fopen() (GNU)

Section 12.3 of the GNU C Library says: [[Loosemore 07]]

The GNU C library defines one additional character for use in opentype: the character 'x' insists on creating a new file—if a file filename already exists, fopen fails rather than opening it. If you use 'x' you are guaranteed that you will not clobber an existing file. This is equivalent to the O_EXCL option to the open function.

char *file_name;

/* initialize file_name */

FILE *fp = fopen(file_name, "wx");
if (!fp) {
  /* Handle Error */
}

Use of this non portable extension can allow for easy remediation of legacy code.

Compliant Solution: fdopen() (POSIX)

For code that operates on FILE pointers and not file descriptors, the POSIX fdopen() function can be used to associate an open stream with the file descriptor returned by open(), as shown in this compliant solution [[Open Group 04]].

char *file_name;
int new_file_mode;
FILE *fp;
int fd;

/* initialize file_name and new_file_mode */

fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle Error */
}

fp = fdopen(fd, "w");
if (fp == NULL) {
  /* Handle Error */
}

Risk Assessment

The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that the intended file is accessed, or perhaps more importantly, a file other than the intended file is not acted upon.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO03-A

medium

probable

high

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899:1999]] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files"
[[ISO/IEC TR 24731-1:2007]] Section 6.5.2.1, "The fopen_s function"
[[Loosemore 07]] Section 12.3, "Opening Streams"
[[Open Group 04]]
[[Seacord 05a]] Chapter 7, "File I/O"


FIO02-A. Canonicalize path names originating from untrusted sources       09. Input Output (FIO)       FIO04-A. Detect and handle input and output errors

  • No labels