The ISO/IEC 9899-1999 C standard function fopen()
is typically used to open an existing file or create a new one. However, fopen()
does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file.
Non-Compliant Code Example: fopen()
In this example, an attempt is made to check whether a file exists before opening it for writing by trying to open the file for reading.
/* ... */ FILE *fp = fopen("foo.txt","r"); if (!fp) { /* file does not exist */ fp = fopen("foo.txt","w"); /* ... */ fclose(fp); } else { /* file exists */ fclose(fp); } /* ... */
However, this code suffers from a Time of Check, Time of Use (or TOCTOU) vulnerability (see [[Seacord 05]] Section 7.2). On a shared multitasking system there is a window of opportunity between the first call of fopen()
and the second call for a malicious attacker to, for example, create a link with the given filename to an existing file, so that the existing file is overwritten by the second call of fopen()
and the subsequent writing to the file.
Non-Compliant Code Example: fopen_s()
(ISO/IEC TR 24731-1)
The fopen_s()
function defined in ISO/IEC TR 24731-2006 is designed to improve the security of the fopen()
function. However, like fopen()
, fopen_s()
provides no mechanism to determine if an existing file has been opened for writing or a new file has been created. The code below contains the same TOCTOU race condition as in the first Non-Compliant Code Example.
/* ... */ FILE *fptr; errno_t res = fopen_s(&fptr,"foo.txt", "r"); if (res != 0) { /* file does not exist */ res = fopen_s(&fptr,"foo.txt", "w"); /* ... */ fclose(fptr); } else { fclose(fptr); } /* ... */
Compliant Solution: open()
(POSIX)
The fopen()
function does not indicate if an existing file has been opened for writing or a new file has been created. However, the open()
function as defined in the Open Group Base Specifications Issue 6 [[Open Group 04]] is available on many platforms and provides such a mechanism. If the O_CREAT
and O_EXCL
flags are used together, the open()
function fails when the file specified by file_name
already exists.
/* ... */ int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode); if (fd == -1) { /* Handle Error */ } /* ... */
Care should be observed when using O_EXCL
with remote file systems as it does not work with NFS version 2. NFS version 3 added support for O_EXCL
mode in open()
; see IETF RFC 1813 Callaghan 95, in particular the EXCLUSIVE
value to the mode
argument of CREATE
.
Compliant Solution: fdopen()
(POSIX)
fdopen()
[[Open Group 04]] can be used in conjunction with open()
to determine if a file is opened or created, and then associate a stream with the file descriptor.
/* ... */ FILE *fp; int fd; fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode); if (fd == -1) { /* Handle Error */ } fp = fdopen(fd,"w"); if (fp == NULL) { /* Handle Error */ } /* ... */
Risk Assessment
The ability to determine if an existing file has been opened, or a new file has been created provides greater assurance that the file accessed is the one that was intended.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
FIO03-A |
2 (medium) |
2 (probable) |
1 (high) |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files"
[[ISO/IEC TR 24731-2006]] Section 6.5.2.1, "The fopen_s function"
[[Open Group 04]]
[[Seacord 05]] Chapter 7, "File I/O"