The C99 [[ISO/IEC 9899-1999]] C standard function fopen() is typically used to open an existing file or create a new one. However, fopen() does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file.
Non-Compliant Code Example: fopen()
In this example, an attempt is made to check whether a file exists before opening it for writing by trying to open the file for reading.
/* ... */
FILE *fp = fopen(file_name,"r");
if (!fp) { /* file does not exist */
fp = fopen(file_name,"w");
/* ... */
fclose(fp);
} else {
/* file exists */
fclose(fp);
}
/* ... */
However, this code suffers from a Time of Check, Time of Use (or TOCTOU) vulnerability (see [[Seacord 05]] Section 7.2). On a shared multitasking system there is a window of opportunity between the first call of fopen() and the second call for a malicious attacker to, for example, create a link with the given filename to an existing file so that the existing file is overwritten by the second call of fopen() and the subsequent writing to the file.
Non-Compliant Code Example: fopen_s() (ISO/IEC TR 24731-1)
The fopen_s() function defined in ISO/IEC TR 24731-1-2007 is designed to improve the security of the fopen() function. However, like fopen(), fopen_s() provides no mechanism to determine if an existing file has been opened for writing or a new file has been created. The code below contains the same TOCTOU race condition as the first non-compliant code example using fopen().
/* ... */
FILE *fptr;
errno_t res = fopen_s(&fptr, file_name, "r");
if (res != 0) { /* file does not exist */
res = fopen_s(&fptr, file_name, "w");
/* ... */
fclose(fptr);
} else {
fclose(fptr);
}
/* ... */
Compliant Solution: open() (POSIX)
The open() function as defined in the Open Group Base Specifications Issue 6 [[Open Group 04]] is available on many platforms and provides the control that fopen() does not provide. If the O_CREAT and O_EXCL flags are used together, the open() function fails when the file specified by file_name already exists.
/* ... */
int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
/* ... */
Care should be observed when using O_EXCL with remote file systems as it does not work with NFS version 2. NFS version 3 added support for O_EXCL mode in open(); see IETF RFC 1813, in particular the EXCLUSIVE value to the mode argument of CREATE [[Callaghan 95]].
Compliant Solution: fdopen() (POSIX)
For code that operates on FILE pointers and not file descriptors, the POSIX fdopen() function [[Open Group 04]] can be used to associate an open stream with the file descriptor returned by open(), as shown in this compliant solution.
/* ... */
FILE *fp;
int fd;
fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
fp = fdopen(fd, "w");
if (fp == NULL) {
/* Handle Error */
}
/* ... */
Risk Assessment
The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that the intended file is accessed, or perhaps more importantly, a file other than the intended file is not acted upon.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO03-A |
medium |
probable |
high |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files"
[[ISO/IEC TR 24731-1-2007]] Section 6.5.2.1, "The fopen_s function"
[[Open Group 04]]
[[Seacord 05]] Chapter 7, "File I/O"