SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 21

changes.mady.by.user Lee Mancuso

Saved on

compared with

New Version 22

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
Invoking {{
According to its C99 definition, the effect of calling 
remove()}} on an open file is [implementation-defined|BB. Definitions#implementation-defined behavior].
Therefore
 Consequently, care must be taken when {{remove()}} is called on an open file.
It is often the case that removing a file that is open can help mitigate file input/output race conditions. In these cases, the intended implementations need to be considered and an alternate, more strongly defined function, such as The Open Group's unlink() should be used. To be strictly conforming and portable, remove() should not be called on an open 
 Removing an open file is sometimes recommended to hide the names of temporary files that may prone to attack (see \[[TMP30-C. Temporary files must created with unique and unpredictable file names]]). In these cases, the intended implementations need to be considered and an alternate, more strongly defined function, such as The Open Group's {{unlink()}} should be used. To be strictly conforming and portable, {{remove()}} should _not_ be called on an open file.

Non-Compliant Code Example

The following non-compliant code example illustrates a case where a file is removed after while it is first openedstill open.

Code Block
bgColor#FFcccc
FILE *file;

/* ... */

file = fopen("myfile", "w+");
if (fopen == NULL) {
  /* Handle error condition */
}

/* ... */

remove("myfile");

/* ... */

Some implementations will not remove "myfile" because the stream is still open.

Implementation Details

Code compiled using Microsoft , such as Visual Studio C++ 2005 compiled code running and run on Microsoft Windows XP, will not allow prevents the call to remove() to succeed, leaving the file resident on disk after execution has completed call from succeeding when the file is open, meaning that the file link will remain after execution completes.

Compliant Solution

The following compliant solution waits until the process has completed using the file to remove itdepends on programmer intent. If the programmer simply neglected to close the file before attempting to remove it, the file can simply be closed before the remove is attempted.

Code Block
bgColor#ccccff
FILE *file;

/* ... */

file = fopen("myfile", "w+");
if (fopen == NULL) {
  /* Handle error condition */
}

/* Finish using file... */

fclose("myfile");
remove("myfile");

It is not possible to (portably) remove the link from the file system while the file is open using remove(). While this may be possible on some implementations, it is important to document the dependency on implementation-defined behavior.

Compliant Solution (POSIX)

...

Code Block
bgColor#ccccff
#include <unistd.h>

FILE *file;

/* ... */

file = fopen("myfile", "w+");
if (fopen == NULL) {
  /* Handle error condition */
}
unlink("myfile");

/* ... */fclose("myfile");

Risk Assessment

Calling remove() on an open file has different implications for different implementations and may cause abnormal termination if the closed file is written to or read from, or may result in unintended information disclosure from not actually deleting a file as intended.

...