...

File identification is less of an issue if applications maintain their files in secure directories, where they can only be accessed by the owner of the file and (possibly) by a system administrator. See recommendation FIO15-C. Ensure that file operations are performed in a secure directory.

Noncompliant Code Example (Reopen)

...

The structure members st_mode, st_ino, st_dev, st_uid, st_gid, st_atime, st_ctime, and st_mtime should all have meaningful values for all file types on POSIX-compliant systems. The st_ino field contains the file serial number. The st_dev field identifies the device containing the file. The st_ino and st_dev fields, taken together, uniquely identify the file. The st_dev value is not necessarily consistent across reboots or system crashes, however, so you may not be able to use this field for file identification if there is a possibility of a system crash or reboot before you attempt to reopen a file.

Call the fstat() function on a file that is already opened instead of calling stat() on a file name followed by open(). This ensures that the file for which the information is being collected is the same file that is already opened. See recommendation FIO01-C. Be careful using functions that use file names for identification for more information on avoiding race conditions resulting from the use of file names for identification.

It may also be necessary to call open() with O_NONBLOCK, as per rule FIO32-C. Do not perform operations on devices that are only appropriate for files, to ensure that the program does not hang when trying to open special files.
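The identity check described above, as an added example that is not code from the original page: the file is identified with fstat() on the open descriptor, and a later reopen is accepted only if st_dev and st_ino still match. The names file_id, open_and_identify, reopen_same_file, demo and the temporary file names are assumptions, as is the added regular-file check.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* File identity as described above: containing device plus file serial number. */
struct file_id { dev_t dev; ino_t ino; };

/* Open path and record its identity from the descriptor, never from the name. */
int open_and_identify(const char *path, int flags, mode_t mode, struct file_id *id) {
  struct stat st;
  int fd = open(path, flags | O_NONBLOCK, mode); /* O_NONBLOCK: do not hang on special files */
  if (fd == -1) return -1;
  /* Assumption for this example: only regular files are acceptable. */
  if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
  id->dev = st.st_dev;
  id->ino = st.st_ino;
  return fd;
}

/* Reopen path; return a descriptor only if it refers to the same file as *orig. */
int reopen_same_file(const char *path, int flags, const struct file_id *orig) {
  struct file_id now;
  int fd = open_and_identify(path, flags, 0, &now);
  if (fd == -1) return -1;
  if (now.dev != orig->dev || now.ino != orig->ino) { close(fd); return -1; }
  return fd;
}

/* Constructed scenario: the name is re-pointed at another file between the opens.
   Returns 1 if the honest reopen succeeds and the swapped one is rejected. */
int demo(void) {
  const char *path = "fio05_demo.tmp", *decoy = "fio05_decoy.tmp";
  struct file_id id, unused;
  int fd = open_and_identify(path, O_WRONLY | O_CREAT | O_TRUNC, 0600, &id);
  if (fd == -1) return -1;
  int same = reopen_same_file(path, O_RDONLY, &id);
  int d = open_and_identify(decoy, O_WRONLY | O_CREAT | O_TRUNC, 0600, &unused);
  if (d != -1) close(d);
  rename(decoy, path); /* path now names a different file */
  int swapped = reopen_same_file(path, O_RDONLY, &id);
  if (same != -1) close(same);
  if (swapped != -1) close(swapped);
  close(fd); /* fd was held open throughout, so its serial number could not be reused */
  unlink(path);
  return same != -1 && swapped == -1;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```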

...

A simpler solution is to not reopen the file. In this code example, the file is opened once for both writing and reading. Once writing is complete, the fseek() function resets the file pointer to the beginning of the file, and its contents are read back. See recommendation FIO07-C. Prefer fseek() to rewind().

Because the file is not reopened, the possibility of an attacker tampering with the file between the writes and subsequent reads is eliminated.

...

Be sure to use fflush() after writing data to the file, in accordance with rule FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call.

...

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO05-C | medium | probable | medium | P8 | L2 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Could report possible violations of this rule merely by reporting any open() or fopen() call that did not have a subsequent call to fstat() |

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: FIO05-CPP. Identify files using multiple file attributes.

...

[Drepper 06] Section 2.2.1, "Identification When Opening"

[ISO/IEC 9899:1999] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files"

[ISO/IEC TR 24772] "EWR Path Traversal"

MITRE CWE: CWE-37, "Path Issue - Slash Absolute Path"

MITRE CWE: CWE-38, "Path Issue - Backslash Absolute Path"

MITRE CWE: CWE-39, "Path Issue - Drive Letter or Windows Volume"

MITRE CWE: CWE-62, "UNIX Hard Link"

MITRE CWE: CWE-64, "Windows Shortcut Following (.LNK)"

MITRE CWE: CWE-65, "Windows Hard Link"

Bibliography

[Drepper 2006] Section 2.2.1, "Identification When Opening"

[MITRE 07] CWE ID 37 (http://cwe.mitre.org/data/definitions/37.html), "Path Issue - Slash Absolute Path"; CWE ID 38 (http://cwe.mitre.org/data/definitions/38.html), "Path Issue - Backslash Absolute Path"; CWE ID 39 (http://cwe.mitre.org/data/definitions/39.html), "Path Issue - Drive Letter or Windows Volume"; CWE ID 62 (http://cwe.mitre.org/data/definitions/62.html), "UNIX Hard Link"; CWE ID 64 (http://cwe.mitre.org/data/definitions/64.html), "Windows Shortcut Following (.LNK)"; and CWE ID 65 (http://cwe.mitre.org/data/definitions/65.html), "Windows Hard Link"

[Open Group 2004] "The open function," and "The fstat function"

[Seacord 2005] Chapter 7, "File I/O"

...