...

In this non-compliant example, derived from a vulnerability in OpenBSD's chpass program [NAI 98], a file containing sensitive data is opened for reading. The program then retrieves the registered editor from the EDITOR environment variable and executes it using the system() command. If the system() command is implemented in a way that spawns a child process, the child process inherits the file descriptors opened by its parent. As a result, the child process, in this example whatever program is specified by the EDITOR environment variable, will be able to access the contents of the potentially sensitive file called file_name.

#include <stdio.h>
#include <stdlib.h>

FILE* f;
char *editor;

f = fopen(file_name, "r");
if (f == NULL) {
  /* Handle fopen() error */
}
/* ... */
editor = getenv("EDITOR");
if (editor == NULL) {
  /* Handle getenv() error */
}
/* f is still open here: the editor launched by system() inherits it */
system(editor);

...

On UNIX-based systems, child processes are typically spawned using some form of fork() and exec(), and the child process always receives copies of its parent's file descriptors. Under Microsoft Windows, the CreateProcess() function is typically used to start a child process. In Windows, file-handle inheritance is determined on a per-file basis. Additionally, the CreateProcess() function itself provides a mechanism to limit file-handle inheritance. As a result, the child process spawned by CreateProcess() may not receive copies of the parent process's open file handles.
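The following program is an added example (not part of this rule's own code) that makes the inheritance described above observable on a POSIX system: it opens a constructed temporary file, spawns a child through fork()/exec() the way system() does, and reports whether the child can still use the descriptor, first with the descriptor left as the non-compliant example leaves it and then with FD_CLOEXEC set via fcntl(). The helper names child_inherits(), open_sensitive() and leak_demo() and the /tmp path are this example's own assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn a child with fork()/exec(), as system() does on POSIX, and report
 * whether it can still use descriptor fd: 1 = inherited, 0 = not, -1 = error.
 * The child asks /bin/sh to redirect from fd; that redirection fails (non-zero
 * exit status) once the descriptor has been closed on exec. */
static int child_inherits(int fd) {
    char script[32];
    int status;
    snprintf(script, sizeof script, ": <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127); /* only reached if exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Open file_name for reading; if close_on_exec is set, mark the descriptor
 * FD_CLOEXEC so that any exec'd child loses it. Returns the descriptor or -1. */
static int open_sensitive(const char *file_name, int close_on_exec) {
    int fd = open(file_name, O_RDONLY);
    if (fd < 0) return -1;
    if (close_on_exec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Write a constructed "sensitive" temp file, open it the way the example does,
 * and check whether a spawned child inherits it. Returns child_inherits(). */
static int leak_demo(int close_on_exec) {
    char path[] = "/tmp/sensitive-XXXXXX"; /* constructed sample file */
    int fd, result, tmp = mkstemp(path);
    if (tmp < 0) return -1;
    if (write(tmp, "constructed secret\n", 19) != 19) { close(tmp); unlink(path); return -1; }
    close(tmp);
    fd = open_sensitive(path, close_on_exec);
    result = (fd < 0) ? -1 : child_inherits(fd);
    if (fd >= 0) close(fd);
    unlink(path);
    return result;
}
```

leak_demo(0) returns 1 (the child shell can read from the inherited descriptor), while leak_demo(1) returns 0; closing the file before system(), as in the compliant solution below, gives the same result as FD_CLOEXEC.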

Compliant Solution

In this compliant solution, the file named by file_name is closed before launching the editor.

#include <stdio.h>
#include <stdlib.h>

FILE* f;
char *editor;

f = fopen(file_name, "r");
if (f == NULL) {
  /* Handle fopen() error */
}
/* ... */
fclose(f);
f = NULL;
editor = getenv("EDITOR");
if (editor == NULL) {
  /* Handle getenv() error */
}
/* Sanitize environment before calling system()! */
system(editor);

Several security issues remain in this example. Compliance with recommendations such as [STR02-A. Sanitize data passed to complex subsystems] and [FIO02-A. Canonicalize path names originating from untrusted sources] is necessary to prevent exploitation. However, following these recommendations does not address the specific issue of file descriptor leakage addressed here.

Compliant Solution (POSIX)

...