SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 81

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 82

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Deleted "I do not think this applies to file opens where the filename is a constant." from Automated Detection table

...

Tool

Version

Checker

Description

Fortify SCA

V. 5.0

 

 

Compass/ROSE

 

 

Could detect some violations of this rule. This rule applies only to untrusted file name strings, and ROSE cannot tell which strings are trusted and which are not. The best heuristic is to note if there is any verification of the file name before or after the fopen() call. If there is any verification, then the file opening should be preceded by an lstat() call and succeeded by an fstat() call. Although that does not enforce the rule completely, it does indicate that the coder is aware of the lstat-fopen-fstat idiom. I do not think this applies to file opens where the filename is a constant.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

ISO/IEC 9899:2011 Section 7.21.4, "Operations on files"

...

Sources

[Garfinkel 1996] Section 5.6, "Device files"
[Howard 2002] Chapter 11, "Canonical Representation Issues"
[Open Group 2004] open()

...