Page History

The ISO/IEC 9899-1999 C specification provides standard functions to manipulate files that are designed to avoid the details of the underlying system. However, file manipulation and file operations are inherently tied to the operating system. Many of the common vulnerabilities associated with file operations exist because the ISO/IEC 9899-1999 C specification lacks facilities to adequately interact with files and the file system, making it impossible to specify the correct behavior.

A better way to interact with files, in terms of security, is to use functions designed for the native system. Many implementation specific functions offer a level of control over file objects that the ISO/IEC 9899-1999 C specification does not.

Additionally, there are well-known recommendations for dealing with common file operations securely that use non-standard functions. This recommendation opens those options up to implementers of this standard.

Non-Compliant Example 1

The C99 standard function fopen()function is typically used to open an existing , and file or create a new files. However, one. The C11 version of the fopen() does not provide a way to test file existence potentially allowing a program to overwrite or access and unintended file.

In this example, a file name is supplied to fopen() to create and open for writing. Howerver, there is no gauruntee that the file referenced by file_name does not exist prior to calling fopen(). This may cause an unintended file to be overwritten.

function provides a mode flag, x, that provides the mechanism needed to determine if the file that is to be opened exists. Not using this mode flag can lead to a program overwriting or accessing an unintended file.

Noncompliant Code Example (fopen())

In this noncompliant code example, the file referenced by file_name is opened for writing. This example is noncompliant if the programmer's intent was to create a new file, but the referenced file already exists.

char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "w");
if (!fp) {
  /* Handle error */
}

Compliant Solution (fopen("x"), C11)

Starting in C11 a new mode suffix ("x") was added to the fopen() function which causes fopen() to return NULL if the file already exists or cannot be created [ISO/IEC 9899:2011].

char *file_name;
FILE *fp;

/* Initialize file_name */

fp

...
FILE * fptr = fopen(file_name, "wwx");
if (!fptrfp) {
  /* Handle Errorerror */
}
...

Compliant Solution

...

(open(), POSIX)

The open() function (, as defined in the POSIX standard) provides a a way to test for file existence . If Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 [IEEE Std 1003.1:2013], is available on many platforms and provides finer control than fopen(). In particular, open() accepts the O_CREAT and O_EXCL flags are . When used together, these flags instruct the open() function will to fail if the file file specified by file_name already exists.

char *file_name;
int new_file_mode;

/* Initialize file_name and new_file_mode */

int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle error */
}

Care should be taken when using O_EXCL with remote file systems because it does not work with NFS version 2. NFS version 3 added support for O_EXCL mode in open(). IETF RFC 1813 [Callaghan 1995] defines the EXCLUSIVE value to the mode argument of CREATE:

EXCLUSIVE specifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.

For examples of how to check for the existence of a file without opening it, see recommendation FIO10-C. Take care when using the rename() function.

Compliant Solution (fdopen(), POSIX)

For code that operates on FILE pointers and not file descriptors, the POSIX fdopen() function can be used to associate an open stream with the file descriptor returned by open(), as shown in this compliant solution [IEEE Std 1003.1:2013]:

char *file_name;
int new_file_mode;
FILE *fp;
int fd;

/* Initialize file_name and new_file_mode */

fd = open(file_name, O_CREAT | O_EXCL | O_WR_ONLYWRONLY, 0600new_file_mode);
if (fd == -1) {
  /* Handle Error error */
}

fp = fdopen(fd, "w");
if (fp == NULL) {
  /* Handle error */
}

Compliant Solution (Windows)

The Win32 API  CreateFile() allows a programmer to create or open a file depending on the flags passed in. Passing in the CREATE_NEW flag ensures the call fails if the file already exists.

...

This compliant solution demonstrates how to open a file for reading and writing without sharing access to the file such that the call fails if the file already exists.

TCHAR *file_name;
HANDLE hFile = CreateFile(file_name, GENERIC_READ | GENERIC_WRITE, 0, 0, 
                          CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0);
if (INVALID_HANDLE_VALUE == hFile) {
  DWORD err = GetLastError();
  if (ERROR_FILE_EXISTS == err) {
    /* Handle file exists error */
  } else {
    /* Handle other error */
  }
}

Risk Assessment

The ability to determine whether an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted upon.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...

Image Added Image Added Image Added

References

...