SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 146

changes.mady.by.user John Benito

Saved on

compared with

New Version Current

changes.mady.by.user Richard W. Laughlin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added section for C11 fopen("x") compliant solution.

The C fopen() function is used to open an existing file or create a new one. The C11 version of the fopen() and fopen_s() provides function provides a mode flag ', x' , that provides the mechanism needed to determine if the file that is to be opened exists.  Not Not using this mode flag can lead to a program overwriting or accessing an unintended file.

...

Code Block
bgColor#FFCCCC
langc
char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "w");
if (!fp) {
  /* Handle error */
}

...

Compliant Solution (fopen

...

("x"), C11

...

)

The C11 Annex K fopen_s() function is designed to improve the security of Starting in C11 a new mode suffix ("x") was added to the fopen() function [ISO/IEC 9899:2011]. Like the C11  function which causes fopen(), the C11 Annex K fopen_s() provides a mechanism to determine to return NULL if the file exists.  See below for use of the exclusive mode flag.

Code Block
bgColor#FFCCCC
langc
char *file_name;
FILE *fp;

/* Initialize file_name */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
  /* Handle error */
}

Compliant Solution (fopen(), C11)

The C Standard provides a new flag to address this problem. Section 7.21.5.3, paragraph 5 already exists or cannot be created [ISO/IEC 9899:2011], states:

Opening a file with exclusive mode ('x' as the last character in the mode argument) fails if the file already exists or cannot be created. Otherwise, the file is created with exclusive (also known as non-shared) access to the extent that the underlying system supports exclusive access.

This option is also provided by the GNU C library [Loosemore 2007].

This compliant solution uses the x mode character to instruct fopen() to fail rather than open an existing file.

Code Block
bgColor#ccccff
langc
char *file_name;
FILE *fp;

/* Initialize file_name */

FILE *fp = fopen(file_name, "wx");
if (!fp) {
  /* Handle error */
}

...

Compliant Solution (open(), POSIX)
The open() function, as defined in the Open Group Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue  6 [Open Group 20047 [IEEE Std 1003.1:2013], is available on many platforms and provides finer control than fopen(). In particular, open() accepts the O_CREAT and O_EXCL flags. When used together, these flags instruct the open() function to fail if the file specified by file_name already exists.
...
EXCLUSIVE specifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.
For examples on of how to check for the existence of a file without opening it, see recommendation FIO10-C. Take care when using the rename() function.
...
For code that operates on FILE pointers and not file descriptors, the POSIX fdopen() function can be used to associate an open stream with the file descriptor returned by open(), as shown in this compliant solution [Open Group 2004].IEEE Std 1003.1:2013]:
 Code Block
bgColor#ccccff
langc
char *file_name;
int new_file_mode;
FILE *fp;
int fd;

/* Initialize file_name and new_file_mode */

fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle error */
}

fp = fdopen(fd, "w");
if (fp == NULL) {
  /* Handle error */
}

Compliant Solution (Windows)
The Win32 API  CreateFile()  allows a programmer to create or open a file depending on the flags passed in. Passing in the CREATE_NEW flag ensures the call fails if the file already exists. This compliant solution demonstrates how to open a file for reading and writing without sharing access to the file such that the call fails if the file already exists.
 Code Block
bgColor#ccccff
langc
TCHAR *file_name;
HANDLE hFile = CreateFile(file_name, GENERIC_READ | GENERIC_WRITE, 0, 0, 
                          CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0);
if (INVALID_HANDLE_VALUE == hFile) {
  DWORD err = GetLastError();
  if (ERROR_FILE_EXISTS == err) {
    /* Handle file exists error */
  } else {
    /* Handle other error */
  }
}
Risk Assessment
The ability to determine if whether an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted upon.
        
Recommendation
Severity
Likelihood
Remediation Cost
Detectable
Repairable
Priority
Level
FIO03-C
Medium
medium
Probable
probable
No
high
No
 P4 
 L3 
Automated Detection
     
Tool
Version
Checker
Description
Coverity6.5OPEN_ARGSFully 
 ImplementedPRQA QA-C Include PagePRQA_VPRQA_Vwarncall for fopen and fopen_s
implemented
Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C5012
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
44 SEnhanced Enforcement
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C: Rec. FIO03-CChecks for file not opened in exclusive mode
Partially implemented
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
   
SEI CERT C++ 
 Secure 
 Coding StandardVOID FIO03-CPP. Do not make assumptions about fopen() and file creation
ISO/IEC TR 24731-1:2007Section 6.5.2.1, "The fopen_s Function"
Bibliography
   
[Callaghan 1995]IETF RFC 1813 NFS Version 3 Protocol Specification
[
ISO/IEC 9899:2011]Section 7.21.5.3, "The fopen Function"
IEEE Std 1003.1:2013]System Interfaces: open
[ISO/IEC 9899:2011]
Annex K
Subclause 7.
3
21.5.
2.1
3, "The fopen
_s [
 Function"
[Loosemore 2007]Section 12.3, "Opening Streams"
[
Open Group 2004]
Seacord 2013]Chapter 8, "File I/O"
...

...
 Image Modified   Image Modified  Image Modified