Page History

The C fopen() function is used to open an existing file or create a new one. The C11 version of the fopen() and fopen_s() functions function provides a mode flag,   x, that provides the mechanism needed to determine if the file that is to be opened exists. Not using this mode flag can lead to a program overwriting or accessing an unintended file.

...

char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "w");
if (!fp) {
  /* Handle error */
}

...

Compliant Solution (fopen

...

("x"), C11

...

)

The C11 Annex K fopen_s() function is designed to improve the security of Starting in C11 a new mode suffix ("x") was added to the fopen() function. Like the fopen() function, fopen_s() provides a mechanism to determine whether the file exists. See below for use of the exclusive mode flag.

char *file_name;
FILE *fp;

/* Initialize file_name */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
  /* Handle error */
}

Compliant Solution (fopen_s(), C11 Annex K)

The C Standard provides a new flag to address this problem. Subclause 7.21.5.3, paragraph 5  function which causes fopen() to return NULL if the file already exists or cannot be created [ISO/IEC 9899:2011], states:

Opening a file with exclusive mode ('x' as the last character in the mode argument) fails if the file already exists or cannot be created. Otherwise, the file is created with exclusive (also known as non-shared) access to the extent that the underlying system supports exclusive access.

This option is also provided by the GNU C library [Loosemore 2007].This compliant solution uses the x mode character to instruct fopen_s() to fail rather than open an existing file:

char *file_name;
FILE *fp;

/* Initialize file_name */

FILE *fp;
errno_t res = fopen(&fp, file_name, "wx");
if (res != 0fp) {
  /* Handle error */
}

Use of this option allows for the easy remediation of legacy code. However, note that Microsoft Visual Studio 2012 and earlier do not support the x mode character [MSDN].

Compliant Solution (open(), POSIX)

The open() function, as defined in the Open Group Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 6 [Open Group 20047 [IEEE Std 1003.1:2013], is available on many platforms and provides finer control than fopen(). In particular, open() accepts the O_CREAT and O_EXCL flags. When used together, these flags instruct the open() function to fail if the file specified by file_name already exists.

...

For code that operates on FILE pointers and not file descriptors, the POSIX fdopen() function can be used to associate an open stream with the file descriptor returned by open(), as shown in this compliant solution [Open Group 2004IEEE Std 1003.1:2013]:

char *file_name;
int new_file_mode;
FILE *fp;
int fd;

/* Initialize file_name and new_file_mode */

fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
  /* Handle error */
}

fp = fdopen(fd, "w");
if (fp == NULL) {
  /* Handle error */
}

...

The ability to determine whether an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted upon.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...

...

Image Modified Image Modified Image Modified