Versions Compared

Comment: Added section for C11 fopen("x") compliant solution.

The C fopen() function is used to open an existing file or create a new one. The C11 version of the fopen() function provides a mode flag, x, which is the mechanism needed to determine whether the file to be opened already exists. Not using this mode flag can lead to a program overwriting or accessing an unintended file.

...

Code Block (C, noncompliant):
char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "w");
if (!fp) {
  /* Handle error */
}

...

Compliant Solution (fopen("x"), C11)

Starting in C11, a new mode suffix ("x") was added to the fopen() function which causes fopen() to return NULL if the file already exists or cannot be created. Subclause 7.21.5.3, paragraph 5 [ISO/IEC 9899:2011], states:

...

This option is also provided by the GNU C library [Loosemore 2007].

Code Block (C, compliant):
char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "wx");
if (!fp) {
  /* Handle error: the file already exists or could not be created */
}

Compliant Solution (fopen_s(), C11 Annex K)

The C11 Annex K fopen_s() function is designed to improve the security of the fopen() function. Like the fopen() function, fopen_s() provides a mechanism to determine whether the file exists. See below for use of the exclusive mode flag.

Code Block (C, without the exclusive mode flag):
char *file_name;
FILE *fp;

/* Initialize file_name */

errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
  /* Handle error */
}

This compliant solution uses the x mode character to instruct fopen_s() to fail rather than open an existing file:

Code Block (C, compliant):
char *file_name;
FILE *fp;

/* Initialize file_name */

errno_t res = fopen_s(&fp, file_name, "wx");
if (res != 0) {
  /* Handle error: the file already exists or could not be created */
}

...

Compliant Solution (open(), POSIX)

...

The ability to determine whether an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted upon.
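As an added example that is not part of the CERT page, the following C code shows the exclusive mode described above next to the noncompliant "w" mode: the "wx" call reports EEXIST on a second attempt and leaves the existing content alone, while "w" silently truncates it. The function names (create_exclusively, overwrite_with_w, read_first_line) and the sample path are assumptions made for this example; it assumes a libc that supports the C11 x suffix (for example glibc) and a writable current directory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum create_result {  /* outcome of an exclusive-create attempt (assumed name) */
    CREATE_OK,      /* a new file was created */
    CREATE_EXISTS,  /* the file was already there; it was not touched */
    CREATE_ERROR    /* any other failure: permissions, bad path, I/O error */
};

/* Create path with C11 exclusive mode ("wx") and write content into it.
 * With the "x" suffix fopen() returns NULL and sets errno to EEXIST
 * instead of truncating a file that already exists. */
enum create_result create_exclusively(const char *path, const char *content) {
    FILE *fp = fopen(path, "wx");
    if (fp == NULL) {
        return (errno == EEXIST) ? CREATE_EXISTS : CREATE_ERROR;
    }
    if (fputs(content, fp) == EOF) {
        fclose(fp);
        return CREATE_ERROR;
    }
    return (fclose(fp) == 0) ? CREATE_OK : CREATE_ERROR;
}

/* Noncompliant pattern for contrast: plain "w" silently truncates an existing file. */
int overwrite_with_w(const char *path, const char *content) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(content, fp);
    return fclose(fp);
}

/* Read the first line of path into buf; 0 on success, -1 otherwise. */
int read_first_line(const char *path, char *buf, size_t size) {
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    const char *got = fgets(buf, (int)size, fp);
    fclose(fp);
    return got ? 0 : -1;
}

int main(void) {
    const char *path = "fio03c_demo.txt";  /* constructed sample path */
    remove(path);                           /* start from a clean slate */
    int first = create_exclusively(path, "first\n");   /* CREATE_OK */
    int second = create_exclusively(path, "second\n"); /* CREATE_EXISTS */
    printf("first=%d second=%d\n", first, second);
    return remove(path);
}
```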

Risk Assessment

Recommendation: FIO03-C
Severity: Medium
Likelihood: Probable
Detectable: No
Remediation Cost: High
Repairable: No
Priority: P4
Level: L3

Automated Detection

Tool | Version | Checker | Description
Coverity | 6.5 | OPEN_ARGS | Fully implemented
Helix QAC | Helix QAC_V | C5012 |
LDRA tool suite | LDRA_V | 44 S | Enhanced Enforcement
Polyspace Bug Finder | R2016a | Use of non-secure temporary file | Temporary generated file name not secure
Polyspace Bug Finder | Polyspace Bug Finder_V | CERT C: Rec. FIO03-C | Checks for file not opened in exclusive mode
PRQA QA-C | PRQA QA-C_v | warncall for fopen and fopen_s | Partially implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[Callaghan 1995] IETF RFC 1813, NFS Version 3 Protocol Specification
[IEEE Std 1003.1:2013] System Interfaces: open
[ISO/IEC 9899:2011] Subclause 7.21.5.3, "The fopen Function"; Subclause K.3.5.2.1, "The fopen_s Function"
[Loosemore 2007] Section 12.3, "Opening Streams"
[Seacord 2013] Chapter 8, "File I/O"
