The C fopen() function is used to open an existing file or create a new one. The C11 version of the fopen() and fopen_s() functions function provides a mode flag, x, that provides the mechanism needed to determine if the file that is to be opened exists. Not using this mode flag can lead to a program overwriting or accessing an unintended file.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
FILE *fp;
/* Initialize file_name */
fp = fopen(file_name, "w");
if (!fp) {
/* Handle error */
}
|
...
Compliant Solution (fopen
...
("x"), C11
...
)
The C11 Annex K fopen_s() function is designed to improve the security of Starting in C11 a new mode suffix ("x") was added to the fopen() function. Like the fopen() function, fopen_s() provides a mechanism to determine whether the file exists. See below for use of the exclusive mode flag.
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
FILE *fp;
/* Initialize file_name */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
/* Handle error */
}
|
Compliant Solution (fopen_s(), C11 Annex K)
The C Standard provides a new flag to address this problem. Subclause 7.21.5.3, paragraph 5 function which causes fopen() to return NULL if the file already exists or cannot be created [ISO/IEC 9899:2011], states:
Opening a file with exclusive mode ('x' as the last character in the mode argument) fails if the file already exists or cannot be created. Otherwise, the file is created with exclusive (also known as non-shared) access to the extent that the underlying system supports exclusive access.
This option is also provided by the GNU C library [Loosemore 2007].This compliant solution uses the x mode character to instruct fopen_s() to fail rather than open an existing file:
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name; FILE *fp; /* Initialize file_name */ FILE *fp; errno_t res fp = fopen_s(&fp, file_name, "wx"); if (res != 0fp) { /* Handle error */ } |
...
Compliant Solution (open(), POSIX)
...
Recommendation | Severity | Likelihood | Detectable | Remediation CostRepairable | Priority | Level |
|---|---|---|---|---|---|---|
FIO03-C | Medium | Probable | No | NoHigh | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Coverity | 6.5 | OPEN_ARGS | Fully implemented | ||||||
| Helix QAC |
| C5012 | |||||||
| LDRA tool suite |
| 44 S | Enhanced Enforcement | ||||||
| Polyspace Bug Finder |
| CERT C: Rec. FIO03-C | Checks for file not opened in exclusive mode |
...
| SEI CERT C++ Coding Standard | VOID FIO03-CPP. Do not make assumptions about fopen() and file creation | ISO/IEC TR 24731-1:2007 | Section 6.5.2.1, "The fopen_s Function" |
Bibliography
| [Callaghan 1995] | IETF RFC 1813 NFS Version 3 Protocol Specification |
| [IEEE Std 1003.1:2013] | System Interfaces: open |
| [ISO/IEC 9899:2011] | Subclause 7.21.5.3, "The fopen |
Subclause K.3.5.2.1, "The
fopen_s | Function" | |
| [Loosemore 2007] | Section 12.3, "Opening Streams" |
| [Seacord 2013] | Chapter 8, "File I/O" |
...