Invoking remove() on an open file is implementation-defined. Removing an open file is sometimes recommended to hide the names of temporary files that may be prone to attack. (see FIO43See FIO21-C. Handle Do not create temporary files securelyin shared directories.).
In cases requiring the removal of an open file, a more strongly defined function, such as the POSIX unlink() function, should be considered. To be strictly conforming and portable, remove() should not be called on an open file.
...
Noncompliant Code Example
The following non-compliant This noncompliant code example shows a case where a file is removed while it is still open.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name; FILE *file; /* ...Initialize file_name */ file = fopen(file_name, "w+"); if (fopenfile == NULL) { /* Handle error condition */ } /* ... */ if (remove(file_name); != 0) { /* Handle error condition */ } /* ... Continue performing I/O operations on file */ fclose(file); |
Some implementations will not remove "myfile" the file specified by file_name because the stream is still open.
Implementation Details
Code compiled using Microsoft Visual Studio C++ 2005 and run on compiled for Microsoft Windows XP prevents the remove() call from succeeding when the file is open, meaning that the file link will remain after execution completes.
Compliant Solution (POSIX)
...
This compliant solution uses the POSIX {{unlink()}} function to remove the file. The {{unlink()}} function is guaranteed to unlink the file from the file system hierarchy but keep the file on disk until all open instances of the file are closed ) is used \[[Open Group 04|AA. C References#Open Group 04]\][IEEE Std 1003.1:2013].
| Code Block | ||||
|---|---|---|---|---|
| ||||
FILE *file; char #include <unistd.h> FILE *file_name; /* ... Initialize file_name */ file = fopen(file_name, "w+"); if (fopenfile == NULL) { /* Handle error condition */ } if (unlink(file_name);) != 0) { /* Handle error condition */ } /* Continue performing I/O operations on file */ fclose(file); |
Note that there is a race window between the fopen() call and the unlink() call, which could be exploited. This exploitation can be mitigated if the operations occur in a secure directory; see FIO45-C. Avoid TOCTOU race conditions while accessing files for more information.
Risk Assessment
Calling remove() on an open file has different implications for different implementations and may cause abnormal termination if the removed file is written to or read from, or it may result in unintended information disclosure from files not deleted as intended.
Recommendation | Severity | Likelihood |
|---|
Detectable | Repairable | Priority | Level |
|---|---|---|---|
FIO08- |
C | Medium |
Probable |
No |
No | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| (customization) | Users can implement a custom check for calls to remove() on a file that is currently open. | ||||||
| Compass/ROSE | |||||||||
| Helix QAC |
| C5014 | |||||||
| LDRA tool suite |
| 81 D | Fully implemented | ||||||
| Polyspace Bug Finder |
| Checks for function remove() called on open file |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.4.1, "The remove function"
\[[Open Group 04|AA. C References#Open Group 04]\] [{{unlink()}}|http://www.opengroup.org/onlinepubs/000095399/functions/unlink.html] |
Related Guidelines
Bibliography
...
FIO07-A. Prefer fseek() to rewind() 09. Input Output (FIO) FIO09-A. Be careful with binary data when transferring data across systems