SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 89

changes.mady.by.user Liz Whiting

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

Many file-related vulnerabilities are exploited to cause a program to access an unintended file. Proper file identification is necessary to prevent exploitation.

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

FIO05-C

Medium

Probable

No

Medium

No

P8

P4

L2

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

 

 



Could report possible violations of this rule merely by reporting any open() or fopen() call that did not have a subsequent call to fstat()

LDRA tool suite
Include Page
LDRA_V
LDRA_V
44 SEnhanced Enforcement

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID FIO05-CPP. Identify files using multiple file attributes
ISO/IEC TR 24772:2013Path Traversal [EWR]
MITRE CWECWE-37, Path issue—Slash absolute path
CWE-38, Path Issue—Backslash absolute path
CWE-39, Path Issue—Drive letter or Windows volume
CWE-62, UNIX hard link
CWE-64, Windows shortcut following (.LNK)
CWE-65, Windows hard link

Bibliography

[Drepper 2006]Section 2.2.1 "Identification when Opening"
[IEEE Std 1003.1:2013]System Interfaces: open
System Interfaces: fstat
[Seacord 2013]Chapter 8, "File I/O"

...


...

Image Modified Image Modified Image Modified