The C99 C fopen() function is used to open an existing file or create a new one [ISO/IEC 9899:19992011]. However, in C99C, fopen() does not indicate if indicate whether an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
FILE *fp;
/* initialize file_name */
fp = fopen(file_name, "w");
if (!fp) {
/* Handle error */
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
FILE *fp;
/* initialize file_name */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
/* Handle error */
}
|
Compliant Solution (fopen(),
...
C11)
The new C1x The C standard provides a new flag to address this problem. Section 7.21.5.3, paragraph 5 has the followingpara. 5 [ISO/IEC 9899:2011], states:
Opening a file with exclusive mode ('x' as the last character in the mode argument) fails if the file already exists or cannot be created. Otherwise, the file is created with exclusive (also known as non-shared) access to the extent that the underlying system supports exclusive access.
This option is also provided by the GNU C library ( [Loosemore 2007]).
This compliant solution uses the x mode character to instruct fopen() to fail rather than open an existing functions.
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
/* initialize file_name */
FILE *fp = fopen(file_name, "wx");
if (!fp) {
/* Handle error */
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
int new_file_mode;
/* initialize file_name and new_file_mode */
int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle error */
}
|
Care should be taken when using O_EXCL with remote file systems because it does not work with NFS version 2. NFS version 3 added support for O_EXCL mode in open(). IETF RFC 1813 defines the EXCLUSIVE value to the mode argument of CREATE [Callaghan 1995].:
EXCLUSIVEspecifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
int new_file_mode;
FILE *fp;
int fd;
/* initialize file_name and new_file_mode */
fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle error */
}
fp = fdopen(fd, "w");
if (fp == NULL) {
/* Handle error */
}
|
...
CERT C++ Secure Coding Standard: FIO03-CPP. Do not make assumptions about fopen() and file creation
ISO/IEC 9899:1999 Section 2011 Section 7.1921.3, "Files," and Section 7.1921.4, "Operations on Filesfiles"
ISO/IEC TR 24731-1:2007 Section 6.5.2.1, "The fopen_s function"
...
[Loosemore 2007] Section 12.3, "Opening Streamsstreams"
[Open Group 2004]
[Seacord 2005a] Chapter 7, "File I/O"
...