The C99 tandard function fopen() is typically used to open an existing file or create a new one [[ISO/IEC 9899:1999]]. However, fopen() does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file.
For examples on how to just check for the existence of a file without actually opening it, please see FIO10-A. Take care when using the rename() function.
Non-Compliant Code Example: fopen()
In this example, an attempt is made to check whether a file exists before opening it for writing by trying to open the file for reading.
FILE *fp = fopen(file_name,"r");
if (!fp) { /* file does not exist */
fp = fopen(file_name,"w");
/* ... */
fclose(fp);
} else {
/* file exists */
fclose(fp);
}
However, this code suffers from a Time of Check, Time of Use (or TOCTOU) vulnerability (see [[Seacord 05]] Section 7.2). On a shared multitasking system there is a window of opportunity between the first call of fopen() and the second call for a malicious attacker to, for example, create a link with the given file name to an existing file so that the existing file is overwritten by the second call of fopen() and the subsequent writing to the file.
Non-Compliant Code Example: fopen_s() (ISO/IEC TR 24731-1)
The fopen_s() function defined in ISO/IEC TR 24731-1:2007 is designed to improve the security of the fopen() function. However, like fopen(), fopen_s() provides no mechanism to determine if an existing file has been opened for writing or a new file has been created. The code below contains the same TOCTOU race condition as the first non-compliant code example using fopen().
FILE *fptr;
errno_t res = fopen_s(&fptr, file_name, "r");
if (res != 0) { /* file does not exist */
res = fopen_s(&fptr, file_name, "w");
/* ... */
fclose(fptr);
} else {
fclose(fptr);
}
Compliant Solution: open() (POSIX)
The open() function as defined in the Open Group Base Specifications Issue 6 [[Open Group 04]] is available on many platforms and provides the control that fopen() does not provide. If the O_CREAT and O_EXCL flags are used together, the open() function fails when the file specified by file_name already exists.
int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
Care should be observed when using O_EXCL with remote file systems as it does not work with NFS version 2. NFS version 3 added support for O_EXCL mode in open(); see IETF RFC 1813, in particular the EXCLUSIVE value to the mode argument of CREATE [[Callaghan 95]].
Compliant Solution: fdopen() (POSIX)
For code that operates on FILE pointers and not file descriptors, the POSIX fdopen() function [[Open Group 04]] can be used to associate an open stream with the file descriptor returned by open(), as shown in this compliant solution.
FILE *fp;
int fd;
fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
fp = fdopen(fd, "w");
if (fp == NULL) {
/* Handle Error */
}
Risk Assessment
The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that the intended file is accessed, or perhaps more importantly, a file other than the intended file is not acted upon.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO03-A |
medium |
probable |
high |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899:1999]] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files"
[[ISO/IEC TR 24731-1:2007]] Section 6.5.2.1, "The fopen_s function"
[[Open Group 04]]
[[Seacord 05]] Chapter 7, "File I/O"
FIO02-A. Canonicalize path names originating from untrusted sources 09. Input Output (FIO) FIO04-A. Detect and handle input and output errors