Invoking remove() on an open file is implementation-defined. Consequently, care must be taken when remove() is called on an open file. Removing an open file is sometimes recommended to hide the names of temporary files that may be prone to attack (see [[TMP30-C. Temporary files must be created with unique and unpredictable file names]]). In these cases, the intended implementations need to be considered, and an alternate, more strongly defined function, such as The Open Group's unlink(), should be used. To be strictly conforming and portable, remove() should not be called on an open file.
Non-Compliant Code Example
The following non-compliant code example illustrates a case where a file is removed while it is still open.
FILE *file;
/* ... */
file = fopen("myfile", "w+");
if (file == NULL) {
  /* Handle error condition */
}
/* ... */
remove("myfile"); /* the stream is still open: implementation-defined */
/* ... */
Some implementations will not remove "myfile" because the stream is still open.
Implementation Details
Code compiled using Microsoft Visual Studio C++ 2005 and run on Microsoft Windows XP prevents the remove() call from succeeding when the file is open, meaning that the file link will remain after execution completes.
Compliant Solution
The compliant solution depends on programmer intent. If the programmer simply neglected to close the file before attempting to remove it, the file can simply be closed before the remove is attempted.
FILE *file;
/* ... */
file = fopen("myfile", "w+");
if (file == NULL) {
  /* Handle error condition */
}
/* ... */
fclose(file);     /* close the stream first */
remove("myfile"); /* the file is no longer open */
It is not possible to (portably) remove the link from the file system while the file is open using remove(). While this may be possible on some implementations, it is important to document the dependency on implementation-defined behavior.
Compliant Solution (POSIX)
In this compliant solution intended for POSIX environments, The Open Group's unlink() function (which is guaranteed by The Open Group Base Specifications Issue 6 to unlink the file from the file system hierarchy but keep the file on disk until all open instances of it are closed) is used.
#include <stdio.h>
#include <unistd.h>
FILE *file;
/* ... */
file = fopen("myfile", "w+");
if (file == NULL) {
  /* Handle error condition */
}
unlink("myfile"); /* removes the name; the data stays until the last close */
fclose(file);
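The behavior this POSIX solution relies on can be checked directly. The following is an added example, not part of the original rule text; the function name unlink_while_open_demo, the /tmp path template, and the use of mkstemp() with fdopen() (to avoid a fixed file name) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if the unlinked-but-open file behaves as POSIX specifies,
 * or a negative number identifying the step that failed. */
int unlink_while_open_demo(void) {
  char path[] = "/tmp/fio08_demo_XXXXXX"; /* constructed name, demo only */
  const char msg[] = "scratch data";
  char buf[sizeof msg] = {0};
  struct stat st;
  int rc = 0;

  int fd = mkstemp(path); /* creates and opens a uniquely named file */
  if (fd == -1) return -1;
  FILE *file = fdopen(fd, "w+");
  if (file == NULL) { close(fd); unlink(path); return -2; }

  /* Remove the directory entry while the stream is still open. */
  if (unlink(path) != 0) { fclose(file); return -3; }

  if (stat(path, &st) == 0) {
    rc = -4; /* the name should no longer exist */
  } else if (fstat(fileno(file), &st) != 0 || st.st_nlink != 0) {
    rc = -5; /* the open file should remain, with a link count of zero */
  } else if (fputs(msg, file) == EOF || fflush(file) == EOF) {
    rc = -6; /* writing through the stream should still work */
  } else if (fseek(file, 0L, SEEK_SET) != 0) {
    rc = -7;
  } else if (fread(buf, 1, sizeof msg - 1, file) != sizeof msg - 1 ||
             memcmp(buf, msg, sizeof msg - 1) != 0) {
    rc = -8; /* reading the data back should still work */
  }

  /* The storage is released once the last open instance is closed. */
  if (fclose(file) == EOF && rc == 0) rc = -9;
  return rc;
}

int main(void) {
  int rc = unlink_while_open_demo();
  printf("unlink_while_open_demo() = %d\n", rc);
  return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```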
Risk Assessment
Calling remove() on an open file has different implications for different implementations and may cause abnormal termination if the closed file is written to or read from, or may result in unintended information disclosure from not actually deleting a file as intended.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO08-A | 2 (medium) | 1 (unlikely) | 2 (medium) | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.19.4.1, "The remove function"