SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 55 Next »

Invoking remove() on an open file is implementation-defined. Removing an open file is sometimes recommended to hide the names of temporary files that may be prone to attack (see FIO43-C. Do not create temporary files in shared directories).

In cases requiring the removal of an open file, a more strongly defined function, such as the POSIX unlink() function, should be considered. To be strictly conforming and portable, remove() should not be called on an open file.

Noncompliant Code Example

The following noncompliant code example shows a case where a file is removed while it is still open.

char *file_name;
FILE *file;

/* initialize file_name */

file = fopen(file_name, "w+");
if (file == NULL) {
  /* Handle error condition */
}

/* ... */

if (remove(file_name) != 0) {
  /* Handle error condition */
}

/* continue performing I/O operations on file */

fclose(file);

Some implementations will not remove the file specified by file_name because the stream is still open.

Implementation Details

Code compiled using Microsoft Visual Studio C++ 2005 and run on Microsoft Windows XP prevents the remove() call from succeeding when the file is open, meaning that the file link will remain after execution completes.

Compliant Solution (POSIX)

This compliant solution uses the POSIX unlink() function to remove the file. The unlink() function is guaranteed to unlink the file from the file system hierarchy but keep the file on disk until all open instances of the file are closed [Open Group 04].

FILE *file;
char *file_name;

/* initialize file_name */

file = fopen(file_name, "w+");
if (file == NULL) {
  /* Handle error condition */
}

if (unlink(file_name) != 0) {
  /* Handle error condition */
}

/*... continue performing I/O operations on file ...*/

fclose(file);

Risk Assessment

Calling remove() on an open file has different implications for different implementations and may cause abnormal termination if the removed file is written to or read from, or may result in unintended information disclosure from files not deleted as intended.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO08-C

medium

probable

high

P4

L3

Automated Detection

Compass/ROSE can detect some violations of this rule.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as FIO08-CPP. Take care when calling remove() on an open file.

Bibliography

[ISO/IEC 9899:1999] Section 7.19.4.1, "The remove function"
[Open Group 04] unlink()

FIO07-C. Prefer fseek() to rewind()      09. Input Output (FIO)      

  • No labels