The C99 {{fopen()}} function is used to open an existing file or create a new one \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]. However, {{fopen()}} does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file. |
For examples on how to just check for the existence of a file without actually opening it, please see FIO10-A. Take care when using the rename() function.
fopen()In this example, an attempt is made to check whether a file exists before opening it for writing by trying to open the file for reading.
FILE *fp = fopen(file_name,"r");
if (!fp) { /* file does not exist */
fp = fopen(file_name,"w");
/* ... */
fclose(fp);
} else {
/* file exists */
fclose(fp);
}
|
However, this code suffers from a _Time of Check, Time of Use_ (or _TOCTOU_) vulnerability (see \[[Seacord 05|AA. C References#Seacord 05]\] Section 7.2). On a shared multitasking system there is a window of opportunity between the first call of {{fopen()}} and the second call for a malicious attacker to, for example, create a link with the given file name to an existing file so that the existing file is overwritten by the second call of {{fopen()}} and the subsequent writing to the file. |
fopen_s() (ISO/IEC TR 24731-1)The fopen_s() function defined in ISO/IEC TR 24731-1:2007 is designed to improve the security of the fopen() function. However, like fopen(), fopen_s() provides no mechanism to determine if an existing file has been opened for writing or a new file has been created. The code below contains the same TOCTOU race condition as the first non-compliant code example using fopen().
FILE *fptr;
errno_t res = fopen_s(&fptr, file_name, "r");
if (res != 0) { /* file does not exist */
res = fopen_s(&fptr, file_name, "w");
/* ... */
fclose(fptr);
} else {
fclose(fptr);
}
|
open() (POSIX)The {{open()}} function as defined in the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\] is available on many platforms and provides the control that {{fopen()}} does not provide. If the {{O_CREAT}} and {{O_EXCL}} flags are used together, the {{open()}} function fails if the file specified by {{file_name}} already exists. |
int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
|
Care should be observed when using {{O_EXCL}} with remote file systems as it does not work with NFS version 2. NFS version 3 added support for {{O_EXCL}} mode in {{open()}}; see IETF RFC 1813, in particular the {{EXCLUSIVE}} value to the {{mode}} argument of {{CREATE}} \[[Callaghan 95|AA. C References#Callaghan 95]\]. |
fopen() (GNU)Section 12.3 of the GNU C Library says: \[[Loosemore 07|AA. C References#Loosemore 07]\] |
The GNU C library defines one additional character for use in
opentype: the character 'x' insists on creating a new fileâ”if a filefilenamealready exists,fopenfails rather than opening it. If you use 'x' you are guaranteed that you will not clobber an existing file. This is equivalent to theO_EXCLoption to theopenfunction.
FILE *fp = fopen(file_name,"wx");
if (!fp) {
/* Handle Error */
}
|
Use of this non portable extension can allow for easy remediation of legacy code.
fdopen() (POSIX)For code that operates on {{FILE}} pointers and not file descriptors, the POSIX {{fdopen()}} function \[[Open Group 04|AA. C References#Open Group 05]\] can be used to associate an open stream with the file descriptor returned by {{open()}}, as shown in this compliant solution. |
FILE *fp;
int fd;
fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
fp = fdopen(fd, "w");
if (fp == NULL) {
/* Handle Error */
}
|
The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that the intended file is accessed, or perhaps more importantly, a file other than the intended file is not acted upon.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO03-A |
medium |
probable |
high |
P4 |
L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files"
\[[ISO/IEC TR 24731-1:2007|AA. C References#SO/IEC TR 24731-1-2007]\] Section 6.5.2.1, "The {{fopen_s}} function"
\[[Loosemore 07|AA. C References#Loosemore 07]\] [Section 12.3, "Opening Streams"|http://www.gnu.org/software/libc/manual/html_node/Opening-Streams.html]
\[[Open Group 04|AA. C References#Open Group 04]\]
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 7, "File I/O" |
FIO02-A. Canonicalize path names originating from untrusted sources 09. Input Output (FIO) FIO04-A. Detect and handle input and output errors