The C99 {{fopen()}} function is used to open an existing file or create a new one \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\]. However, {{fopen()}} does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file. |
fopen()
)In this noncompliant code example, the file referenced by file_name
is opened for writing. This example is noncompliant if the programmer's intent was to create a new file, but the referenced file already exists.
char *file_name; FILE *fp; /* initialize file_name */ fp = fopen(file_name, "w"); if (!fp) { /* Handle error */ } |
fopen_s()
, ISO/IEC TR 24731-1)The ISO/IEC TR 24731-1 {{fopen_s()}} function is designed to improve the security of the {{fopen()}} function \[[ISO/IEC TR 24731-1:2007|AA. Bibliography#SO/IEC TR 24731-1-2007]\]. However, like {{fopen()}}, {{fopen_s()}} provides no mechanism to determine if an existing file has been opened for writing or a new file has been created. |
char *file_name; FILE *fp; /* initialize file_name */ errno_t res = fopen_s(&fp, file_name, "w"); if (res != 0) { /* Handle error */ } |
open()
, POSIX)The {{open()}} function, as defined in the Open Group Base Specifications Issue 6 \[[Open Group 2004|AA. Bibliography#Open Group 04]\], is available on many platforms and provides finer control than {{fopen()}}. In particular, {{open()}} accepts the {{O_CREAT}} and {{O_EXCL}} flags. When used together, these flags instruct the {{open()}} function to fail if the file specified by {{file_name}} already exists. |
char *file_name; int new_file_mode; /* initialize file_name and new_file_mode */ int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode); if (fd == -1) { /* Handle error */ } |
Care should be taken when using {{O_EXCL}} with remote file systems because it does not work with NFS version 2. NFS version 3 added support for {{O_EXCL}} mode in {{open()}}. IETF RFC 1813 defines the {{EXCLUSIVE}} value to the {{mode}} argument of {{CREATE}} \[[Callaghan 1995|AA. Bibliography#Callaghan 95]\]. |
EXCLUSIVE
specifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.
For examples on how to check for the existence of a file without opening it, see recommendation FIO10-C. Take care when using the rename() function.
fopen()
, GNU)Section 12.3 of the GNU C Library says \[[Loosemore 2007|AA. Bibliography#Loosemore 07]\] |
The GNU C library defines an additional character for use in
opentype
: the character 'x
' insists on creating a new fileâ”if a filefilename
already exists,fopen
fails rather than opening it. If you use 'x
' you are guaranteed that you will not clobber an existing file. This is equivalent to theO_EXCL
option to theopen
function.
This compliant solution uses the x
mode character to instruct fopen()
to fail rather than open an existing functions.
char *file_name; /* initialize file_name */ FILE *fp = fopen(file_name, "wx"); if (!fp) { /* Handle error */ } |
Use of this (nonportable) extension allows for the easy remediation of legacy code.
fdopen()
, POSIX)For code that operates on {{FILE}} pointers and not file descriptors, the POSIX {{fdopen()}} function can be used to associate an open stream with the file descriptor returned by {{open()}}, as shown in this compliant solution \[[Open Group 2004|AA. Bibliography#Open Group 04]\]. |
char *file_name; int new_file_mode; FILE *fp; int fd; /* initialize file_name and new_file_mode */ fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode); if (fd == -1) { /* Handle error */ } fp = fdopen(fd, "w"); if (fp == NULL) { /* Handle error */ } |
The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted upon.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
FIO03-C |
medium |
probable |
high |
P4 |
L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
CERT C++ Secure Coding Standard: FIO03-CPP. Do not make assumptions about fopen() and file creation
\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files" |
\[[ISO/IEC TR 24731-1:2007|AA. Bibliography#SO/IEC TR 24731-1-2007]\] Section 6.5.2.1, "The {{fopen_s}} function" |
\[[Loosemore 2007|AA. Bibliography#Loosemore 07]\] [Section 12.3, "Opening Streams"|http://www.gnu.org/software/libc/manual/html_node/Opening-Streams.html] \[[Open Group 2004|AA. Bibliography#Open Group 04]\] \[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 7, "File I/O" |
FIO02-C. Canonicalize path names originating from untrusted sources 09. Input Output (FIO) FIO04-C. Detect and handle input and output errors