Input/Output is a broad topic and includes all the functions defined in C99 Section 7.19, "Input/output <stdio.h>", and related functions.
The security of I/O operations depends on the version of the C library, the operating system, and the file system. Older libraries are generally more susceptible to security flaws than newer library versions. Different operating systems have different capabilities and mechanisms for managing file privileges. There are numerous file systems, including File Allocation Table (FAT), FAT32, New Technology File System (NTFS), NetWare File System (NWFS), and the Unix File System (UFS). There are also many distributed file systems, including Andrew File System (AFS), Distributed File System (DFS), Microsoft DFS, and Network File System (NFS). These file systems vary in their capabilities and privilege mechanisms.
As a starting point, the I/O topic area describes the use of C99 standard functions. However, because these functions have been generalized to support multiple disparate operating systems and file systems, they generally cannot be used in a secure fashion on their own. As a result, most of the rules and recommendations in this topic area recommend approaches that are specific to the operating system and file system in use. Because of the number of combinations involved, we have not been able to provide compliant solutions for all operating system and file system combinations. You should therefore evaluate the applicability of the rules for the operating system/file system combinations supported by your application.
FIO01-A. Prefer functions that do not rely on file names for identification
FIO02-A. Canonicalize file names originating from untrusted sources
FIO03-A. Do not make assumptions about fopen() and file creation
FIO04-A. Detect and handle input output errors
FIO05-A. Identify files using multiple file attributes
FIO06-A. Create files with appropriate access permissions
FIO07-A. Do not create temporary files in shared directories
FIO30-C. Exclude user input from format strings
FIO32-C. Temporary file names must be unique when the file is created
FIO33-C. Detect and handle input output errors resulting in undefined behavior
FIO34-C. Use int to capture the return value of character IO functions
FIO35-C. Use feof() and ferror() to detect end-of-file and file errors
FIO36-C. Don't assume a newline character is read
FIO37-C. Don't assume character data has been read
FIO38-C. Do not use a copy of a FILE object for IO
FIO39-C. Temporary file name generators must create unique file names
FIO40-C. Temporary files must be opened with exclusive access
FIO41-C. Temporary files must have an unpredictable name
FIO42-C. Temporary files must be removed before the program exits
FIO43-C. Do not copy data from an unbounded source to a fixed-length array
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO01-A | 3 (high) | 2 (likely) | 1 (high) | P6 | L2 |
| FIO02-A | 3 (high) | 1 (unlikely) | 1 (high) | P3 | L3 |
| FIO03-A | 3 (high) | 2 (probable) | 1 (high) | P6 | L2 |
| FIO04-A | 2 (medium) | 2 (probable) | 1 (high) | P4 | L3 |
| FIO05-A | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO06-A | 2 (high) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO07-A | 2 (high) | 2 (probable) | 2 (medium) | P8 | L2 |
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO30-C | 3 (high) | 3 (probable) | 3 (low) | P27 | L1 |
| FIO32-C | 3 (high) | 2 (probable) | 1 (medium) | P6 | L2 |
| FIO33-C | 1 (low) | 1 (low) | 3 (medium) | P3 | L3 |
| FIO34-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO35-C | 1 (low) | 1 (unlikely) | 2 (medium) | P2 | L3 |
| FIO36-C | 1 (low) | 1 (unlikely) | 3 (low) | P3 | L3 |
| FIO37-C | 3 (high) | 1 (unlikely) | 2 (medium) | P6 | L3 |
| FIO38-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO39-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO40-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO41-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO42-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
| FIO43-C | 3 (high) | 3 (likely) | 2 (low) | P18 | L1 |