The C99 \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] C standard function {{fopen()}} is typically used to open an existing file or create a new one. However, {{fopen()}} does not indicate if an existing file has been opened for writing or a new file has been created. This may lead to a program overwriting or accessing an unintended file. |
fopen()In this example, an attempt is made to check whether a file exists before opening it for writing by trying to open the file for reading.
/* ... */
FILE *fp = fopen(file_name,"r");
if (!fp) { /* file does not exist */
fp = fopen(file_name,"w");
/* ... */
fclose(fp);
} else {
/* file exists */
fclose(fp);
}
/* ... */
|
However, this code suffers from a _Time of Check, Time of Use_ (or _TOCTOU_) vulnerability (see \[[Seacord 05|AA. C References#Seacord 05]\] Section 7.2). On a shared multitasking system there is a window of opportunity between the first call of {{fopen()}} and the second call for a malicious attacker to, for example, create a link with the given filename to an existing file so that the existing file is overwritten by the second call of {{fopen()}} and the subsequent writing to the file. |
fopen_s() (ISO/IEC TR 24731-1)The fopen_s() function defined in ISO/IEC TR 24731-1-2007 is designed to improve the security of the fopen() function. However, like fopen(), fopen_s() provides no mechanism to determine if an existing file has been opened for writing or a new file has been created. The code below contains the same TOCTOU race condition as the first non-compliant code example using fopen().
/* ... */
FILE *fptr;
errno_t res = fopen_s(&fptr,file_name, "r");
if (res != 0) { /* file does not exist */
res = fopen_s(&fptr,file_name, "w");
/* ... */
fclose(fptr);
} else {
fclose(fptr);
}
/* ... */
|
open() (POSIX)The {{open()}} function as defined in the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\] is available on many platforms and provides the control that {{fopen()}} does not provide. If the {{O_CREAT}} and {{O_EXCL}} flags are used together, the {{open()}} function fails when the file specified by {{file_name}} already exists. |
/* ... */
int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
/* ... */
|
Care should be observed when using {{O_EXCL}} with remote file systems as it does not work with NFS version 2. NFS version 3 added support for {{O_EXCL}} mode in {{open()}}; see IETF RFC 1813, in particular the {{EXCLUSIVE}} value to the {{mode}} argument of {{CREATE}} \[[Callaghan 95|AA. C References#Callaghan 95]\]. |
fdopen() (POSIX)For code that operates on {{FILE}} pointers and not file descriptors, the POSIX {{fdopen()}} function \[[Open Group 04|AA. C References#Open Group 05]\] can be used to associate an open stream with the file descriptor returned by {{open()}}, as shown in this compliant solution. |
/* ... */
FILE *fp;
int fd;
fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle Error */
}
fp = fdopen(fd, "w");
if (fp == NULL) {
/* Handle Error */
}
/* ... */
|
The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that the intended file is accessed, or perhaps more importantly, a file other than the intended file is not acted upon.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO03-A |
2 (medium) |
2 (probable) |
1 (high) |
P4 |
L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files" \[[ISO/IEC TR 24731-1-2007|AA. C References#SO/IEC TR 24731-1-2007]\] Section 6.5.2.1, "The fopen_s function" \[[Open Group 04|AA. C References#Open Group 04]\] \[[Seacord 05|AA. C References#Seacord 05]\] Chapter 7, "File I/O" |
|