Creating a file with overly permissive access permissions may allow an unprivileged user to access that file. Although access permissions are heavily dependent on the file system, many file-creation functions provide mechanisms to set (or at least influence) access permissions. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access.
When setting access permissions, it is important to make sure that an attacker is not able to alter them.
/* initialize file_name */
fp = fopen(file_name, "w");
/* Handle error */
The fopen() function does not allow the programmer to explicitly specify file access permissions. In the code example below, if the call to fopen() creates a new file, the access permissions are implementation-defined.
The above has been taken from CERN Computer Security website, https://www.securecoding.cert.org/confluence/display/cplusplus/FIO06-CPP.+Create+files+with+appropriate+access+permissions.
The above example maps to L in the Concept Map.
Path names, directory names, and file names may contain characters that make validation difficult and inaccurate. Furthermore, any path name component can be a symbolic link which further obscures the actual location or identity of a file. To simplify file name validation, it is recommended that names be translated into their canonical form. Canonicalizing file names makes it much easier to verify a path, directory, or file name by making it easier to compare names.
Because the canonical form can vary between operating systems and file systems, it is best to use operating-system-specific mechanisms for canonicalization.
Here is a function that ensures that a path name refers to a file in the user's home directory on POSIX systems.
In this example, argv contains a file name that originates from an untrusted source and is opened for writing. Before using this file name in file operations, it should be validated to ensure that it refers to an expected and valid file. Unfortunately, the file name referenced by argv may contain special characters, such as directory characters, that make validation difficult, if not impossible. Furthermore, any path name component in argv may be a symbolic link, resulting in the file name referring to an invalid file even though it passes validation.
If validation is not performed correctly, the call to fopen() may result in an unintended file being accessed.
The above has been taken from CERN Computer Security website, https://www.securecoding.cert.org/confluence/display/cplusplus/FIO02-CPP.+Canonicalize+path+names+originating+from+untrusted+sources.
The above example maps to K in the Concept Map.