Create files with appropriate access permissions.

Canonicalize path names originating from untrusted sources. 

Create files with appropriate access permissions

Creating a file with overly permissive access permissions may allow an unprivileged user to access that file. Although access permissions are heavily dependent on the file system, many file-creation functions provide mechanisms to set (or at least influence) access permissions. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access.

When setting access permissions, it is important to make sure that an attacker is not able to alter them.

What You Should Not Do

#include <stdio.h>

char *file_name;
FILE *fp;

/* initialize file_name */

/* fopen() offers no way to state the permissions of a newly created file */
fp = fopen(file_name, "w");
if (!fp) {
    /* Handle error */
}

The fopen() function does not allow the programmer to explicitly specify file access permissions. In the code example above, if the call to fopen() creates a new file, the access permissions are implementation-defined.

What You Should Do

#define __STDC_WANT_LIB_EXT1__ 1  /* expose the C11 Annex K interfaces, including fopen_s() */
#include <stdio.h>

char *file_name;
FILE *fp;

/* initialize file_name */

/* a file created by fopen_s() gets permissions that keep other users out */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
    /* Handle error */
}

The fopen_s() function (C11 Annex K) can be used instead: when it creates a file, the file is given permissions that prevent other users on the system from accessing it, to the extent that the underlying system supports this.

The above has been taken from the CERT Secure Coding website, https://www.securecoding.cert.org/confluence/display/cplusplus/FIO06-CPP.+Create+files+with+appropriate+access+permissions.

Concept Map

The above example maps to L in the Concept Map.

Canonicalize path names originating from untrusted sources.

Path names, directory names, and file names may contain characters that make validation difficult and inaccurate. Furthermore, any path name component can be a symbolic link, which further obscures the actual location or identity of a file. To simplify file name validation, it is recommended that names be translated into their canonical form. Once two names are in canonical form they can be compared directly, which makes verifying a path, directory, or file name much easier.

Because the canonical form can vary between operating systems and file systems, it is best to use operating-system-specific mechanisms for canonicalization.

What You Should Do

Here is a function that ensures that a path name refers to a file in the user's home directory on POSIX systems.

#include <sys/types.h>
#include <pwd.h>
#include <unistd.h>
#include <string.h>

int verify_file(char *const filename) {
    /* Get /etc/passwd entry for current user */
    struct passwd *pwd = getpwuid(getuid());
    if (pwd == NULL) {
        /* Handle error */
        return 0;
    }

    /* The file name must begin with the user's home directory */
    const size_t len = strlen(pwd->pw_dir);
    if (strncmp(filename, pwd->pw_dir, len) != 0) {
        return 0;
    }
    /* Make sure there is only one '/', immediately after homedir */
    if (strrchr(filename, '/') == filename + len) {
        return 1;
    }
    return 0;
}

The verify_file() function requires that the filename be an absolute pathname. Furthermore, it can be fooled if the filename being referenced is actually a symbolic link to a file that is not in the user's home directory.
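As an added example (not code from the CERT page or from this site), here is a check that closes the symbolic-link gap in verify_file() by canonicalizing first: realpath(3) resolves links and ".." components before the home-directory comparison, and the comparison itself respects path-component boundaries so that /home/alice2 is not accepted for /home/alice. The names path_within(), canonical_within() and verify_file_canonical() are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for realpath(3), getpwuid(3), getuid(2) */
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if canonical path `path` is `base` or lies beneath it.
 * A bare prefix test is not enough: "/home/alice" is a prefix of
 * "/home/alice2/x", so the character after the prefix must be '/'. */
int path_within(const char *path, const char *base) {
    size_t len = strlen(base);
    while (len > 0 && base[len - 1] == '/') {   /* tolerate "/" and trailing '/' */
        len--;
    }
    if (strncmp(path, base, len) != 0) {
        return 0;
    }
    return path[len] == '\0' || path[len] == '/';
}

/* Canonicalize `filename` with realpath(3), then check that the result is
 * under `base`. realpath() resolves symbolic links and ".." components, so
 * a link inside the home directory that points elsewhere is rejected.
 * If `out` is non-NULL the canonical path is copied there (PATH_MAX bytes);
 * the caller should open that name, not the original one. */
int canonical_within(const char *filename, const char *base, char *out) {
    char resolved[PATH_MAX];
    if (realpath(filename, resolved) == NULL) {
        return 0;   /* nonexistent, unreadable or over-long path: reject */
    }
    if (!path_within(resolved, base)) {
        return 0;
    }
    if (out != NULL) {
        snprintf(out, PATH_MAX, "%s", resolved);
    }
    return 1;
}

/* Same contract as the page's verify_file(), applied to the canonical name. */
int verify_file_canonical(const char *filename) {
    struct passwd *pwd = getpwuid(getuid());
    if (pwd == NULL || pwd->pw_dir == NULL) {
        return 0;   /* Handle error */
    }
    return canonical_within(filename, pwd->pw_dir, NULL);
}
```

realpath() requires the path to exist, so for a file that is about to be created with "w", canonicalize its parent directory and append the final component only after the check has passed.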

What You Should Not Do

In this example, argv contains a file name that originates from an untrusted source and is opened for writing. Before using this file name in file operations, it should be validated to ensure that it refers to an expected and valid file. Unfortunately, the file name referenced by argv[1] may contain special characters, such as directory characters, that make validation difficult, if not impossible. Furthermore, any path name component in argv[1] may be a symbolic link, resulting in the file name referring to an invalid file even though it passes validation.

If validation is not performed correctly, the call to fopen() may result in an unintended file being accessed.

int main(int argc, char *argv[]) {
    /* Verify argv[1] is supplied */
    if (argc < 2) {
        /* Handle error */
    }

    /* Lexical check only: symbolic links in argv[1] are not resolved */
    if (!verify_file(argv[1])) {
        /* Handle error */
    }

    if (fopen(argv[1], "w") == NULL) {
        /* Handle error */
    }

    /* ... */
}

The above has been taken from the CERT Secure Coding website, https://www.securecoding.cert.org/confluence/display/cplusplus/FIO02-CPP.+Canonicalize+path+names+originating+from+untrusted+sources.

Concept Map

The above example maps to K in the Concept Map.
