
Many file-related security vulnerabilities result from accessing a file different from the one intended. Often this type of error is the result of relying on a file name. If the underlying file object is manipulated in a way that causes a program to operate on an unexpected file, then unintended, corrupted, or malicious data may be accessed. This type of error is the premise for many vulnerabilities affecting UNIX symlinks and Windows shortcuts.

These types of vulnerabilities can be mitigated by using functions that operate on file descriptors rather than file names. It is therefore recommended that files be accessed through file handles rather than file names.

Non-Compliant Example 1

In this example, the function chmod(...) is called to set the permissions of a file. However, if the file that file_name refers to has been changed since the time it was opened, the permissions may be changed on a different, unintended file.

/* The name is resolved again here, at the time of the call */
if (chmod("file_name", new_mode) == -1) {
  /* Handle Error */
}
/* Process file */

Compliant Solution 1

To correct the error, use the function fchmod(...) instead of chmod(...). fchmod(...) operates on a file descriptor rather than a file name. With fchmod(...), it is no longer possible to change the target file between opening the file and changing its permissions.

/* fd is the descriptor obtained when the file was opened */
if (fchmod(fd, new_mode) == -1) {
  /* Handle Error */
}
/* Process file */
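
The following is an added example, not part of the original page. It opens a file, re-points the name at a different file, and confirms that fchmod(...) still changes the file that was opened. The helper names, the scratch paths under /tmp, and the O_NOFOLLOW and S_ISREG checks are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L  /* for mkdtemp, fchmod, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set permissions on the file object behind fd, after confirming it is a
 * regular file. Returns 0 on success, -1 on error. */
int set_mode_by_fd(int fd, mode_t new_mode) {
    struct stat st;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) return -1;
    return fchmod(fd, new_mode);
}

/* Constructed scenario: after open(), the name is re-pointed at a decoy
 * file through a symlink. Returns 0 if the mode change landed on the file
 * that was opened and the decoy kept its mode, -1 otherwise. */
int demo_name_swap(void) {
    char dir[] = "/tmp/fdmodeXXXXXX";   /* scratch directory (constructed) */
    char target[64], decoy[64], moved[64];
    struct stat st_fd, st_decoy;
    int fd, rc = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/file_name", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    snprintf(moved, sizeof moved, "%s/moved", dir);

    fd = open(decoy, O_CREAT | O_WRONLY, 0600);
    if (fd == -1 || fchmod(fd, 0600) == -1) return -1;
    close(fd);
    fd = open(target, O_CREAT | O_WRONLY | O_NOFOLLOW, 0600);
    if (fd == -1) return -1;

    /* From here on the name resolves to the decoy, not the opened file. */
    if (rename(target, moved) == 0 && symlink(decoy, target) == 0 &&
        set_mode_by_fd(fd, 0640) == 0 &&
        fstat(fd, &st_fd) == 0 && stat(decoy, &st_decoy) == 0 &&
        (st_fd.st_mode & 0777) == 0640 && (st_decoy.st_mode & 0777) == 0600)
        rc = 0;

    close(fd);
    unlink(target); unlink(moved); unlink(decoy); rmdir(dir);
    return rc;
}

int main(void) { return demo_name_swap() == 0 ? 0 : 1; }
```

Had chmod(...) been called on the name at the same point, it would have followed the symlink and changed the decoy's permissions instead.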