Main Content

Use of non-secure temporary file

Temporary generated file name not secure

expand all in page

Description

This defect occurs when you use temporary file routines that are not secure.

Risk

If an attacker guesses the file name generated by a standard temporary file routine, the attacker can:

  • Cause a race condition when you generate the file name.

  • Precreate a file of the same name, filled with malicious content. If your program reads the file, the attacker’s file can inject the malicious code.

  • Create a symbolic link to a file storing sensitive data. When your program writes to the temporary file, the sensitive data is deleted.

Fix

To create temporary files, use a more secure standard temporary file routine, such as mkstemp from POSIX.1-2001.

Also, when creating temporary files with routines that allow flags, such as mkostemp, use the exclusion flag O_EXCL to avoid race conditions.

Examples

expand all

#define _BSD_SOURCE
#define _XOPEN_SOURCE 
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int test_temp()
{
    char tpl[] = "abcXXXXXX";
    char suff_tpl[] = "abcXXXXXXsuff";
    char *filename = NULL;
    int fd;
    
    filename = tempnam("/var/tmp", "foo_");
    
    if (filename != NULL)
    {
        printf("generated tmp name (%s) in (%s:%s:%s)\n", 
               filename, getenv("TMPDIR") ? getenv("TMPDIR") : "$TMPDIR",
               "/var/tmp", P_tmpdir);
        
        fd = open(filename, O_CREAT, S_IRWXU|S_IRUSR);
        if (fd != -1)
        {
            close(fd);
            unlink(filename);
            return 1;
        }
    }
    return 0;
}

In this example, Bug Finder flags open because it tries to use an unsecure temporary file. The file is opened without exclusive privileges. An attacker can access the file causing various risks.

Correction — Add O_EXCL Flag

One possible correction is to add the O_EXCL flag when you open the temporary file.

#define _BSD_SOURCE
#define _XOPEN_SOURCE 
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int test_temp()
{
    char tpl[] = "abcXXXXXX";
    char suff_tpl[] = "abcXXXXXXsuff";
    char *filename = NULL;
    int fd;
    
    filename = tempnam("/var/tmp", "foo_");
    
    if (filename != NULL)
    {
        printf("generated tmp name (%s) in (%s:%s:%s)\n", 
               filename, getenv("TMPDIR") ? getenv("TMPDIR") : "$TMPDIR",
               "/var/tmp", P_tmpdir);
        
        fd = open(filename, O_CREAT|O_EXCL, S_IRWXU|S_IRUSR);
        if (fd != -1)
        {
            close(fd);
            unlink(filename);
            return 1;
        }
    }
    return 0;
}

Result Information

Group: Security
Language: C | C++
Default: Off
Command-Line Syntax: NON_SECURE_TEMP_FILE
Impact: High

Version History

Introduced in R2015b

See Also

|

Topics