CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO)

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descript...

The product makes files or directories accessible to unauthorized actors, even though they should not be.

The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This ty...

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but ...

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an uni...

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory na...

The product does not release or incorrectly releases a resource before it is made available for re-use.

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

During installation, installed file permissions are set to allow anyone to modify those files.

While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the ...

The product accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation, which can allow an attacker to traverse ...

The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary ...

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the ...

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to in...

The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intend...

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended co...

The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control ...

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 200...