C++: Add a third example for cpp/world-writable-file-creation.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.c

@@ -9,3 +9,10 @@ void write_default_config_good() {
 	int out = creat(OUTFILE, S_IWUSR | S_IRUSR);
 	dprintf(out, DEFAULT_CONFIG);
 }
+
+void write_default_config_good_2() {
+	// GOOD - this allows only the current user to modify the file
+	int out = open(OUTFILE, O_WRONLY | O_CREAT, S_IWUSR | S_IRUSR);
+	FILE *fd = fdopen(out, "w");
+	fprintf(fd, DEFAULT_CONFIG);
+}

cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.qhelp

@@ -29,10 +29,11 @@ so it is important that they cannot be controlled by an attacker.
 </p>
 
 <p>
-The first example creates the default configuration file with the usual "default" Unix permissions, <code>0666</code>. This makes the 
+The first example creates the default configuration file with the usual "default" Unix permissions, <code>0666</code>. This makes the
 file world-writable, so that an attacker could write in their own configuration that would be read by the program. The second example uses
 more restrictive permissions: a combination of the standard Unix constants <code>S_IWUSR</code> and <code>S_IRUSR</code> which means that
-only the current user will have read and write access to the file.
+only the current user will have read and write access to the file. The third example shows another way to create a file with more restrictive
+permissions if a <code>FILE *</code> stream pointer is required rather than a file descriptor.
 </p>
 
 <sample src="DoNotCreateWorldWritable.c" />