1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Miscellaneous string-handling functions. Some are not required for
11 utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
18 #ifndef COMPILE_UTILITY
19 /*************************************************
20 * Test for IP address *
21 *************************************************/
23 /* This used just to be a regular expression, but with IPv6 things are a bit
24 more complicated. If the address contains a colon, it is assumed to be a v6
25 address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
26 and maskptr is not NULL, its offset is placed there.
30 maskptr NULL if no mask is permitted to follow
31 otherwise, points to an int where the offset of '/' is placed
32 if there is no / followed by trailing digits, *maskptr is set 0
33 errp NULL if no diagnostic information is required, and if the netmask
34 length should not be checked. Otherwise it is set pointing to a short
37 Returns: 0 if the string is not a textual representation of an IP address
38 4 if it is an IPv4 address
39 6 if it is an IPv6 address
41 The legacy string_is_ip_address() function follows below.
44 string_is_ip_addressX(const uschar *ip_addr, int *maskptr, const uschar **errp) {
45 struct addrinfo hints;
48 uschar *slash, *percent;
52 const uschar *addr = 0;
54 /* If there is a slash, but we didn't request a (optional) netmask,
55 we return failure, as we do if the mask isn't a pure numerical value,
56 or if it is negative. The actual length is checked later, once we know
57 the address family. */
58 if (slash = Ustrchr(ip_addr, '/'))
62 if (errp) *errp = "netmask found, but not requested";
67 mask = Ustrtol(slash+1, &rest, 10);
68 if (*rest || mask < 0)
70 if (errp) *errp = "netmask not numeric or <0";
74 *maskptr = slash - ip_addr; /* offset of the slash */
76 } else if (maskptr) *maskptr = 0; /* no slash found */
78 /* The interface-ID suffix (%<id>) is optional (for IPv6). If it
79 exists, we check it syntactically. Later, if we know the address
80 family is IPv4, we might reject it.
81 The interface-ID is mutually exclusive with the netmask, to the
82 best of my knowledge. */
83 if (percent = Ustrchr(ip_addr, '%'))
87 if (errp) *errp = "interface-ID and netmask are mutually exclusive";
90 for (uschar *p = percent+1; *p; p++)
91 if (!isalnum(*p) && !ispunct(*p))
93 if (errp) *errp = "interface-ID must match [[:alnum:][:punct:]]";
99 /* inet_pton() can't parse netmasks and interface IDs, so work on a shortened copy
100 allocated on the current stack */
102 ptrdiff_t l = endp - ip_addr;
105 if (errp) *errp = "rudiculous long ip address string";
108 addr = string_copyn(ip_addr, l);
109 } else addr = ip_addr;
112 union { /* we do not need this, but inet_pton() needs a place for storage */
117 af = Ustrchr(addr, ':') ? AF_INET6 : AF_INET;
118 if (!inet_pton(af, addr, &sa))
120 if (errp) *errp = af == AF_INET6 ? "IP address string not parsable as IPv6"
121 : "IP address string not parsable IPv4";
124 /* we do not check the values of the mask here, as
125 this is done on the callers side (but I don't understand why), so
126 actually I'd like to do it here, but it breaks at least 0002 */
130 if (errp && mask > 128)
132 *errp = "IPv6 netmask value must not be >128";
139 if (errp) *errp = "IPv4 address string must not have an interface-ID";
142 if (errp && mask > 32) {
143 *errp = "IPv4 netmask value must not be >32";
148 if (errp) *errp = "unknown address family (should not happen)";
154 string_is_ip_address(const uschar *ip_addr, int *maskptr) {
155 return string_is_ip_addressX(ip_addr, maskptr, 0);
158 #endif /* COMPILE_UTILITY */
161 /*************************************************
162 * Format message size *
163 *************************************************/
165 /* Convert a message size in bytes to printing form, rounding
166 according to the magnitude of the number. A value of zero causes
167 a string of spaces to be returned.
170 size the message size in bytes
171 buffer where to put the answer
173 Returns: pointer to the buffer
174 a string of exactly 5 characters is normally returned
178 string_format_size(int size, uschar *buffer)
180 if (size == 0) Ustrcpy(buffer, US" ");
181 else if (size < 1024) sprintf(CS buffer, "%5d", size);
182 else if (size < 10*1024)
183 sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
184 else if (size < 1024*1024)
185 sprintf(CS buffer, "%4dK", (size + 512)/1024);
186 else if (size < 10*1024*1024)
187 sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
189 sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
195 #ifndef COMPILE_UTILITY
196 /*************************************************
197 * Convert a number to base 62 format *
198 *************************************************/
200 /* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
201 BASE_62 is actually 36. Always return exactly 6 characters plus a NUL, in a
202 static area. This is enough for a 32b input, for 62 (for 64b we would want 11+nul);
203 but with 36 we lose half the input range of a 32b input.
205 Argument: a long integer
206 Returns: pointer to base 62 string
210 string_base62_32(unsigned long int value)
212 static uschar yield[7];
213 uschar * p = yield + sizeof(yield) - 1;
217 *--p = base62_chars[value % BASE_62];
224 string_base62_64(unsigned long int value)
226 static uschar yield[12];
227 uschar * p = yield + sizeof(yield) - 1;
232 *--p = base62_chars[value % BASE_62];
239 #endif /* COMPILE_UTILITY */
243 /*************************************************
244 * Interpret escape sequence *
245 *************************************************/
247 /* This function is called from several places where escape sequences are to be
248 interpreted in strings.
251 pp points a pointer to the initiating "\" in the string;
252 the pointer gets updated to point to the final character
253 If the backslash is the last character in the string, it
255 Returns: the value of the character escape
259 string_interpret_escape(const uschar **pp)
261 #ifdef COMPILE_UTILITY
262 const uschar *hex_digits= CUS"0123456789abcdef";
265 const uschar *p = *pp;
267 if (ch == '\0') return **pp;
268 if (isdigit(ch) && ch != '8' && ch != '9')
271 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
273 ch = ch * 8 + *(++p) - '0';
274 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
275 ch = ch * 8 + *(++p) - '0';
280 case 'b': ch = '\b'; break;
281 case 'f': ch = '\f'; break;
282 case 'n': ch = '\n'; break;
283 case 'r': ch = '\r'; break;
284 case 't': ch = '\t'; break;
285 case 'v': ch = '\v'; break;
291 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
292 if (isxdigit(p[1])) ch = ch * 16 +
293 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
303 #ifndef COMPILE_UTILITY
304 /*************************************************
305 * Ensure string is printable *
306 *************************************************/
308 /* This function is called for critical strings. It checks for any
309 non-printing characters, and if any are found, it makes a new copy
310 of the string with suitable escape sequences. It is most often called by the
311 macro string_printing(), which sets flags to 0.
315 flags Bit 0: convert tabs. Bit 1: convert spaces.
317 Returns: string with non-printers encoded as printing sequences
321 string_printing2(const uschar *s, int flags)
323 int nonprintcount = 0;
332 || flags & SP_TAB && c == '\t'
333 || flags & SP_SPACE && c == ' '
338 if (nonprintcount == 0) return s;
340 /* Get a new block of store guaranteed big enough to hold the
343 tt = ss = store_get(length + nonprintcount * 3 + 1, s);
345 /* Copy everything, escaping non printers. */
351 && (!(flags & SP_TAB) || c != '\t')
352 && (!(flags & SP_SPACE) || c != ' ')
360 case '\n': *tt++ = 'n'; break;
361 case '\r': *tt++ = 'r'; break;
362 case '\b': *tt++ = 'b'; break;
363 case '\v': *tt++ = 'v'; break;
364 case '\f': *tt++ = 'f'; break;
365 case '\t': *tt++ = 't'; break;
366 default: sprintf(CS tt, "%03o", *t); tt += 3; break;
374 #endif /* COMPILE_UTILITY */
376 /*************************************************
377 * Undo printing escapes in string *
378 *************************************************/
380 /* This function is the reverse of string_printing2. It searches for
381 backslash characters and if any are found, it makes a new copy of the
382 string with escape sequences parsed. Otherwise it returns the original
388 Returns: string with printing escapes parsed back
392 string_unprinting(uschar *s)
394 uschar *p, *q, *r, *ss;
397 p = Ustrchr(s, '\\');
400 len = Ustrlen(s) + 1;
401 ss = store_get(len, s);
415 *q++ = string_interpret_escape((const uschar **)&p);
420 r = Ustrchr(p, '\\');
446 #if (defined(HAVE_LOCAL_SCAN) || defined(EXPAND_DLFUNC)) \
447 && !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
448 /*************************************************
449 * Copy and save string *
450 *************************************************/
453 Argument: string to copy
454 Returns: copy of string in new store with the same taint status
458 string_copy_function(const uschar * s)
460 return string_copy_taint(s, s);
463 /* As above, but explicitly specifying the result taint status
467 string_copy_taint_function(const uschar * s, const void * proto_mem)
469 return string_copy_taint(s, proto_mem);
474 /*************************************************
475 * Copy and save string, given length *
476 *************************************************/
478 /* It is assumed the data contains no zeros. A zero is added
483 n number of characters
485 Returns: copy of string in new store
489 string_copyn_function(const uschar * s, int n)
491 return string_copyn(s, n);
496 /*************************************************
497 * Copy and save string in malloc'd store *
498 *************************************************/
500 /* This function assumes that memcpy() is faster than strcpy().
502 Argument: string to copy
503 Returns: copy of string in new store
507 string_copy_malloc(const uschar * s)
509 int len = Ustrlen(s) + 1;
510 uschar * ss = store_malloc(len);
517 /*************************************************
518 * Copy string if long, inserting newlines *
519 *************************************************/
521 /* If the given string is longer than 75 characters, it is copied, and within
522 the copy, certain space characters are converted into newlines.
524 Argument: pointer to the string
525 Returns: pointer to the possibly altered string
529 string_split_message(uschar * msg)
533 if (!msg || Ustrlen(msg) <= 75) return msg;
534 s = ss = msg = string_copy(msg);
539 while (i < 75 && *ss && *ss != '\n') ss++, i++;
551 if (t[-1] == ':') { tt = t; break; }
556 if (!tt) /* Can't split behind - try ahead */
561 if (*t == ' ' || *t == '\n')
567 if (!tt) break; /* Can't find anywhere to split */
578 /*************************************************
579 * Copy returned DNS domain name, de-escaping *
580 *************************************************/
582 /* If a domain name contains top-bit characters, some resolvers return
583 the fully qualified name with those characters turned into escapes. The
584 convention is a backslash followed by _decimal_ digits. We convert these
585 back into the original binary values. This will be relevant when
586 allow_utf8_domains is set true and UTF-8 characters are used in domain
587 names. Backslash can also be used to escape other characters, though we
588 shouldn't come across them in domain names.
590 Argument: the domain name string
591 Returns: copy of string in new store, de-escaped
595 string_copy_dnsdomain(uschar * s)
598 uschar * ss = yield = store_get(Ustrlen(s) + 1, GET_TAINTED); /* always treat as tainted */
604 else if (isdigit(s[1]))
606 *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
618 #ifndef COMPILE_UTILITY
619 /*************************************************
620 * Copy space-terminated or quoted string *
621 *************************************************/
623 /* This function copies from a string until its end, or until whitespace is
624 encountered, unless the string begins with a double quote, in which case the
625 terminating quote is sought, and escaping within the string is done. The length
626 of a de-quoted string can be no longer than the original, since escaping always
627 turns n characters into 1 character.
629 Argument: pointer to the pointer to the first character, which gets updated
630 Returns: the new string
634 string_dequote(const uschar ** sptr)
636 const uschar * s = * sptr;
639 /* First find the end of the string */
642 while (*s && !isspace(*s)) s++;
646 while (*s && *s != '\"')
648 if (*s == '\\') (void)string_interpret_escape(&s);
654 /* Get enough store to copy into */
656 t = yield = store_get(s - *sptr + 1, *sptr);
662 while (*s && !isspace(*s)) *t++ = *s++;
666 while (*s && *s != '\"')
668 *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
674 /* Update the pointer and return the terminated copy */
680 #endif /* COMPILE_UTILITY */
684 /*************************************************
685 * Format a string and save it *
686 *************************************************/
688 /* The formatting is done by string_vformat, which checks the length of
689 everything. Taint is taken from the worst of the arguments.
692 format a printf() format - deliberately char * rather than uschar *
693 because it will most usually be a literal string
694 func caller, for debug
695 line caller, for debug
696 ... arguments for format
698 Returns: pointer to fresh piece of store containing sprintf'ed string
702 string_sprintf_trc(const char * format, const uschar * func, unsigned line, ...)
704 #ifdef COMPILE_UTILITY
705 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
706 gstring gs = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
711 unsigned flags = SVFMT_REBUFFER|SVFMT_EXTEND;
716 g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
721 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
722 "string_sprintf expansion was longer than %d; format string was (%s)\n"
723 " called from %s %d\n",
724 STRING_SPRINTF_BUFFER_SIZE, format, func, line);
726 #ifdef COMPILE_UTILITY
727 return string_copyn(g->s, g->ptr);
729 gstring_release_unused(g);
730 return string_from_gstring(g);
736 /*************************************************
737 * Case-independent strncmp() function *
738 *************************************************/
744 n number of characters to compare
746 Returns: < 0, = 0, or > 0, according to the comparison
750 strncmpic(const uschar * s, const uschar * t, int n)
754 int c = tolower(*s++) - tolower(*t++);
761 /*************************************************
762 * Case-independent strcmp() function *
763 *************************************************/
770 Returns: < 0, = 0, or > 0, according to the comparison
774 strcmpic(const uschar * s, const uschar * t)
778 int c = tolower(*s++) - tolower(*t++);
779 if (c != 0) return c;
785 /*************************************************
786 * Case-independent strstr() function *
787 *************************************************/
789 /* The third argument specifies whether whitespace is required
790 to follow the matched string.
794 t substring to search for
795 space_follows if TRUE, match only if whitespace follows
797 Returns: pointer to substring in string, or NULL if not found
801 strstric_c(const uschar * s, const uschar * t, BOOL space_follows)
803 const uschar * p = t;
804 const uschar * yield = NULL;
805 int cl = tolower(*p);
806 int cu = toupper(*p);
810 if (*s == cl || *s == cu)
812 if (!yield) yield = s;
815 if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
836 strstric(uschar * s, uschar * t, BOOL space_follows)
838 return US strstric_c(s, t, space_follows);
842 #ifdef COMPILE_UTILITY
843 /* Dummy version for this function; it should never be called */
845 gstring_grow(gstring * g, int count)
853 #ifndef COMPILE_UTILITY
854 /*************************************************
855 * Get next string from separated list *
856 *************************************************/
858 /* Leading and trailing space is removed from each item. The separator in the
859 list is controlled by the int pointed to by the separator argument as follows:
861 If the value is > 0 it is used as the separator. This is typically used for
862 sublists such as slash-separated options. The value is always a printing
865 (If the value is actually > UCHAR_MAX there is only one item in the list.
866 This is used for some cases when called via functions that sometimes
867 plough through lists, and sometimes are given single items.)
869 If the value is <= 0, the string is inspected for a leading <x, where x is an
870 ispunct() or an iscntrl() character. If found, x is used as the separator. If
873 (a) if separator == 0, ':' is used
874 (b) if separator <0, -separator is used
876 In all cases the value of the separator that is used is written back to the
877 int so that it is used on subsequent calls as we progress through the list.
879 A literal ispunct() separator can be represented in an item by doubling, but
880 there is no way to include an iscntrl() separator as part of the data.
883 listptr points to a pointer to the current start of the list; the
884 pointer gets updated to point after the end of the next item
885 separator a pointer to the separator character in an int (see above)
886 buffer where to put a copy of the next string in the list; or
887 NULL if the next string is returned in new memory
888 Note that if the list is tainted then a provided buffer must be
889 also (else we trap, with a message referencing the callsite).
890 If we do the allocation, taint is handled there.
891 buflen when buffer is not NULL, the size of buffer; otherwise ignored
893 func caller, for debug
894 line caller, for debug
896 Returns: pointer to buffer, containing the next substring,
897 or NULL if no more substrings
901 string_nextinlist_trc(const uschar ** listptr, int * separator, uschar * buffer,
902 int buflen, const uschar * func, int line)
904 int sep = *separator;
905 const uschar * s = *listptr;
910 /* This allows for a fixed specified separator to be an iscntrl() character,
911 but at the time of implementation, this is never the case. However, it's best
912 to be conservative. */
914 while (isspace(*s) && *s != sep) s++;
916 /* A change of separator is permitted, so look for a leading '<' followed by an
917 allowed character. */
921 if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
925 while (isspace(*s) && *s != sep) s++;
928 sep = sep ? -sep : ':';
932 /* An empty string has no list elements */
934 if (!*s) return NULL;
936 /* Note whether whether or not the separator is an iscntrl() character. */
938 sep_is_special = iscntrl(sep);
940 /* Handle the case when a buffer is provided. */
941 /*XXX need to also deal with qouted-requirements mismatch */
946 if (is_tainted(s) && !is_tainted(buffer))
947 die_tainted(US"string_nextinlist", func, line);
950 if (*s == sep && (*(++s) != sep || sep_is_special)) break;
951 if (p < buflen - 1) buffer[p++] = *s;
953 while (p > 0 && isspace(buffer[p-1])) p--;
957 /* Handle the case when a buffer is not provided. */
963 /* We know that *s != 0 at this point. However, it might be pointing to a
964 separator, which could indicate an empty string, or (if an ispunct()
965 character) could be doubled to indicate a separator character as data at the
966 start of a string. Avoid getting working memory for an empty item. */
969 if (*++s != sep || sep_is_special)
972 return string_copy(US"");
975 /* Not an empty string; the first character is guaranteed to be a data
981 for (ss = s + 1; *ss && *ss != sep; ) ss++;
982 g = string_catn(g, s, ss-s);
984 if (!*s || *++s != sep || sep_is_special) break;
987 /* Trim trailing spaces from the returned string */
989 /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
990 while ( g->ptr > 0 && isspace(g->s[g->ptr-1])
991 && (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
993 buffer = string_from_gstring(g);
994 gstring_release_unused_trc(g, CCS func, line);
997 /* Update the current pointer and return the new string */
1004 static const uschar *
1005 Ustrnchr(const uschar * s, int c, unsigned * len)
1007 unsigned siz = *len;
1010 if (!*s) return NULL;
1023 /************************************************
1024 * Add element to separated list *
1025 ************************************************/
1026 /* This function is used to build a list, returning an allocated null-terminated
1027 growable string. The given element has any embedded separator characters
1030 Despite having the same growable-string interface as string_cat() the list is
1031 always returned null-terminated.
1034 list expanding-string for the list that is being built, or NULL
1035 if this is a new list that has no contents yet
1036 sep list separator character
1037 ele new element to be appended to the list
1039 Returns: pointer to the start of the list, changed if copied for expansion.
1043 string_append_listele(gstring * list, uschar sep, const uschar * ele)
1047 if (list && list->ptr)
1048 list = string_catn(list, &sep, 1);
1050 while((sp = Ustrchr(ele, sep)))
1052 list = string_catn(list, ele, sp-ele+1);
1053 list = string_catn(list, &sep, 1);
1056 list = string_cat(list, ele);
1057 (void) string_from_gstring(list);
1063 string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
1068 if (list && list->ptr)
1069 list = string_catn(list, &sep, 1);
1071 while((sp = Ustrnchr(ele, sep, &len)))
1073 list = string_catn(list, ele, sp-ele+1);
1074 list = string_catn(list, &sep, 1);
1078 list = string_catn(list, ele, len);
1079 (void) string_from_gstring(list);
1085 /* A slightly-bogus listmaker utility; the separator is a string so
1086 can be multiple chars - there is no checking for the element content
1087 containing any of the separator. */
1090 string_append2_listele_n(gstring * list, const uschar * sepstr,
1091 const uschar * ele, unsigned len)
1093 if (list && list->ptr)
1094 list = string_cat(list, sepstr);
1096 list = string_catn(list, ele, len);
1097 (void) string_from_gstring(list);
1103 /************************************************/
1104 /* Add more space to a growable-string. The caller should check
1105 first if growth is required. The gstring struct is modified on
1106 return; specifically, the string-base-pointer may have been changed.
1109 g the growable-string
1110 count amount needed for g->ptr to increase by
1114 gstring_grow(gstring * g, int count)
1117 int oldsize = g->size;
1119 /* Mostly, string_cat() is used to build small strings of a few hundred
1120 characters at most. There are times, however, when the strings are very much
1121 longer (for example, a lookup that returns a vast number of alias addresses).
1122 To try to keep things reasonable, we use increments whose size depends on the
1123 existing length of the string. */
1125 unsigned inc = oldsize < 4096 ? 127 : 1023;
1127 if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
1128 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1129 "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
1131 if (count <= 0) return;
1133 if (count >= INT_MAX/2 - g->ptr)
1134 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1135 "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
1137 g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
1139 /* Try to extend an existing allocation. If the result of calling
1140 store_extend() is false, either there isn't room in the current memory block,
1141 or this string is not the top item on the dynamic store stack. We then have
1142 to get a new chunk of store and copy the old string. When building large
1143 strings, it is helpful to call store_release() on the old string, to release
1144 memory blocks that have become empty. (The block will be freed if the string
1145 is at its start.) However, we can do this only if we know that the old string
1146 was the last item on the dynamic memory stack. This is the case if it matches
1149 if (!store_extend(g->s, oldsize, g->size))
1150 g->s = store_newblock(g->s, g->size, p);
1155 /*************************************************
1156 * Add chars to string *
1157 *************************************************/
1158 /* This function is used when building up strings of unknown length. Room is
1159 always left for a terminating zero to be added to the string that is being
1160 built. This function does not require the string that is being added to be NUL
1161 terminated, because the number of characters to add is given explicitly. It is
1162 sometimes called to extract parts of other strings.
1165 g growable-string that is being built, or NULL if not assigned yet
1166 s points to characters to add
1167 count count of characters to add; must not exceed the length of s, if s
1170 Returns: growable string, changed if copied for expansion.
1171 Note that a NUL is not added, though space is left for one. This is
1172 because string_cat() is often called multiple times to build up a
1173 string - there's no point adding the NUL till the end.
1174 NULL is a possible return.
1177 /* coverity[+alloc] */
1180 string_catn(gstring * g, const uschar * s, int count)
1185 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1186 "internal error in string_catn (count %d)", count);
1187 if (count == 0) return g;
1189 /*debug_printf("string_catn '%.*s'\n", count, s);*/
1192 unsigned inc = count < 4096 ? 127 : 1023;
1193 unsigned size = ((count + inc) & ~inc) + 1; /* round up requested count */
1194 g = string_get_tainted(size, s);
1196 else if (!g->s) /* should not happen */
1198 g->s = string_copyn(s, count);
1200 g->size = count; /*XXX suboptimal*/
1203 else if (is_incompatible(g->s, s))
1205 /* debug_printf("rebuf A\n"); */
1206 gstring_rebuffer(g, s);
1209 if (g->ptr < 0 || g->ptr > g->size)
1210 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1211 "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
1214 if (count >= g->size - p)
1215 gstring_grow(g, count);
1217 /* Because we always specify the exact number of characters to copy, we can
1218 use memcpy(), which is likely to be more efficient than strncopy() because the
1219 latter has to check for zero bytes. */
1221 memcpy(g->s + p, s, count);
1228 string_cat(gstring * g, const uschar * s)
1230 return string_catn(g, s, Ustrlen(s));
1235 /*************************************************
1236 * Append strings to another string *
1237 *************************************************/
1239 /* This function can be used to build a string from many other strings.
1240 It calls string_cat() to do the dirty work.
1243 g growable-string that is being built, or NULL if not yet assigned
1244 count the number of strings to append
1245 ... "count" uschar* arguments, which must be valid zero-terminated
1248 Returns: growable string, changed if copied for expansion.
1249 The string is not zero-terminated - see string_cat() above.
1252 __inline__ gstring *
1253 string_append(gstring * g, int count, ...)
1257 va_start(ap, count);
1260 uschar * t = va_arg(ap, uschar *);
1261 g = string_cat(g, t);
1271 /*************************************************
1272 * Format a string with length checks *
1273 *************************************************/
1275 /* This function is used to format a string with checking of the length of the
1276 output for all conversions. It protects Exim from absent-mindedness when
1277 calling functions like debug_printf and string_sprintf, and elsewhere. There
1278 are two different entry points to what is actually the same function, depending
1279 on whether the variable length list of data arguments are given explicitly or
1282 The formats are the usual printf() ones, with some omissions (never used) and
1283 three additions for strings: %S forces lower case, %T forces upper case, and
1284 %#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
1285 (useful in debugging). There is also the addition of %D and %M, which insert
1286 the date in the form used for datestamped log files.
1289 buffer a buffer in which to put the formatted string
1290 buflen the length of the buffer
1291 format the format string - deliberately char * and not uschar *
1292 ... or ap variable list of supplementary arguments
1294 Returns: TRUE if the result fitted in the buffer
1298 string_format_trc(uschar * buffer, int buflen,
1299 const uschar * func, unsigned line, const char * format, ...)
1301 gstring g = { .size = buflen, .ptr = 0, .s = buffer }, * gp;
1303 va_start(ap, format);
1304 gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1314 /* Build or append to a growing-string, sprintf-style.
1318 func called-from function name, for debug
1319 line called-from file line number, for debug
1320 limit maximum string size
1322 format printf-like format string
1323 ap variable-args pointer
1326 SVFMT_EXTEND buffer can be created or exteded as needed
1327 SVFMT_REBUFFER buffer can be recopied to tainted mem as needed
1328 SVFMT_TAINT_NOCHK do not check inputs for taint
1330 If the "extend" flag is true, the string passed in can be NULL,
1331 empty, or non-empty. Growing is subject to an overall limit given
1332 by the limit argument.
1334 If the "extend" flag is false, the string passed in may not be NULL,
1335 will not be grown, and is usable in the original place after return.
1336 The return value can be NULL to signify overflow.
1338 Field width: decimal digits, or *
1339 Precision: dot, followed by decimal digits or *
1340 Length modifiers: h L l ll z
1341 Conversion specifiers: n d o u x X p f e E g G % c s S T Y D M
1343 Returns the possibly-new (if copy for growth or taint-handling was needed)
1344 string, not nul-terminated.
1348 string_vformat_trc(gstring * g, const uschar * func, unsigned line,
1349 unsigned size_limit, unsigned flags, const char * format, va_list ap)
1351 enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
1353 int width, precision, off, lim, need;
1354 const char * fp = format; /* Deliberately not unsigned */
1356 string_datestamp_offset = -1; /* Datestamp not inserted */
1357 string_datestamp_length = 0; /* Datestamp not inserted */
1358 string_datestamp_type = 0; /* Datestamp not inserted */
1360 #ifdef COMPILE_UTILITY
1361 assert(!(flags & SVFMT_EXTEND));
1365 /* Ensure we have a string, to save on checking later */
1366 if (!g) g = string_get(16);
1368 if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, format))
1370 #ifndef MACRO_PREDEF
1371 if (!(flags & SVFMT_REBUFFER))
1372 die_tainted(US"string_vformat", func, line);
1374 /* debug_printf("rebuf B\n"); */
1375 gstring_rebuffer(g, format);
1377 #endif /*!COMPILE_UTILITY*/
1379 lim = g->size - 1; /* leave one for a nul */
1380 off = g->ptr; /* remember initial offset in gstring */
1382 /* Scan the format and handle the insertions */
1386 int length = L_NORMAL;
1389 const char *null = "NULL"; /* ) These variables */
1390 const char *item_start, *s; /* ) are deliberately */
1391 char newformat[16]; /* ) not unsigned */
1392 char * gp = CS g->s + g->ptr; /* ) */
1394 /* Non-% characters just get copied verbatim */
1398 /* Avoid string_copyn() due to COMPILE_UTILITY */
1399 if ((need = g->ptr + 1) > lim)
1401 if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
1405 g->s[g->ptr++] = (uschar) *fp++;
1409 /* Deal with % characters. Pick off the width and precision, for checking
1410 strings, skipping over the flag and modifier characters. */
1413 width = precision = -1;
1415 if (strchr("-+ #0", *(++fp)) != NULL)
1417 if (*fp == '#') null = "";
1421 if (isdigit((uschar)*fp))
1423 width = *fp++ - '0';
1424 while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
1426 else if (*fp == '*')
1428 width = va_arg(ap, int);
1435 precision = va_arg(ap, int);
1439 for (precision = 0; isdigit((uschar)*fp); fp++)
1440 precision = precision*10 + *fp - '0';
1442 /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
1445 { fp++; length = L_SHORT; }
1446 else if (*fp == 'L')
1447 { fp++; length = L_LONGDOUBLE; }
1448 else if (*fp == 'l')
1450 { fp += 2; length = L_LONGLONG; }
1452 { fp++; length = L_LONG; }
1453 else if (*fp == 'z')
1454 { fp++; length = L_SIZE; }
1456 /* Handle each specific format type. */
1461 nptr = va_arg(ap, int *);
1462 *nptr = g->ptr - off;
1470 width = length > L_LONG ? 24 : 12;
1471 if ((need = g->ptr + width) > lim)
1473 if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
1474 gstring_grow(g, width);
1476 gp = CS g->s + g->ptr;
1478 strncpy(newformat, item_start, fp - item_start);
1479 newformat[fp - item_start] = 0;
1481 /* Short int is promoted to int when passing through ..., so we must use
1482 int for va_arg(). */
1488 g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
1490 g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
1492 g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
1494 g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
1501 if ((need = g->ptr + 24) > lim)
1503 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1504 gstring_grow(g, 24);
1506 gp = CS g->s + g->ptr;
1508 /* sprintf() saying "(nil)" for a null pointer seems unreliable.
1509 Handle it explicitly. */
1510 if ((ptr = va_arg(ap, void *)))
1512 strncpy(newformat, item_start, fp - item_start);
1513 newformat[fp - item_start] = 0;
1514 g->ptr += sprintf(gp, newformat, ptr);
1517 g->ptr += sprintf(gp, "(nil)");
1521 /* %f format is inherently insecure if the numbers that it may be
1522 handed are unknown (e.g. 1e300). However, in Exim, %f is used for
1523 printing load averages, and these are actually stored as integers
1524 (load average * 1000) so the size of the numbers is constrained.
1525 It is also used for formatting sending rates, where the simplicity
1526 of the format prevents overflow. */
1533 if (precision < 0) precision = 6;
1534 if ((need = g->ptr + precision + 8) > lim)
1536 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1537 gstring_grow(g, precision+8);
1539 gp = CS g->s + g->ptr;
1541 strncpy(newformat, item_start, fp - item_start);
1542 newformat[fp-item_start] = 0;
1543 if (length == L_LONGDOUBLE)
1544 g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
1546 g->ptr += sprintf(gp, newformat, va_arg(ap, double));
1552 if ((need = g->ptr + 1) > lim)
1554 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1558 g->s[g->ptr++] = (uschar) '%';
1562 if ((need = g->ptr + 1) > lim)
1564 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1568 g->s[g->ptr++] = (uschar) va_arg(ap, int);
1571 case 'D': /* Insert daily datestamp for log file names */
1572 s = CS tod_stamp(tod_log_datestamp_daily);
1573 string_datestamp_offset = g->ptr; /* Passed back via global */
1574 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1575 string_datestamp_type = tod_log_datestamp_daily;
1576 slen = string_datestamp_length;
1579 case 'M': /* Insert monthly datestamp for log file names */
1580 s = CS tod_stamp(tod_log_datestamp_monthly);
1581 string_datestamp_offset = g->ptr; /* Passed back via global */
1582 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1583 string_datestamp_type = tod_log_datestamp_monthly;
1584 slen = string_datestamp_length;
1587 case 'Y': /* gstring pointer */
1589 gstring * zg = va_arg(ap, gstring *);
1590 if (zg) { s = CS zg->s; slen = zg->ptr; }
1591 else { s = null; slen = Ustrlen(s); }
1592 goto INSERT_GSTRING;
1596 case 'S': /* Forces *lower* case */
1597 case 'T': /* Forces *upper* case */
1598 s = va_arg(ap, char *);
1603 INSERT_GSTRING: /* Coome to from %Y above */
1605 if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, s))
1606 if (flags & SVFMT_REBUFFER)
1608 /* debug_printf("%s %d: untainted workarea, tainted %%s :- rebuffer\n", __FUNCTION__, __LINE__); */
1609 gstring_rebuffer(g, s);
1610 gp = CS g->s + g->ptr;
1612 #ifndef MACRO_PREDEF
1614 die_tainted(US"string_vformat", func, line);
1617 INSERT_STRING: /* Come to from %D or %M above */
1620 BOOL truncated = FALSE;
1622 /* If the width is specified, check that there is a precision
1623 set; if not, set it to the width to prevent overruns of long
1628 if (precision < 0) precision = width;
1631 /* If a width is not specified and the precision is specified, set
1632 the width to the precision, or the string length if shorted. */
1634 else if (precision >= 0)
1635 width = precision < slen ? precision : slen;
1637 /* If neither are specified, set them both to the string length. */
1640 width = precision = slen;
1642 if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
1644 if (g->ptr == lim) return NULL;
1648 width = precision = lim - g->ptr - 1;
1649 if (width < 0) width = 0;
1650 if (precision < 0) precision = 0;
1653 else if (need > lim)
1655 gstring_grow(g, width);
1657 gp = CS g->s + g->ptr;
1660 g->ptr += sprintf(gp, "%*.*s", width, precision, s);
1662 while (*gp) { *gp = tolower(*gp); gp++; }
1663 else if (fp[-1] == 'T')
1664 while (*gp) { *gp = toupper(*gp); gp++; }
1666 if (truncated) return NULL;
1670 /* Some things are never used in Exim; also catches junk. */
1673 strncpy(newformat, item_start, fp - item_start);
1674 newformat[fp-item_start] = 0;
1675 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
1676 "in \"%s\" in \"%s\"", newformat, format);
1681 if (g->ptr > g->size)
1682 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1683 "string_format internal error: caller %s %d", func, line);
1689 #ifndef COMPILE_UTILITY
1690 /*************************************************
1691 * Generate an "open failed" message *
1692 *************************************************/
1694 /* This function creates a message after failure to open a file. It includes a
1695 string supplied as data, adds the strerror() text, and if the failure was
1696 "Permission denied", reads and includes the euid and egid.
1699 format a text format string - deliberately not uschar *
1700 func caller, for debug
1701 line caller, for debug
1702 ... arguments for the format string
1704 Returns: a message, in dynamic store
1708 string_open_failed_trc(const uschar * func, unsigned line,
1709 const char * format, ...)
1712 gstring * g = string_get(1024);
1714 g = string_catn(g, US"failed to open ", 15);
1716 /* Use the checked formatting routine to ensure that the buffer
1717 does not overflow. It should not, since this is called only for internally
1718 specified messages. If it does, the message just gets truncated, and there
1719 doesn't seem much we can do about that. */
1721 va_start(ap, format);
1722 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1723 SVFMT_REBUFFER, format, ap);
1726 g = string_catn(g, US": ", 2);
1727 g = string_cat(g, US strerror(errno));
1729 if (errno == EACCES)
1731 int save_errno = errno;
1732 g = string_fmt_append(g, " (euid=%ld egid=%ld)",
1733 (long int)geteuid(), (long int)getegid());
1736 gstring_release_unused(g);
1737 return string_from_gstring(g);
1744 /* qsort(3), currently used to sort the environment variables
1745 for -bP environment output, needs a function to compare two pointers to string
1746 pointers. Here it is. */
1749 string_compare_by_pointer(const void *a, const void *b)
1751 return Ustrcmp(* CUSS a, * CUSS b);
1753 #endif /* COMPILE_UTILITY */
1758 /*************************************************
1759 **************************************************
1760 * Stand-alone test program *
1761 **************************************************
1762 *************************************************/
1769 printf("Testing is_ip_address\n");
1772 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1775 buffer[Ustrlen(buffer) - 1] = 0;
1776 printf("%d\n", string_is_ip_address(buffer, NULL));
1777 printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
1780 printf("Testing string_nextinlist\n");
1782 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1784 uschar *list = buffer;
1792 sep1 = sep2 = list[1];
1799 uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
1800 uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
1802 if (item1 == NULL && item2 == NULL) break;
1803 if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
1805 printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
1806 (item1 == NULL)? "NULL" : CS item1,
1807 (item2 == NULL)? "NULL" : CS item2);
1810 else printf(" \"%s\"\n", CS item1);
1814 /* This is a horrible lash-up, but it serves its purpose. */
1816 printf("Testing string_format\n");
1818 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1821 long long llargs[3];
1827 BOOL countset = FASE;
1831 buffer[Ustrlen(buffer) - 1] = 0;
1833 s = Ustrchr(buffer, ',');
1834 if (s == NULL) s = buffer + Ustrlen(buffer);
1836 Ustrncpy(format, buffer, s - buffer);
1837 format[s-buffer] = 0;
1844 s = Ustrchr(ss, ',');
1845 if (s == NULL) s = ss + Ustrlen(ss);
1849 Ustrncpy(outbuf, ss, s-ss);
1850 if (Ustrchr(outbuf, '.') != NULL)
1853 dargs[n++] = Ustrtod(outbuf, NULL);
1855 else if (Ustrstr(outbuf, "ll") != NULL)
1858 llargs[n++] = strtoull(CS outbuf, NULL, 10);
1862 args[n++] = (void *)Uatoi(outbuf);
1866 else if (Ustrcmp(ss, "*") == 0)
1868 args[n++] = (void *)(&count);
1874 uschar *sss = malloc(s - ss + 1);
1875 Ustrncpy(sss, ss, s-ss);
1882 if (!dflag && !llflag)
1883 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1884 args[0], args[1], args[2])? "True" : "False");
1887 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1888 dargs[0], dargs[1], dargs[2])? "True" : "False");
1890 else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1891 llargs[0], llargs[1], llargs[2])? "True" : "False");
1893 printf("%s\n", CS outbuf);
1894 if (countset) printf("count=%d\n", count);
1901 /* End of string.c */