1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Miscellaneous string-handling functions. Some are not required for
11 utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
18 #ifndef COMPILE_UTILITY
19 /*************************************************
20 * Test for IP address *
21 *************************************************/
23 /* This used just to be a regular expression, but with IPv6 things are a bit
24 more complicated. If the address contains a colon, it is assumed to be a v6
25 address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
26 and maskptr is not NULL, its offset is placed there.
30 maskptr NULL if no mask is permitted to follow
31 otherwise, points to an int where the offset of '/' is placed
32 if there is no / followed by trailing digits, *maskptr is set 0
33 errp NULL if no diagnostic information is required, and if the netmask
34 length should not be checked. Otherwise it is set pointing to a short
37 Returns: 0 if the string is not a textual representation of an IP address
38 4 if it is an IPv4 address
39 6 if it is an IPv6 address
41 The legacy string_is_ip_address() function follows below.
45 string_is_ip_addressX(const uschar * ip_addr, int * maskptr, const uschar ** errp)
47 uschar * slash, * percent, * endp = NULL;
49 const uschar * addr = NULL;
51 union { /* we do not need this, but inet_pton() needs a place for storage */
56 /* If there is a slash, but we didn't request a (optional) netmask,
57 we return failure, as we do if the mask isn't a pure numerical value,
58 or if it is negative. The actual length is checked later, once we know
59 the address family. */
61 if (slash = Ustrchr(ip_addr, '/'))
67 if (errp) *errp = US"netmask found, but not requested";
71 mask = Ustrtol(slash+1, &rest, 10);
72 if (*rest || mask < 0)
74 if (errp) *errp = US"netmask not numeric or <0";
78 *maskptr = slash - ip_addr; /* offset of the slash */
82 *maskptr = 0; /* no slash found */
84 /* The interface-ID suffix (%<id>) is optional (for IPv6). If it
85 exists, we check it syntactically. Later, if we know the address
86 family is IPv4, we might reject it.
87 The interface-ID is mutually exclusive with the netmask, to the
88 best of my knowledge. */
90 if (percent = Ustrchr(ip_addr, '%'))
94 if (errp) *errp = US"interface-ID and netmask are mutually exclusive";
97 for (uschar *p = percent+1; *p; p++)
98 if (!isalnum(*p) && !ispunct(*p))
100 if (errp) *errp = US"interface-ID must match [[:alnum:][:punct:]]";
106 /* inet_pton() can't parse netmasks and interface IDs, so work on a shortened copy
107 allocated on the current stack */
111 ptrdiff_t l = endp - ip_addr;
114 if (errp) *errp = US"rudiculous long ip address string";
117 addr = string_copyn(ip_addr, l);
122 af = Ustrchr(addr, ':') ? AF_INET6 : AF_INET;
123 if (!inet_pton(af, CCS addr, &sa))
125 if (errp) *errp = af == AF_INET6 ? US"IP address string not parsable as IPv6"
126 : US"IP address string not parsable IPv4";
130 /* we do not check the values of the mask here, as
131 this is done on the callers side (but I don't understand why), so
132 actually I'd like to do it here, but it breaks at least testcase 0002 */
137 if (errp && mask > 128)
139 *errp = US"IPv6 netmask value must not be >128";
146 if (errp) *errp = US"IPv4 address string must not have an interface-ID";
149 if (errp && mask > 32)
151 *errp = US"IPv4 netmask value must not be >32";
156 if (errp) *errp = US"unknown address family (should not happen)";
163 string_is_ip_address(const uschar * ip_addr, int * maskptr)
165 return string_is_ip_addressX(ip_addr, maskptr, NULL);
168 #endif /* COMPILE_UTILITY */
171 /*************************************************
172 * Format message size *
173 *************************************************/
175 /* Convert a message size in bytes to printing form, rounding
176 according to the magnitude of the number. A value of zero causes
177 a string of spaces to be returned.
180 size the message size in bytes
181 buffer where to put the answer
183 Returns: pointer to the buffer
184 a string of exactly 5 characters is normally returned
188 string_format_size(int size, uschar *buffer)
190 if (size == 0) Ustrcpy(buffer, US" ");
191 else if (size < 1024) sprintf(CS buffer, "%5d", size);
192 else if (size < 10*1024)
193 sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
194 else if (size < 1024*1024)
195 sprintf(CS buffer, "%4dK", (size + 512)/1024);
196 else if (size < 10*1024*1024)
197 sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
199 sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
205 #ifndef COMPILE_UTILITY
206 /*************************************************
207 * Convert a number to base 62 format *
208 *************************************************/
210 /* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
211 BASE_62 is actually 36. Always return exactly 6 characters plus a NUL, in a
212 static area. This is enough for a 32b input, for 62 (for 64b we would want 11+nul);
213 but with 36 we lose half the input range of a 32b input.
215 Argument: a long integer
216 Returns: pointer to base 62 string
220 string_base62_32(unsigned long int value)
222 static uschar yield[7];
223 uschar * p = yield + sizeof(yield) - 1;
227 *--p = base62_chars[value % BASE_62];
234 string_base62_64(unsigned long int value)
236 static uschar yield[12];
237 uschar * p = yield + sizeof(yield) - 1;
242 *--p = base62_chars[value % BASE_62];
249 #endif /* COMPILE_UTILITY */
253 /*************************************************
254 * Interpret escape sequence *
255 *************************************************/
257 /* This function is called from several places where escape sequences are to be
258 interpreted in strings.
261 pp points a pointer to the initiating "\" in the string;
262 the pointer gets updated to point to the final character
263 If the backslash is the last character in the string, it
265 Returns: the value of the character escape
269 string_interpret_escape(const uschar **pp)
271 #ifdef COMPILE_UTILITY
272 const uschar *hex_digits= CUS"0123456789abcdef";
275 const uschar *p = *pp;
277 if (ch == '\0') return **pp;
278 if (isdigit(ch) && ch != '8' && ch != '9')
281 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
283 ch = ch * 8 + *(++p) - '0';
284 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
285 ch = ch * 8 + *(++p) - '0';
290 case 'b': ch = '\b'; break;
291 case 'f': ch = '\f'; break;
292 case 'n': ch = '\n'; break;
293 case 'r': ch = '\r'; break;
294 case 't': ch = '\t'; break;
295 case 'v': ch = '\v'; break;
301 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
302 if (isxdigit(p[1])) ch = ch * 16 +
303 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
313 #ifndef COMPILE_UTILITY
314 /*************************************************
315 * Ensure string is printable *
316 *************************************************/
318 /* This function is called for critical strings. It checks for any
319 non-printing characters, and if any are found, it makes a new copy
320 of the string with suitable escape sequences. It is most often called by the
321 macro string_printing(), which sets flags to 0.
325 flags Bit 0: convert tabs. Bit 1: convert spaces.
327 Returns: string with non-printers encoded as printing sequences
331 string_printing2(const uschar *s, int flags)
333 int nonprintcount = 0;
342 || flags & SP_TAB && c == '\t'
343 || flags & SP_SPACE && c == ' '
348 if (nonprintcount == 0) return s;
350 /* Get a new block of store guaranteed big enough to hold the
353 tt = ss = store_get(length + nonprintcount * 3 + 1, s);
355 /* Copy everything, escaping non printers. */
361 && (!(flags & SP_TAB) || c != '\t')
362 && (!(flags & SP_SPACE) || c != ' ')
370 case '\n': *tt++ = 'n'; break;
371 case '\r': *tt++ = 'r'; break;
372 case '\b': *tt++ = 'b'; break;
373 case '\v': *tt++ = 'v'; break;
374 case '\f': *tt++ = 'f'; break;
375 case '\t': *tt++ = 't'; break;
376 default: sprintf(CS tt, "%03o", *t); tt += 3; break;
384 #endif /* COMPILE_UTILITY */
386 /*************************************************
387 * Undo printing escapes in string *
388 *************************************************/
390 /* This function is the reverse of string_printing2. It searches for
391 backslash characters and if any are found, it makes a new copy of the
392 string with escape sequences parsed. Otherwise it returns the original
398 Returns: string with printing escapes parsed back
402 string_unprinting(uschar *s)
404 uschar *p, *q, *r, *ss;
407 p = Ustrchr(s, '\\');
410 len = Ustrlen(s) + 1;
411 ss = store_get(len, s);
425 *q++ = string_interpret_escape((const uschar **)&p);
430 r = Ustrchr(p, '\\');
456 #if (defined(HAVE_LOCAL_SCAN) || defined(EXPAND_DLFUNC)) \
457 && !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
458 /*************************************************
459 * Copy and save string *
460 *************************************************/
463 Argument: string to copy
464 Returns: copy of string in new store with the same taint status
468 string_copy_function(const uschar * s)
470 return string_copy_taint(s, s);
473 /* As above, but explicitly specifying the result taint status
477 string_copy_taint_function(const uschar * s, const void * proto_mem)
479 return string_copy_taint(s, proto_mem);
484 /*************************************************
485 * Copy and save string, given length *
486 *************************************************/
488 /* It is assumed the data contains no zeros. A zero is added
493 n number of characters
495 Returns: copy of string in new store
499 string_copyn_function(const uschar * s, int n)
501 return string_copyn(s, n);
506 /*************************************************
507 * Copy and save string in malloc'd store *
508 *************************************************/
510 /* This function assumes that memcpy() is faster than strcpy().
512 Argument: string to copy
513 Returns: copy of string in new store
517 string_copy_malloc(const uschar * s)
519 int len = Ustrlen(s) + 1;
520 uschar * ss = store_malloc(len);
527 /*************************************************
528 * Copy string if long, inserting newlines *
529 *************************************************/
531 /* If the given string is longer than 75 characters, it is copied, and within
532 the copy, certain space characters are converted into newlines.
534 Argument: pointer to the string
535 Returns: pointer to the possibly altered string
539 string_split_message(uschar * msg)
543 if (!msg || Ustrlen(msg) <= 75) return msg;
544 s = ss = msg = string_copy(msg);
549 while (i < 75 && *ss && *ss != '\n') ss++, i++;
561 if (t[-1] == ':') { tt = t; break; }
566 if (!tt) /* Can't split behind - try ahead */
571 if (*t == ' ' || *t == '\n')
577 if (!tt) break; /* Can't find anywhere to split */
588 /*************************************************
589 * Copy returned DNS domain name, de-escaping *
590 *************************************************/
592 /* If a domain name contains top-bit characters, some resolvers return
593 the fully qualified name with those characters turned into escapes. The
594 convention is a backslash followed by _decimal_ digits. We convert these
595 back into the original binary values. This will be relevant when
596 allow_utf8_domains is set true and UTF-8 characters are used in domain
597 names. Backslash can also be used to escape other characters, though we
598 shouldn't come across them in domain names.
600 Argument: the domain name string
601 Returns: copy of string in new store, de-escaped
605 string_copy_dnsdomain(uschar * s)
608 uschar * ss = yield = store_get(Ustrlen(s) + 1, GET_TAINTED); /* always treat as tainted */
614 else if (isdigit(s[1]))
616 *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
628 #ifndef COMPILE_UTILITY
629 /*************************************************
630 * Copy space-terminated or quoted string *
631 *************************************************/
633 /* This function copies from a string until its end, or until whitespace is
634 encountered, unless the string begins with a double quote, in which case the
635 terminating quote is sought, and escaping within the string is done. The length
636 of a de-quoted string can be no longer than the original, since escaping always
637 turns n characters into 1 character.
639 Argument: pointer to the pointer to the first character, which gets updated
640 Returns: the new string
644 string_dequote(const uschar ** sptr)
646 const uschar * s = * sptr;
649 /* First find the end of the string */
656 while (*s && *s != '\"')
658 if (*s == '\\') (void)string_interpret_escape(&s);
664 /* Get enough store to copy into */
666 t = yield = store_get(s - *sptr + 1, *sptr);
672 while (*s && !isspace(*s)) *t++ = *s++;
676 while (*s && *s != '\"')
678 *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
684 /* Update the pointer and return the terminated copy */
690 #endif /* COMPILE_UTILITY */
694 /*************************************************
695 * Format a string and save it *
696 *************************************************/
698 /* The formatting is done by string_vformat, which checks the length of
699 everything. Taint is taken from the worst of the arguments.
702 format a printf() format - deliberately char * rather than uschar *
703 because it will most usually be a literal string
704 func caller, for debug
705 line caller, for debug
706 ... arguments for format
708 Returns: pointer to fresh piece of store containing sprintf'ed string
712 string_sprintf_trc(const char * format, const uschar * func, unsigned line, ...)
714 #ifdef COMPILE_UTILITY
715 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
716 gstring gs = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
721 unsigned flags = SVFMT_REBUFFER|SVFMT_EXTEND;
726 g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
731 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
732 "string_sprintf expansion was longer than %d; format string was (%s)\n"
733 " called from %s %d\n",
734 STRING_SPRINTF_BUFFER_SIZE, format, func, line);
736 #ifdef COMPILE_UTILITY
737 return string_copyn(g->s, g->ptr);
739 gstring_release_unused(g);
740 return string_from_gstring(g);
746 /*************************************************
747 * Case-independent strncmp() function *
748 *************************************************/
754 n number of characters to compare
756 Returns: < 0, = 0, or > 0, according to the comparison
760 strncmpic(const uschar * s, const uschar * t, int n)
764 int c = tolower(*s++) - tolower(*t++);
771 /*************************************************
772 * Case-independent strcmp() function *
773 *************************************************/
780 Returns: < 0, = 0, or > 0, according to the comparison
784 strcmpic(const uschar * s, const uschar * t)
788 int c = tolower(*s++) - tolower(*t++);
789 if (c != 0) return c;
795 /*************************************************
796 * Case-independent strstr() function *
797 *************************************************/
799 /* The third argument specifies whether whitespace is required
800 to follow the matched string.
804 t substring to search for
805 space_follows if TRUE, match only if whitespace follows
807 Returns: pointer to substring in string, or NULL if not found
811 strstric_c(const uschar * s, const uschar * t, BOOL space_follows)
813 const uschar * p = t;
814 const uschar * yield = NULL;
815 int cl = tolower(*p);
816 int cu = toupper(*p);
820 if (*s == cl || *s == cu)
822 if (!yield) yield = s;
825 if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
846 strstric(uschar * s, uschar * t, BOOL space_follows)
848 return US strstric_c(s, t, space_follows);
852 #ifdef COMPILE_UTILITY
853 /* Dummy version for this function; it should never be called */
855 gstring_grow(gstring * g, int count)
863 #ifndef COMPILE_UTILITY
864 /*************************************************
865 * Get next string from separated list *
866 *************************************************/
868 /* Leading and trailing space is removed from each item. The separator in the
869 list is controlled by the int pointed to by the separator argument as follows:
871 If the value is > 0 it is used as the separator. This is typically used for
872 sublists such as slash-separated options. The value is always a printing
875 (If the value is actually > UCHAR_MAX there is only one item in the list.
876 This is used for some cases when called via functions that sometimes
877 plough through lists, and sometimes are given single items.)
879 If the value is <= 0, the string is inspected for a leading <x, where x is an
880 ispunct() or an iscntrl() character. If found, x is used as the separator. If
883 (a) if separator == 0, ':' is used
884 (b) if separator <0, -separator is used
886 In all cases the value of the separator that is used is written back to the
887 int so that it is used on subsequent calls as we progress through the list.
889 A literal ispunct() separator can be represented in an item by doubling, but
890 there is no way to include an iscntrl() separator as part of the data.
893 listptr points to a pointer to the current start of the list; the
894 pointer gets updated to point after the end of the next item
895 separator a pointer to the separator character in an int (see above)
896 buffer where to put a copy of the next string in the list; or
897 NULL if the next string is returned in new memory
898 Note that if the list is tainted then a provided buffer must be
899 also (else we trap, with a message referencing the callsite).
900 If we do the allocation, taint is handled there.
901 buflen when buffer is not NULL, the size of buffer; otherwise ignored
903 func caller, for debug
904 line caller, for debug
906 Returns: pointer to buffer, containing the next substring,
907 or NULL if no more substrings
911 string_nextinlist_trc(const uschar ** listptr, int * separator, uschar * buffer,
912 int buflen, const uschar * func, int line)
914 int sep = *separator;
915 const uschar * s = *listptr;
920 /* This allows for a fixed specified separator to be an iscntrl() character,
921 but at the time of implementation, this is never the case. However, it's best
922 to be conservative. */
924 while (isspace(*s) && *s != sep) s++;
926 /* A change of separator is permitted, so look for a leading '<' followed by an
927 allowed character. */
931 if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
935 while (isspace(*s) && *s != sep) s++;
938 sep = sep ? -sep : ':';
942 /* An empty string has no list elements */
944 if (!*s) return NULL;
946 /* Note whether whether or not the separator is an iscntrl() character. */
948 sep_is_special = iscntrl(sep);
950 /* Handle the case when a buffer is provided. */
951 /*XXX need to also deal with qouted-requirements mismatch */
956 if (is_tainted(s) && !is_tainted(buffer))
957 die_tainted(US"string_nextinlist", func, line);
960 if (*s == sep && (*(++s) != sep || sep_is_special)) break;
961 if (p < buflen - 1) buffer[p++] = *s;
963 while (p > 0 && isspace(buffer[p-1])) p--;
967 /* Handle the case when a buffer is not provided. */
973 /* We know that *s != 0 at this point. However, it might be pointing to a
974 separator, which could indicate an empty string, or (if an ispunct()
975 character) could be doubled to indicate a separator character as data at the
976 start of a string. Avoid getting working memory for an empty item. */
979 if (*++s != sep || sep_is_special)
982 return string_copy(US"");
985 /* Not an empty string; the first character is guaranteed to be a data
991 for (ss = s + 1; *ss && *ss != sep; ) ss++;
992 g = string_catn(g, s, ss-s);
994 if (!*s || *++s != sep || sep_is_special) break;
997 /* Trim trailing spaces from the returned string */
999 /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
1000 while ( g->ptr > 0 && isspace(g->s[g->ptr-1])
1001 && (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
1003 buffer = string_from_gstring(g);
1004 gstring_release_unused_trc(g, CCS func, line);
1007 /* Update the current pointer and return the new string */
1014 static const uschar *
1015 Ustrnchr(const uschar * s, int c, unsigned * len)
1017 unsigned siz = *len;
1020 if (!*s) return NULL;
1033 /************************************************
1034 * Add element to separated list *
1035 ************************************************/
1036 /* This function is used to build a list, returning an allocated null-terminated
1037 growable string. The given element has any embedded separator characters
1040 Despite having the same growable-string interface as string_cat() the list is
1041 always returned null-terminated.
1044 list expanding-string for the list that is being built, or NULL
1045 if this is a new list that has no contents yet
1046 sep list separator character
1047 ele new element to be appended to the list
1049 Returns: pointer to the start of the list, changed if copied for expansion.
1053 string_append_listele(gstring * list, uschar sep, const uschar * ele)
1057 if (list && list->ptr)
1058 list = string_catn(list, &sep, 1);
1060 while((sp = Ustrchr(ele, sep)))
1062 list = string_catn(list, ele, sp-ele+1);
1063 list = string_catn(list, &sep, 1);
1066 list = string_cat(list, ele);
1067 (void) string_from_gstring(list);
1073 string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
1078 if (list && list->ptr)
1079 list = string_catn(list, &sep, 1);
1081 while((sp = Ustrnchr(ele, sep, &len)))
1083 list = string_catn(list, ele, sp-ele+1);
1084 list = string_catn(list, &sep, 1);
1088 list = string_catn(list, ele, len);
1089 (void) string_from_gstring(list);
1095 /* A slightly-bogus listmaker utility; the separator is a string so
1096 can be multiple chars - there is no checking for the element content
1097 containing any of the separator. */
1100 string_append2_listele_n(gstring * list, const uschar * sepstr,
1101 const uschar * ele, unsigned len)
1103 if (list && list->ptr)
1104 list = string_cat(list, sepstr);
1106 list = string_catn(list, ele, len);
1107 (void) string_from_gstring(list);
1113 /************************************************/
1114 /* Add more space to a growable-string. The caller should check
1115 first if growth is required. The gstring struct is modified on
1116 return; specifically, the string-base-pointer may have been changed.
1119 g the growable-string
1120 count amount needed for g->ptr to increase by
1124 gstring_grow(gstring * g, int count)
1127 int oldsize = g->size;
1129 /* Mostly, string_cat() is used to build small strings of a few hundred
1130 characters at most. There are times, however, when the strings are very much
1131 longer (for example, a lookup that returns a vast number of alias addresses).
1132 To try to keep things reasonable, we use increments whose size depends on the
1133 existing length of the string. */
1135 unsigned inc = oldsize < 4096 ? 127 : 1023;
1137 if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
1138 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1139 "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
1141 if (count <= 0) return;
1143 if (count >= INT_MAX/2 - g->ptr)
1144 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1145 "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
1147 g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
1149 /* Try to extend an existing allocation. If the result of calling
1150 store_extend() is false, either there isn't room in the current memory block,
1151 or this string is not the top item on the dynamic store stack. We then have
1152 to get a new chunk of store and copy the old string. When building large
1153 strings, it is helpful to call store_release() on the old string, to release
1154 memory blocks that have become empty. (The block will be freed if the string
1155 is at its start.) However, we can do this only if we know that the old string
1156 was the last item on the dynamic memory stack. This is the case if it matches
1159 if (!store_extend(g->s, oldsize, g->size))
1160 g->s = store_newblock(g->s, g->size, p);
1165 /*************************************************
1166 * Add chars to string *
1167 *************************************************/
1168 /* This function is used when building up strings of unknown length. Room is
1169 always left for a terminating zero to be added to the string that is being
1170 built. This function does not require the string that is being added to be NUL
1171 terminated, because the number of characters to add is given explicitly. It is
1172 sometimes called to extract parts of other strings.
1175 g growable-string that is being built, or NULL if not assigned yet
1176 s points to characters to add
1177 count count of characters to add; must not exceed the length of s, if s
1180 Returns: growable string, changed if copied for expansion.
1181 Note that a NUL is not added, though space is left for one. This is
1182 because string_cat() is often called multiple times to build up a
1183 string - there's no point adding the NUL till the end.
1184 NULL is a possible return.
1187 /* coverity[+alloc] */
1190 string_catn(gstring * g, const uschar * s, int count)
1195 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1196 "internal error in string_catn (count %d)", count);
1197 if (count == 0) return g;
1199 /*debug_printf("string_catn '%.*s'\n", count, s);*/
1202 unsigned inc = count < 4096 ? 127 : 1023;
1203 unsigned size = ((count + inc) & ~inc) + 1; /* round up requested count */
1204 g = string_get_tainted(size, s);
1206 else if (!g->s) /* should not happen */
1208 g->s = string_copyn(s, count);
1210 g->size = count; /*XXX suboptimal*/
1213 else if (is_incompatible(g->s, s))
1215 /* debug_printf("rebuf A\n"); */
1216 gstring_rebuffer(g, s);
1219 if (g->ptr < 0 || g->ptr > g->size)
1220 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1221 "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
1224 if (count >= g->size - p)
1225 gstring_grow(g, count);
1227 /* Because we always specify the exact number of characters to copy, we can
1228 use memcpy(), which is likely to be more efficient than strncopy() because the
1229 latter has to check for zero bytes. */
1231 memcpy(g->s + p, s, count);
1238 /*************************************************
1239 * Append strings to another string *
1240 *************************************************/
1242 /* This function can be used to build a string from many other strings.
1243 It calls string_cat() to do the dirty work.
1246 g growable-string that is being built, or NULL if not yet assigned
1247 count the number of strings to append
1248 ... "count" uschar* arguments, which must be valid zero-terminated
1251 Returns: growable string, changed if copied for expansion.
1252 The string is not zero-terminated - see string_cat() above.
1255 __inline__ gstring *
1256 string_append(gstring * g, int count, ...)
1260 va_start(ap, count);
1263 uschar * t = va_arg(ap, uschar *);
1264 g = string_cat(g, t);
1274 /*************************************************
1275 * Format a string with length checks *
1276 *************************************************/
1278 /* This function is used to format a string with checking of the length of the
1279 output for all conversions. It protects Exim from absent-mindedness when
1280 calling functions like debug_printf and string_sprintf, and elsewhere. There
1281 are two different entry points to what is actually the same function, depending
1282 on whether the variable length list of data arguments are given explicitly or
1285 The formats are the usual printf() ones, with some omissions (never used) and
1286 three additions for strings: %S forces lower case, %T forces upper case, and
1287 %#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
1288 (useful in debugging). There is also the addition of %D and %M, which insert
1289 the date in the form used for datestamped log files.
1292 buffer a buffer in which to put the formatted string
1293 buflen the length of the buffer
1294 format the format string - deliberately char * and not uschar *
1295 ... or ap variable list of supplementary arguments
1297 Returns: TRUE if the result fitted in the buffer
1301 string_format_trc(uschar * buffer, int buflen,
1302 const uschar * func, unsigned line, const char * format, ...)
1304 gstring g = { .size = buflen, .ptr = 0, .s = buffer }, * gp;
1306 va_start(ap, format);
1307 gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1317 /* Build or append to a growing-string, sprintf-style.
1321 func called-from function name, for debug
1322 line called-from file line number, for debug
1323 limit maximum string size
1325 format printf-like format string
1326 ap variable-args pointer
1329 SVFMT_EXTEND buffer can be created or extended as needed
1330 SVFMT_REBUFFER buffer can be recopied to tainted mem as needed
1331 SVFMT_TAINT_NOCHK do not check inputs for taint
1333 If the "extend" flag is true, the string passed in can be NULL,
1334 empty, or non-empty. Growing is subject to an overall limit given
1335 by the limit argument.
1337 If the "extend" flag is false, the string passed in may not be NULL,
1338 will not be grown, and is usable in the original place after return.
1339 The return value can be NULL to signify overflow.
1341 Field width: decimal digits, or *
1342 Precision: dot, followed by decimal digits or *
1343 Length modifiers: h L l ll z
1344 Conversion specifiers: n d o u x X p f e E g G % c s S T W V Y D M
1345 Alternate-form: %#s is silent about a null string
1347 Returns the possibly-new (if copy for growth or taint-handling was needed)
1348 string, not nul-terminated.
1352 string_vformat_trc(gstring * g, const uschar * func, unsigned line,
1353 unsigned size_limit, unsigned flags, const char * format, va_list ap)
1355 enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
1357 int width, precision, off, lim, need;
1358 const char * fp = format; /* Deliberately not unsigned */
1360 string_datestamp_offset = -1; /* Datestamp not inserted */
1361 string_datestamp_length = 0; /* Datestamp not inserted */
1362 string_datestamp_type = 0; /* Datestamp not inserted */
1364 #ifdef COMPILE_UTILITY
1365 assert(!(flags & SVFMT_EXTEND));
1369 /* Ensure we have a string, to save on checking later */
1370 if (!g) g = string_get(16);
1372 if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, format))
1374 #ifndef MACRO_PREDEF
1375 if (!(flags & SVFMT_REBUFFER))
1376 die_tainted(US"string_vformat", func, line);
1378 /* debug_printf("rebuf B\n"); */
1379 gstring_rebuffer(g, format);
1381 #endif /*!COMPILE_UTILITY*/
1383 lim = g->size - 1; /* leave one for a nul */
1384 off = g->ptr; /* remember initial offset in gstring */
1386 /* Scan the format and handle the insertions */
1390 int length = L_NORMAL;
1393 const char *null = "NULL"; /* ) These variables */
1394 const char *item_start, *s; /* ) are deliberately */
1395 char newformat[16]; /* ) not unsigned */
1396 char * gp = CS g->s + g->ptr; /* ) */
1398 /* Non-% characters just get copied verbatim */
1402 /* Avoid string_copyn() due to COMPILE_UTILITY */
1403 if ((need = g->ptr + 1) > lim)
1405 if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
1409 g->s[g->ptr++] = (uschar) *fp++;
1413 /* Deal with % characters. Pick off the width and precision, for checking
1414 strings, skipping over the flag and modifier characters. */
1417 width = precision = -1;
1419 if (strchr("-+ #0", *(++fp)) != NULL)
1421 if (*fp == '#') null = "";
1425 if (isdigit((uschar)*fp))
1427 width = *fp++ - '0';
1428 while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
1430 else if (*fp == '*')
1432 width = va_arg(ap, int);
1439 precision = va_arg(ap, int);
1443 for (precision = 0; isdigit((uschar)*fp); fp++)
1444 precision = precision*10 + *fp - '0';
1446 /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
1449 { fp++; length = L_SHORT; }
1450 else if (*fp == 'L')
1451 { fp++; length = L_LONGDOUBLE; }
1452 else if (*fp == 'l')
1454 { fp += 2; length = L_LONGLONG; }
1456 { fp++; length = L_LONG; }
1457 else if (*fp == 'z')
1458 { fp++; length = L_SIZE; }
1460 /* Handle each specific format type. */
1465 nptr = va_arg(ap, int *);
1466 *nptr = g->ptr - off;
1474 width = length > L_LONG ? 24 : 12;
1475 if ((need = g->ptr + width) > lim)
1477 if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
1478 gstring_grow(g, width);
1480 gp = CS g->s + g->ptr;
1482 strncpy(newformat, item_start, fp - item_start);
1483 newformat[fp - item_start] = 0;
1485 /* Short int is promoted to int when passing through ..., so we must use
1486 int for va_arg(). */
1492 g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
1494 g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
1496 g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
1498 g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
1505 if ((need = g->ptr + 24) > lim)
1507 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1508 gstring_grow(g, 24);
1510 gp = CS g->s + g->ptr;
1512 /* sprintf() saying "(nil)" for a null pointer seems unreliable.
1513 Handle it explicitly. */
1514 if ((ptr = va_arg(ap, void *)))
1516 strncpy(newformat, item_start, fp - item_start);
1517 newformat[fp - item_start] = 0;
1518 g->ptr += sprintf(gp, newformat, ptr);
1521 g->ptr += sprintf(gp, "(nil)");
1525 /* %f format is inherently insecure if the numbers that it may be
1526 handed are unknown (e.g. 1e300). However, in Exim, %f is used for
1527 printing load averages, and these are actually stored as integers
1528 (load average * 1000) so the size of the numbers is constrained.
1529 It is also used for formatting sending rates, where the simplicity
1530 of the format prevents overflow. */
1537 if (precision < 0) precision = 6;
1538 if ((need = g->ptr + precision + 8) > lim)
1540 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1541 gstring_grow(g, precision+8);
1543 gp = CS g->s + g->ptr;
1545 strncpy(newformat, item_start, fp - item_start);
1546 newformat[fp-item_start] = 0;
1547 if (length == L_LONGDOUBLE)
1548 g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
1550 g->ptr += sprintf(gp, newformat, va_arg(ap, double));
1556 if ((need = g->ptr + 1) > lim)
1558 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1562 g->s[g->ptr++] = (uschar) '%';
1566 if ((need = g->ptr + 1) > lim)
1568 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1572 g->s[g->ptr++] = (uschar) va_arg(ap, int);
1575 case 'D': /* Insert daily datestamp for log file names */
1576 s = CS tod_stamp(tod_log_datestamp_daily);
1577 string_datestamp_offset = g->ptr; /* Passed back via global */
1578 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1579 string_datestamp_type = tod_log_datestamp_daily;
1580 slen = string_datestamp_length;
1583 case 'M': /* Insert monthly datestamp for log file names */
1584 s = CS tod_stamp(tod_log_datestamp_monthly);
1585 string_datestamp_offset = g->ptr; /* Passed back via global */
1586 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1587 string_datestamp_type = tod_log_datestamp_monthly;
1588 slen = string_datestamp_length;
1591 case 'Y': /* gstring pointer */
1593 gstring * zg = va_arg(ap, gstring *);
1594 if (zg) { s = CS zg->s; slen = gstring_length(zg); }
1595 else { s = null; slen = Ustrlen(s); }
1596 goto INSERT_GSTRING;
1598 #ifndef COMPILE_UTILITY
1599 case 'V': /* Maybe convert ascii-art to UTF-8 chars */
1601 gstring * zg = NULL;
1602 s = va_arg(ap, char *);
1603 if (IS_DEBUG(D_noutf8))
1605 zg = string_catn(zg, CUS (*s == 'K' ? "|" : s), 1);
1607 for ( ; *s; s++) switch (*s)
1609 case '\\': zg = string_catn(zg, US UTF8_UP_RIGHT, 3); break;
1610 case '/': zg = string_catn(zg, US UTF8_DOWN_RIGHT, 3); break;
1612 case '_': zg = string_catn(zg, US UTF8_HORIZ, 3); break;
1613 case '|': zg = string_catn(zg, US UTF8_VERT, 3); break;
1614 case 'K': zg = string_catn(zg, US UTF8_VERT_RIGHT, 3); break;
1615 case '<': zg = string_catn(zg, US UTF8_LEFT_TRIANGLE, 3); break;
1616 case '>': zg = string_catn(zg, US UTF8_RIGHT_TRIANGLE, 3); break;
1617 default: zg = string_catn(zg, CUS s, 1); break;
1623 slen = gstring_length(zg);
1624 goto INSERT_GSTRING;
1627 case 'W': /* Maybe mark up ctrls, spaces & newlines */
1628 s = va_arg(ap, char *);
1629 if (s && !IS_DEBUG(D_noutf8))
1631 gstring * zg = NULL;
1635 /* Take a given precision as applying to the input; expand
1636 it for the transformed result */
1638 if (p >= 0 && --p < 0) break;
1642 zg = string_catn(zg, CUS UTF8_LIGHT_SHADE, 3);
1643 if (precision >= 0) precision += 2;
1646 zg = string_catn(zg, CUS UTF8_L_ARROW_HOOK "\n", 4);
1647 if (precision >= 0) precision += 3;
1651 { /* base of UTF8 symbols for ASCII control chars */
1652 uschar ctrl_symbol[3] = {[0]=0xe2, [1]=0x90, [2]=0x80};
1653 ctrl_symbol[2] |= *s;
1654 zg = string_catn(zg, ctrl_symbol, 3);
1655 if (precision >= 0) precision += 2;
1658 zg = string_catn(zg, CUS s, 1);
1662 if (zg) { s = CS zg->s; slen = gstring_length(zg); }
1663 else { s = ""; slen = 0; }
1670 goto INSERT_GSTRING;
1674 case 'S': /* Forces *lower* case */
1675 case 'T': /* Forces *upper* case */
1676 s = va_arg(ap, char *);
1681 INSERT_GSTRING: /* Come to from %Y above */
1683 if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, s))
1684 if (flags & SVFMT_REBUFFER)
1686 /* debug_printf("%s %d: untainted workarea, tainted %%s :- rebuffer\n", __FUNCTION__, __LINE__); */
1687 gstring_rebuffer(g, s);
1688 gp = CS g->s + g->ptr;
1690 #ifndef MACRO_PREDEF
1692 die_tainted(US"string_vformat", func, line);
1695 INSERT_STRING: /* Come to from %D or %M above */
1698 BOOL truncated = FALSE;
1700 /* If the width is specified, check that there is a precision
1701 set; if not, set it to the width to prevent overruns of long
1706 if (precision < 0) precision = width;
1709 /* If a width is not specified and the precision is specified, set
1710 the width to the precision, or the string length if shorter. */
1712 else if (precision >= 0)
1713 width = precision < slen ? precision : slen;
1715 /* If neither are specified, set them both to the string length. */
1718 width = precision = slen;
1720 if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
1722 if (g->ptr == lim) return NULL;
1726 width = precision = lim - g->ptr - 1;
1727 if (width < 0) width = 0;
1728 if (precision < 0) precision = 0;
1731 else if (need > lim)
1733 gstring_grow(g, width);
1735 gp = CS g->s + g->ptr;
1738 g->ptr += sprintf(gp, "%*.*s", width, precision, s);
1740 while (*gp) { *gp = tolower(*gp); gp++; }
1741 else if (fp[-1] == 'T')
1742 while (*gp) { *gp = toupper(*gp); gp++; }
1744 if (truncated) return NULL;
1748 /* Some things are never used in Exim; also catches junk. */
1751 strncpy(newformat, item_start, fp - item_start);
1752 newformat[fp-item_start] = 0;
1753 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
1754 "in \"%s\" in \"%s\"", newformat, format);
1759 if (g->ptr > g->size)
1760 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1761 "string_format internal error: caller %s %d", func, line);
1767 #ifndef COMPILE_UTILITY
1768 /*************************************************
1769 * Generate an "open failed" message *
1770 *************************************************/
1772 /* This function creates a message after failure to open a file. It includes a
1773 string supplied as data, adds the strerror() text, and if the failure was
1774 "Permission denied", reads and includes the euid and egid.
1777 format a text format string - deliberately not uschar *
1778 func caller, for debug
1779 line caller, for debug
1780 ... arguments for the format string
1782 Returns: a message, in dynamic store
1786 string_open_failed_trc(const uschar * func, unsigned line,
1787 const char * format, ...)
1790 gstring * g = string_get(1024);
1792 g = string_catn(g, US"failed to open ", 15);
1794 /* Use the checked formatting routine to ensure that the buffer
1795 does not overflow. It should not, since this is called only for internally
1796 specified messages. If it does, the message just gets truncated, and there
1797 doesn't seem much we can do about that. */
1799 va_start(ap, format);
1800 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1801 SVFMT_REBUFFER, format, ap);
1804 g = string_catn(g, US": ", 2);
1805 g = string_cat(g, US strerror(errno));
1807 if (errno == EACCES)
1809 int save_errno = errno;
1810 g = string_fmt_append(g, " (euid=%ld egid=%ld)",
1811 (long int)geteuid(), (long int)getegid());
1814 gstring_release_unused(g);
1815 return string_from_gstring(g);
1822 /* qsort(3), currently used to sort the environment variables
1823 for -bP environment output, needs a function to compare two pointers to string
1824 pointers. Here it is. */
1827 string_compare_by_pointer(const void *a, const void *b)
1829 return Ustrcmp(* CUSS a, * CUSS b);
1831 #endif /* COMPILE_UTILITY */
1836 /*************************************************
1837 **************************************************
1838 * Stand-alone test program *
1839 **************************************************
1840 *************************************************/
1847 printf("Testing is_ip_address\n");
1850 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1853 buffer[Ustrlen(buffer) - 1] = 0;
1854 printf("%d\n", string_is_ip_address(buffer, NULL));
1855 printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
1858 printf("Testing string_nextinlist\n");
1860 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1862 uschar *list = buffer;
1870 sep1 = sep2 = list[1];
1877 uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
1878 uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
1880 if (item1 == NULL && item2 == NULL) break;
1881 if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
1883 printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
1884 (item1 == NULL)? "NULL" : CS item1,
1885 (item2 == NULL)? "NULL" : CS item2);
1888 else printf(" \"%s\"\n", CS item1);
1892 /* This is a horrible lash-up, but it serves its purpose. */
1894 printf("Testing string_format\n");
1896 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1899 long long llargs[3];
1905 BOOL countset = FASE;
1909 buffer[Ustrlen(buffer) - 1] = 0;
1911 s = Ustrchr(buffer, ',');
1912 if (s == NULL) s = buffer + Ustrlen(buffer);
1914 Ustrncpy(format, buffer, s - buffer);
1915 format[s-buffer] = 0;
1922 s = Ustrchr(ss, ',');
1923 if (s == NULL) s = ss + Ustrlen(ss);
1927 Ustrncpy(outbuf, ss, s-ss);
1928 if (Ustrchr(outbuf, '.') != NULL)
1931 dargs[n++] = Ustrtod(outbuf, NULL);
1933 else if (Ustrstr(outbuf, "ll") != NULL)
1936 llargs[n++] = strtoull(CS outbuf, NULL, 10);
1940 args[n++] = (void *)Uatoi(outbuf);
1944 else if (Ustrcmp(ss, "*") == 0)
1946 args[n++] = (void *)(&count);
1952 uschar *sss = malloc(s - ss + 1);
1953 Ustrncpy(sss, ss, s-ss);
1960 if (!dflag && !llflag)
1961 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1962 args[0], args[1], args[2])? "True" : "False");
1965 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1966 dargs[0], dargs[1], dargs[2])? "True" : "False");
1968 else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1969 llargs[0], llargs[1], llargs[2])? "True" : "False");
1971 printf("%s\n", CS outbuf);
1972 if (countset) printf("count=%d\n", count);
1979 /* End of string.c */