1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 - 2021 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Miscellaneous string-handling functions. Some are not required for
10 utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
17 #ifndef COMPILE_UTILITY
18 /*************************************************
19 * Test for IP address *
20 *************************************************/
22 /* This used just to be a regular expression, but with IPv6 things are a bit
23 more complicated. If the address contains a colon, it is assumed to be a v6
24 address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
25 and maskptr is not NULL, its offset is placed there.
29 maskptr NULL if no mask is permitted to follow
30 otherwise, points to an int where the offset of '/' is placed
31 if there is no / followed by trailing digits, *maskptr is set 0
33 Returns: 0 if the string is not a textual representation of an IP address
34 4 if it is an IPv4 address
35 6 if it is an IPv6 address
39 string_is_ip_address(const uschar *s, int *maskptr)
43 /* If an optional mask is permitted, check for it. If found, pass back the
48 const uschar *ss = s + Ustrlen(s);
50 if (s != ss && isdigit(*(--ss)))
52 while (ss > s && isdigit(ss[-1])) ss--;
53 if (ss > s && *(--ss) == '/') *maskptr = ss - s;
57 /* A colon anywhere in the string => IPv6 address */
59 if (Ustrchr(s, ':') != NULL)
61 BOOL had_double_colon = FALSE;
66 /* An IPv6 address must start with hex digit or double colon. A single
69 if (*s == ':' && *(++s) != ':') return 0;
71 /* Now read up to 8 components consisting of up to 4 hex digits each. There
72 may be one and only one appearance of double colon, which implies any number
73 of binary zero bits. The number of preceding components is held in count. */
75 for (int count = 0; count < 8; count++)
77 /* If the end of the string is reached before reading 8 components, the
78 address is valid provided a double colon has been read. This also applies
79 if we hit the / that introduces a mask or the % that introduces the
80 interface specifier (scope id) of a link-local address. */
82 if (*s == 0 || *s == '%' || *s == '/') return had_double_colon ? yield : 0;
84 /* If a component starts with an additional colon, we have hit a double
85 colon. This is permitted to appear once only, and counts as at least
86 one component. The final component may be of this form. */
90 if (had_double_colon) return 0;
91 had_double_colon = TRUE;
96 /* If the remainder of the string contains a dot but no colons, we
97 can expect a trailing IPv4 address. This is valid if either there has
98 been no double-colon and this is the 7th component (with the IPv4 address
99 being the 7th & 8th components), OR if there has been a double-colon
100 and fewer than 6 components. */
102 if (Ustrchr(s, ':') == NULL && Ustrchr(s, '.') != NULL)
104 if ((!had_double_colon && count != 6) ||
105 (had_double_colon && count > 6)) return 0;
111 /* Check for at least one and not more than 4 hex digits for this
114 if (!isxdigit(*s++)) return 0;
115 if (isxdigit(*s) && isxdigit(*(++s)) && isxdigit(*(++s))) s++;
117 /* If the component is terminated by colon and there is more to
118 follow, skip over the colon. If there is no more to follow the address is
121 if (*s == ':' && *(++s) == 0) return 0;
124 /* If about to handle a trailing IPv4 address, drop through. Otherwise
125 all is well if we are at the end of the string or at the mask or at a percent
126 sign, which introduces the interface specifier (scope id) of a link local
130 return (*s == 0 || *s == '%' ||
131 (*s == '/' && maskptr != NULL && *maskptr != 0))? yield : 0;
134 /* Test for IPv4 address, which may be the tail-end of an IPv6 address. */
136 for (int i = 0; i < 4; i++)
141 if (i != 0 && *s++ != '.') return 0;
142 n = strtol(CCS s, CSS &end, 10);
143 if (n > 255 || n < 0 || end <= s || end > s+3) return 0;
147 return !*s || (*s == '/' && maskptr && *maskptr != 0) ? yield : 0;
149 #endif /* COMPILE_UTILITY */
152 /*************************************************
153 * Format message size *
154 *************************************************/
156 /* Convert a message size in bytes to printing form, rounding
157 according to the magnitude of the number. A value of zero causes
158 a string of spaces to be returned.
161 size the message size in bytes
162 buffer where to put the answer
164 Returns: pointer to the buffer
165 a string of exactly 5 characters is normally returned
169 string_format_size(int size, uschar *buffer)
171 if (size == 0) Ustrcpy(buffer, US" ");
172 else if (size < 1024) sprintf(CS buffer, "%5d", size);
173 else if (size < 10*1024)
174 sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
175 else if (size < 1024*1024)
176 sprintf(CS buffer, "%4dK", (size + 512)/1024);
177 else if (size < 10*1024*1024)
178 sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
180 sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
186 #ifndef COMPILE_UTILITY
187 /*************************************************
188 * Convert a number to base 62 format *
189 *************************************************/
191 /* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
192 BASE_62 is actually 36. Always return exactly 6 characters plus zero, in a
195 Argument: a long integer
196 Returns: pointer to base 62 string
200 string_base62(unsigned long int value)
202 static uschar yield[7];
203 uschar *p = yield + sizeof(yield) - 1;
207 *(--p) = base62_chars[value % BASE_62];
212 #endif /* COMPILE_UTILITY */
216 /*************************************************
217 * Interpret escape sequence *
218 *************************************************/
220 /* This function is called from several places where escape sequences are to be
221 interpreted in strings.
224 pp points a pointer to the initiating "\" in the string;
225 the pointer gets updated to point to the final character
226 If the backslash is the last character in the string, it
228 Returns: the value of the character escape
232 string_interpret_escape(const uschar **pp)
234 #ifdef COMPILE_UTILITY
235 const uschar *hex_digits= CUS"0123456789abcdef";
238 const uschar *p = *pp;
240 if (ch == '\0') return **pp;
241 if (isdigit(ch) && ch != '8' && ch != '9')
244 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
246 ch = ch * 8 + *(++p) - '0';
247 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
248 ch = ch * 8 + *(++p) - '0';
253 case 'b': ch = '\b'; break;
254 case 'f': ch = '\f'; break;
255 case 'n': ch = '\n'; break;
256 case 'r': ch = '\r'; break;
257 case 't': ch = '\t'; break;
258 case 'v': ch = '\v'; break;
264 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
265 if (isxdigit(p[1])) ch = ch * 16 +
266 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
276 #ifndef COMPILE_UTILITY
277 /*************************************************
278 * Ensure string is printable *
279 *************************************************/
281 /* This function is called for critical strings. It checks for any
282 non-printing characters, and if any are found, it makes a new copy
283 of the string with suitable escape sequences. It is most often called by the
284 macro string_printing(), which sets flags to 0.
288 flags Bit 0: convert tabs. Bit 1: convert spaces.
290 Returns: string with non-printers encoded as printing sequences
294 string_printing2(const uschar *s, int flags)
296 int nonprintcount = 0;
305 || flags & SP_TAB && c == '\t'
306 || flags & SP_SPACE && c == ' '
311 if (nonprintcount == 0) return s;
313 /* Get a new block of store guaranteed big enough to hold the
316 tt = ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s));
318 /* Copy everything, escaping non printers. */
324 && (!(flags & SP_TAB) || c != '\t')
325 && (!(flags & SP_SPACE) || c != ' ')
333 case '\n': *tt++ = 'n'; break;
334 case '\r': *tt++ = 'r'; break;
335 case '\b': *tt++ = 'b'; break;
336 case '\v': *tt++ = 'v'; break;
337 case '\f': *tt++ = 'f'; break;
338 case '\t': *tt++ = 't'; break;
339 default: sprintf(CS tt, "%03o", *t); tt += 3; break;
347 #endif /* COMPILE_UTILITY */
349 /*************************************************
350 * Undo printing escapes in string *
351 *************************************************/
353 /* This function is the reverse of string_printing2. It searches for
354 backslash characters and if any are found, it makes a new copy of the
355 string with escape sequences parsed. Otherwise it returns the original
361 Returns: string with printing escapes parsed back
365 string_unprinting(uschar *s)
367 uschar *p, *q, *r, *ss;
370 p = Ustrchr(s, '\\');
373 len = Ustrlen(s) + 1;
374 ss = store_get(len, is_tainted(s));
388 *q++ = string_interpret_escape((const uschar **)&p);
393 r = Ustrchr(p, '\\');
419 #if (defined(HAVE_LOCAL_SCAN) || defined(EXPAND_DLFUNC)) \
420 && !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
421 /*************************************************
422 * Copy and save string *
423 *************************************************/
426 Argument: string to copy
427 Returns: copy of string in new store with the same taint status
431 string_copy_function(const uschar *s)
433 return string_copy_taint(s, is_tainted(s));
436 /* As above, but explicitly specifying the result taint status
440 string_copy_taint_function(const uschar * s, BOOL tainted)
442 return string_copy_taint(s, tainted);
447 /*************************************************
448 * Copy and save string, given length *
449 *************************************************/
451 /* It is assumed the data contains no zeros. A zero is added
456 n number of characters
458 Returns: copy of string in new store
462 string_copyn_function(const uschar * s, int n)
464 return string_copyn(s, n);
469 /*************************************************
470 * Copy and save string in malloc'd store *
471 *************************************************/
473 /* This function assumes that memcpy() is faster than strcpy().
475 Argument: string to copy
476 Returns: copy of string in new store
480 string_copy_malloc(const uschar * s)
482 int len = Ustrlen(s) + 1;
483 uschar * ss = store_malloc(len);
490 /*************************************************
491 * Copy string if long, inserting newlines *
492 *************************************************/
494 /* If the given string is longer than 75 characters, it is copied, and within
495 the copy, certain space characters are converted into newlines.
497 Argument: pointer to the string
498 Returns: pointer to the possibly altered string
502 string_split_message(uschar * msg)
506 if (!msg || Ustrlen(msg) <= 75) return msg;
507 s = ss = msg = string_copy(msg);
512 while (i < 75 && *ss && *ss != '\n') ss++, i++;
524 if (t[-1] == ':') { tt = t; break; }
529 if (!tt) /* Can't split behind - try ahead */
534 if (*t == ' ' || *t == '\n')
540 if (!tt) break; /* Can't find anywhere to split */
551 /*************************************************
552 * Copy returned DNS domain name, de-escaping *
553 *************************************************/
555 /* If a domain name contains top-bit characters, some resolvers return
556 the fully qualified name with those characters turned into escapes. The
557 convention is a backslash followed by _decimal_ digits. We convert these
558 back into the original binary values. This will be relevant when
559 allow_utf8_domains is set true and UTF-8 characters are used in domain
560 names. Backslash can also be used to escape other characters, though we
561 shouldn't come across them in domain names.
563 Argument: the domain name string
564 Returns: copy of string in new store, de-escaped
568 string_copy_dnsdomain(uschar * s)
571 uschar * ss = yield = store_get(Ustrlen(s) + 1, TRUE); /* always treat as tainted */
577 else if (isdigit(s[1]))
579 *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
591 #ifndef COMPILE_UTILITY
592 /*************************************************
593 * Copy space-terminated or quoted string *
594 *************************************************/
596 /* This function copies from a string until its end, or until whitespace is
597 encountered, unless the string begins with a double quote, in which case the
598 terminating quote is sought, and escaping within the string is done. The length
599 of a de-quoted string can be no longer than the original, since escaping always
600 turns n characters into 1 character.
602 Argument: pointer to the pointer to the first character, which gets updated
603 Returns: the new string
607 string_dequote(const uschar ** sptr)
609 const uschar * s = * sptr;
612 /* First find the end of the string */
615 while (*s && !isspace(*s)) s++;
619 while (*s && *s != '\"')
621 if (*s == '\\') (void)string_interpret_escape(&s);
627 /* Get enough store to copy into */
629 t = yield = store_get(s - *sptr + 1, is_tainted(*sptr));
635 while (*s && !isspace(*s)) *t++ = *s++;
639 while (*s && *s != '\"')
641 *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
647 /* Update the pointer and return the terminated copy */
653 #endif /* COMPILE_UTILITY */
657 /*************************************************
658 * Format a string and save it *
659 *************************************************/
661 /* The formatting is done by string_vformat, which checks the length of
662 everything. Taint is taken from the worst of the arguments.
665 format a printf() format - deliberately char * rather than uschar *
666 because it will most usually be a literal string
667 func caller, for debug
668 line caller, for debug
669 ... arguments for format
671 Returns: pointer to fresh piece of store containing sprintf'ed string
675 string_sprintf_trc(const char * format, const uschar * func, unsigned line, ...)
677 #ifdef COMPILE_UTILITY
678 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
679 gstring gs = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
684 unsigned flags = SVFMT_REBUFFER|SVFMT_EXTEND;
689 g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
694 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
695 "string_sprintf expansion was longer than %d; format string was (%s)\n"
696 " called from %s %d\n",
697 STRING_SPRINTF_BUFFER_SIZE, format, func, line);
699 #ifdef COMPILE_UTILITY
700 return string_copyn(g->s, g->ptr);
702 gstring_release_unused(g);
703 return string_from_gstring(g);
709 /*************************************************
710 * Case-independent strncmp() function *
711 *************************************************/
717 n number of characters to compare
719 Returns: < 0, = 0, or > 0, according to the comparison
723 strncmpic(const uschar * s, const uschar * t, int n)
727 int c = tolower(*s++) - tolower(*t++);
734 /*************************************************
735 * Case-independent strcmp() function *
736 *************************************************/
743 Returns: < 0, = 0, or > 0, according to the comparison
747 strcmpic(const uschar * s, const uschar * t)
751 int c = tolower(*s++) - tolower(*t++);
752 if (c != 0) return c;
758 /*************************************************
759 * Case-independent strstr() function *
760 *************************************************/
762 /* The third argument specifies whether whitespace is required
763 to follow the matched string.
767 t substring to search for
768 space_follows if TRUE, match only if whitespace follows
770 Returns: pointer to substring in string, or NULL if not found
774 strstric_c(const uschar * s, const uschar * t, BOOL space_follows)
776 const uschar * p = t;
777 const uschar * yield = NULL;
778 int cl = tolower(*p);
779 int cu = toupper(*p);
783 if (*s == cl || *s == cu)
785 if (!yield) yield = s;
788 if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
809 strstric(uschar * s, uschar * t, BOOL space_follows)
811 return US strstric_c(s, t, space_follows);
815 #ifdef COMPILE_UTILITY
816 /* Dummy version for this function; it should never be called */
818 gstring_grow(gstring * g, int count)
826 #ifndef COMPILE_UTILITY
827 /*************************************************
828 * Get next string from separated list *
829 *************************************************/
831 /* Leading and trailing space is removed from each item. The separator in the
832 list is controlled by the int pointed to by the separator argument as follows:
834 If the value is > 0 it is used as the separator. This is typically used for
835 sublists such as slash-separated options. The value is always a printing
838 (If the value is actually > UCHAR_MAX there is only one item in the list.
839 This is used for some cases when called via functions that sometimes
840 plough through lists, and sometimes are given single items.)
842 If the value is <= 0, the string is inspected for a leading <x, where x is an
843 ispunct() or an iscntrl() character. If found, x is used as the separator. If
846 (a) if separator == 0, ':' is used
847 (b) if separator <0, -separator is used
849 In all cases the value of the separator that is used is written back to the
850 int so that it is used on subsequent calls as we progress through the list.
852 A literal ispunct() separator can be represented in an item by doubling, but
853 there is no way to include an iscntrl() separator as part of the data.
856 listptr points to a pointer to the current start of the list; the
857 pointer gets updated to point after the end of the next item
858 separator a pointer to the separator character in an int (see above)
859 buffer where to put a copy of the next string in the list; or
860 NULL if the next string is returned in new memory
861 Note that if the list is tainted then a provided buffer must be
862 also (else we trap, with a message referencing the callsite).
863 If we do the allocation, taint is handled there.
864 buflen when buffer is not NULL, the size of buffer; otherwise ignored
866 func caller, for debug
867 line caller, for debug
869 Returns: pointer to buffer, containing the next substring,
870 or NULL if no more substrings
874 string_nextinlist_trc(const uschar ** listptr, int * separator, uschar * buffer,
875 int buflen, const uschar * func, int line)
877 int sep = *separator;
878 const uschar * s = *listptr;
883 /* This allows for a fixed specified separator to be an iscntrl() character,
884 but at the time of implementation, this is never the case. However, it's best
885 to be conservative. */
887 while (isspace(*s) && *s != sep) s++;
889 /* A change of separator is permitted, so look for a leading '<' followed by an
890 allowed character. */
894 if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
898 while (isspace(*s) && *s != sep) s++;
901 sep = sep ? -sep : ':';
905 /* An empty string has no list elements */
907 if (!*s) return NULL;
909 /* Note whether whether or not the separator is an iscntrl() character. */
911 sep_is_special = iscntrl(sep);
913 /* Handle the case when a buffer is provided. */
918 if (is_tainted(s) && !is_tainted(buffer))
919 die_tainted(US"string_nextinlist", func, line);
922 if (*s == sep && (*(++s) != sep || sep_is_special)) break;
923 if (p < buflen - 1) buffer[p++] = *s;
925 while (p > 0 && isspace(buffer[p-1])) p--;
929 /* Handle the case when a buffer is not provided. */
935 /* We know that *s != 0 at this point. However, it might be pointing to a
936 separator, which could indicate an empty string, or (if an ispunct()
937 character) could be doubled to indicate a separator character as data at the
938 start of a string. Avoid getting working memory for an empty item. */
941 if (*++s != sep || sep_is_special)
944 return string_copy(US"");
947 /* Not an empty string; the first character is guaranteed to be a data
953 for (ss = s + 1; *ss && *ss != sep; ) ss++;
954 g = string_catn(g, s, ss-s);
956 if (!*s || *++s != sep || sep_is_special) break;
959 /* Trim trailing spaces from the returned string */
961 /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
962 while ( g->ptr > 0 && isspace(g->s[g->ptr-1])
963 && (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
965 buffer = string_from_gstring(g);
966 gstring_release_unused_trc(g, CCS func, line);
969 /* Update the current pointer and return the new string */
976 static const uschar *
977 Ustrnchr(const uschar * s, int c, unsigned * len)
982 if (!*s) return NULL;
995 /************************************************
996 * Add element to separated list *
997 ************************************************/
998 /* This function is used to build a list, returning an allocated null-terminated
999 growable string. The given element has any embedded separator characters
1002 Despite having the same growable-string interface as string_cat() the list is
1003 always returned null-terminated.
1006 list expanding-string for the list that is being built, or NULL
1007 if this is a new list that has no contents yet
1008 sep list separator character
1009 ele new element to be appended to the list
1011 Returns: pointer to the start of the list, changed if copied for expansion.
1015 string_append_listele(gstring * list, uschar sep, const uschar * ele)
1019 if (list && list->ptr)
1020 list = string_catn(list, &sep, 1);
1022 while((sp = Ustrchr(ele, sep)))
1024 list = string_catn(list, ele, sp-ele+1);
1025 list = string_catn(list, &sep, 1);
1028 list = string_cat(list, ele);
1029 (void) string_from_gstring(list);
1035 string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
1040 if (list && list->ptr)
1041 list = string_catn(list, &sep, 1);
1043 while((sp = Ustrnchr(ele, sep, &len)))
1045 list = string_catn(list, ele, sp-ele+1);
1046 list = string_catn(list, &sep, 1);
1050 list = string_catn(list, ele, len);
1051 (void) string_from_gstring(list);
1057 /* A slightly-bogus listmaker utility; the separator is a string so
1058 can be multiple chars - there is no checking for the element content
1059 containing any of the separator. */
1062 string_append2_listele_n(gstring * list, const uschar * sepstr,
1063 const uschar * ele, unsigned len)
1065 if (list && list->ptr)
1066 list = string_cat(list, sepstr);
1068 list = string_catn(list, ele, len);
1069 (void) string_from_gstring(list);
1075 /************************************************/
1076 /* Add more space to a growable-string. The caller should check
1077 first if growth is required. The gstring struct is modified on
1078 return; specifically, the string-base-pointer may have been changed.
1081 g the growable-string
1082 count amount needed for g->ptr to increase by
1086 gstring_grow(gstring * g, int count)
1089 int oldsize = g->size;
1090 BOOL tainted = is_tainted(g->s);
1092 /* Mostly, string_cat() is used to build small strings of a few hundred
1093 characters at most. There are times, however, when the strings are very much
1094 longer (for example, a lookup that returns a vast number of alias addresses).
1095 To try to keep things reasonable, we use increments whose size depends on the
1096 existing length of the string. */
1098 unsigned inc = oldsize < 4096 ? 127 : 1023;
1100 if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
1101 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1102 "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
1104 if (count <= 0) return;
1106 if (count >= INT_MAX/2 - g->ptr)
1107 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1108 "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
1110 g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
1112 /* Try to extend an existing allocation. If the result of calling
1113 store_extend() is false, either there isn't room in the current memory block,
1114 or this string is not the top item on the dynamic store stack. We then have
1115 to get a new chunk of store and copy the old string. When building large
1116 strings, it is helpful to call store_release() on the old string, to release
1117 memory blocks that have become empty. (The block will be freed if the string
1118 is at its start.) However, we can do this only if we know that the old string
1119 was the last item on the dynamic memory stack. This is the case if it matches
1122 if (!store_extend(g->s, tainted, oldsize, g->size))
1123 g->s = store_newblock(g->s, tainted, g->size, p);
1128 /*************************************************
1129 * Add chars to string *
1130 *************************************************/
1131 /* This function is used when building up strings of unknown length. Room is
1132 always left for a terminating zero to be added to the string that is being
1133 built. This function does not require the string that is being added to be NUL
1134 terminated, because the number of characters to add is given explicitly. It is
1135 sometimes called to extract parts of other strings.
1138 g growable-string that is being built, or NULL if not assigned yet
1139 s points to characters to add
1140 count count of characters to add; must not exceed the length of s, if s
1143 Returns: growable string, changed if copied for expansion.
1144 Note that a NUL is not added, though space is left for one. This is
1145 because string_cat() is often called multiple times to build up a
1146 string - there's no point adding the NUL till the end.
1147 NULL is a possible return.
1150 /* coverity[+alloc] */
1153 string_catn(gstring * g, const uschar *s, int count)
1156 BOOL srctaint = is_tainted(s);
1159 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1160 "internal error in string_catn (count %d)", count);
1161 if (count == 0) return g;
1165 unsigned inc = count < 4096 ? 127 : 1023;
1166 unsigned size = ((count + inc) & ~inc) + 1; /* round up requested count */
1167 g = string_get_tainted(size, srctaint);
1169 else if (srctaint && !is_tainted(g->s))
1170 gstring_rebuffer(g);
1172 if (g->ptr < 0 || g->ptr > g->size)
1173 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1174 "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
1177 if (count >= g->size - p)
1178 gstring_grow(g, count);
1180 /* Because we always specify the exact number of characters to copy, we can
1181 use memcpy(), which is likely to be more efficient than strncopy() because the
1182 latter has to check for zero bytes. */
1184 memcpy(g->s + p, s, count);
1191 string_cat(gstring * g, const uschar * s)
1193 return string_catn(g, s, Ustrlen(s));
1198 /*************************************************
1199 * Append strings to another string *
1200 *************************************************/
1202 /* This function can be used to build a string from many other strings.
1203 It calls string_cat() to do the dirty work.
1206 g growable-string that is being built, or NULL if not yet assigned
1207 count the number of strings to append
1208 ... "count" uschar* arguments, which must be valid zero-terminated
1211 Returns: growable string, changed if copied for expansion.
1212 The string is not zero-terminated - see string_cat() above.
1215 __inline__ gstring *
1216 string_append(gstring * g, int count, ...)
1220 va_start(ap, count);
1223 uschar * t = va_arg(ap, uschar *);
1224 g = string_cat(g, t);
1234 /*************************************************
1235 * Format a string with length checks *
1236 *************************************************/
1238 /* This function is used to format a string with checking of the length of the
1239 output for all conversions. It protects Exim from absent-mindedness when
1240 calling functions like debug_printf and string_sprintf, and elsewhere. There
1241 are two different entry points to what is actually the same function, depending
1242 on whether the variable length list of data arguments are given explicitly or
1245 The formats are the usual printf() ones, with some omissions (never used) and
1246 three additions for strings: %S forces lower case, %T forces upper case, and
1247 %#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
1248 (useful in debugging). There is also the addition of %D and %M, which insert
1249 the date in the form used for datestamped log files.
1252 buffer a buffer in which to put the formatted string
1253 buflen the length of the buffer
1254 format the format string - deliberately char * and not uschar *
1255 ... or ap variable list of supplementary arguments
1257 Returns: TRUE if the result fitted in the buffer
1261 string_format_trc(uschar * buffer, int buflen,
1262 const uschar * func, unsigned line, const char * format, ...)
1264 gstring g = { .size = buflen, .ptr = 0, .s = buffer }, * gp;
1266 va_start(ap, format);
1267 gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1277 /* Build or append to a growing-string, sprintf-style.
1281 func called-from function name, for debug
1282 line called-from file line number, for debug
1283 limit maximum string size
1285 format printf-like format string
1286 ap variable-args pointer
1289 SVFMT_EXTEND buffer can be created or exteded as needed
1290 SVFMT_REBUFFER buffer can be recopied to tainted mem as needed
1291 SVFMT_TAINT_NOCHK do not check inputs for taint
1293 If the "extend" flag is true, the string passed in can be NULL,
1294 empty, or non-empty. Growing is subject to an overall limit given
1295 by the limit argument.
1297 If the "extend" flag is false, the string passed in may not be NULL,
1298 will not be grown, and is usable in the original place after return.
1299 The return value can be NULL to signify overflow.
1301 Returns the possibly-new (if copy for growth or taint-handling was needed)
1302 string, not nul-terminated.
1306 string_vformat_trc(gstring * g, const uschar * func, unsigned line,
1307 unsigned size_limit, unsigned flags, const char * format, va_list ap)
1309 enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
1311 int width, precision, off, lim, need;
1312 const char * fp = format; /* Deliberately not unsigned */
1313 BOOL dest_tainted = FALSE;
1315 string_datestamp_offset = -1; /* Datestamp not inserted */
1316 string_datestamp_length = 0; /* Datestamp not inserted */
1317 string_datestamp_type = 0; /* Datestamp not inserted */
1319 #ifdef COMPILE_UTILITY
1320 assert(!(flags & SVFMT_EXTEND));
1324 /* Ensure we have a string, to save on checking later */
1325 if (!g) g = string_get(16);
1326 else if (!(flags & SVFMT_TAINT_NOCHK)) dest_tainted = is_tainted(g->s);
1328 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(format))
1330 #ifndef MACRO_PREDEF
1331 if (!(flags & SVFMT_REBUFFER))
1332 die_tainted(US"string_vformat", func, line);
1334 gstring_rebuffer(g);
1335 dest_tainted = TRUE;
1337 #endif /*!COMPILE_UTILITY*/
1339 lim = g->size - 1; /* leave one for a nul */
1340 off = g->ptr; /* remember initial offset in gstring */
1342 /* Scan the format and handle the insertions */
1346 int length = L_NORMAL;
1349 const char *null = "NULL"; /* ) These variables */
1350 const char *item_start, *s; /* ) are deliberately */
1351 char newformat[16]; /* ) not unsigned */
1352 char * gp = CS g->s + g->ptr; /* ) */
1354 /* Non-% characters just get copied verbatim */
1358 /* Avoid string_copyn() due to COMPILE_UTILITY */
1359 if ((need = g->ptr + 1) > lim)
1361 if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
1365 g->s[g->ptr++] = (uschar) *fp++;
1369 /* Deal with % characters. Pick off the width and precision, for checking
1370 strings, skipping over the flag and modifier characters. */
1373 width = precision = -1;
1375 if (strchr("-+ #0", *(++fp)) != NULL)
1377 if (*fp == '#') null = "";
1381 if (isdigit((uschar)*fp))
1383 width = *fp++ - '0';
1384 while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
1386 else if (*fp == '*')
1388 width = va_arg(ap, int);
1395 precision = va_arg(ap, int);
1399 for (precision = 0; isdigit((uschar)*fp); fp++)
1400 precision = precision*10 + *fp - '0';
1402 /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
1405 { fp++; length = L_SHORT; }
1406 else if (*fp == 'L')
1407 { fp++; length = L_LONGDOUBLE; }
1408 else if (*fp == 'l')
1410 { fp += 2; length = L_LONGLONG; }
1412 { fp++; length = L_LONG; }
1413 else if (*fp == 'z')
1414 { fp++; length = L_SIZE; }
1416 /* Handle each specific format type. */
1421 nptr = va_arg(ap, int *);
1422 *nptr = g->ptr - off;
1430 width = length > L_LONG ? 24 : 12;
1431 if ((need = g->ptr + width) > lim)
1433 if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
1434 gstring_grow(g, width);
1436 gp = CS g->s + g->ptr;
1438 strncpy(newformat, item_start, fp - item_start);
1439 newformat[fp - item_start] = 0;
1441 /* Short int is promoted to int when passing through ..., so we must use
1442 int for va_arg(). */
1448 g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
1450 g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
1452 g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
1454 g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
1461 if ((need = g->ptr + 24) > lim)
1463 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1464 gstring_grow(g, 24);
1466 gp = CS g->s + g->ptr;
1468 /* sprintf() saying "(nil)" for a null pointer seems unreliable.
1469 Handle it explicitly. */
1470 if ((ptr = va_arg(ap, void *)))
1472 strncpy(newformat, item_start, fp - item_start);
1473 newformat[fp - item_start] = 0;
1474 g->ptr += sprintf(gp, newformat, ptr);
1477 g->ptr += sprintf(gp, "(nil)");
1481 /* %f format is inherently insecure if the numbers that it may be
1482 handed are unknown (e.g. 1e300). However, in Exim, %f is used for
1483 printing load averages, and these are actually stored as integers
1484 (load average * 1000) so the size of the numbers is constrained.
1485 It is also used for formatting sending rates, where the simplicity
1486 of the format prevents overflow. */
1493 if (precision < 0) precision = 6;
1494 if ((need = g->ptr + precision + 8) > lim)
1496 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1497 gstring_grow(g, precision+8);
1499 gp = CS g->s + g->ptr;
1501 strncpy(newformat, item_start, fp - item_start);
1502 newformat[fp-item_start] = 0;
1503 if (length == L_LONGDOUBLE)
1504 g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
1506 g->ptr += sprintf(gp, newformat, va_arg(ap, double));
1512 if ((need = g->ptr + 1) > lim)
1514 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1518 g->s[g->ptr++] = (uschar) '%';
1522 if ((need = g->ptr + 1) > lim)
1524 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1528 g->s[g->ptr++] = (uschar) va_arg(ap, int);
1531 case 'D': /* Insert daily datestamp for log file names */
1532 s = CS tod_stamp(tod_log_datestamp_daily);
1533 string_datestamp_offset = g->ptr; /* Passed back via global */
1534 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1535 string_datestamp_type = tod_log_datestamp_daily;
1536 slen = string_datestamp_length;
1539 case 'M': /* Insert monthly datestamp for log file names */
1540 s = CS tod_stamp(tod_log_datestamp_monthly);
1541 string_datestamp_offset = g->ptr; /* Passed back via global */
1542 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1543 string_datestamp_type = tod_log_datestamp_monthly;
1544 slen = string_datestamp_length;
1548 case 'S': /* Forces *lower* case */
1549 case 'T': /* Forces *upper* case */
1550 s = va_arg(ap, char *);
1555 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(s))
1556 if (flags & SVFMT_REBUFFER)
1558 gstring_rebuffer(g);
1559 gp = CS g->s + g->ptr;
1560 dest_tainted = TRUE;
1562 #ifndef MACRO_PREDEF
1564 die_tainted(US"string_vformat", func, line);
1567 INSERT_STRING: /* Come to from %D or %M above */
1570 BOOL truncated = FALSE;
1572 /* If the width is specified, check that there is a precision
1573 set; if not, set it to the width to prevent overruns of long
1578 if (precision < 0) precision = width;
1581 /* If a width is not specified and the precision is specified, set
1582 the width to the precision, or the string length if shorted. */
1584 else if (precision >= 0)
1585 width = precision < slen ? precision : slen;
1587 /* If neither are specified, set them both to the string length. */
1590 width = precision = slen;
1592 if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
1594 if (g->ptr == lim) return NULL;
1598 width = precision = lim - g->ptr - 1;
1599 if (width < 0) width = 0;
1600 if (precision < 0) precision = 0;
1603 else if (need > lim)
1605 gstring_grow(g, width);
1607 gp = CS g->s + g->ptr;
1610 g->ptr += sprintf(gp, "%*.*s", width, precision, s);
1612 while (*gp) { *gp = tolower(*gp); gp++; }
1613 else if (fp[-1] == 'T')
1614 while (*gp) { *gp = toupper(*gp); gp++; }
1616 if (truncated) return NULL;
1620 /* Some things are never used in Exim; also catches junk. */
1623 strncpy(newformat, item_start, fp - item_start);
1624 newformat[fp-item_start] = 0;
1625 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
1626 "in \"%s\" in \"%s\"", newformat, format);
1631 if (g->ptr > g->size)
1632 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1633 "string_format internal error: caller %s %d", func, line);
1639 #ifndef COMPILE_UTILITY
1640 /*************************************************
1641 * Generate an "open failed" message *
1642 *************************************************/
1644 /* This function creates a message after failure to open a file. It includes a
1645 string supplied as data, adds the strerror() text, and if the failure was
1646 "Permission denied", reads and includes the euid and egid.
1649 format a text format string - deliberately not uschar *
1650 func caller, for debug
1651 line caller, for debug
1652 ... arguments for the format string
1654 Returns: a message, in dynamic store
1658 string_open_failed_trc(const uschar * func, unsigned line,
1659 const char * format, ...)
1662 gstring * g = string_get(1024);
1664 g = string_catn(g, US"failed to open ", 15);
1666 /* Use the checked formatting routine to ensure that the buffer
1667 does not overflow. It should not, since this is called only for internally
1668 specified messages. If it does, the message just gets truncated, and there
1669 doesn't seem much we can do about that. */
1671 va_start(ap, format);
1672 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1673 SVFMT_REBUFFER, format, ap);
1676 g = string_catn(g, US": ", 2);
1677 g = string_cat(g, US strerror(errno));
1679 if (errno == EACCES)
1681 int save_errno = errno;
1682 g = string_fmt_append(g, " (euid=%ld egid=%ld)",
1683 (long int)geteuid(), (long int)getegid());
1686 gstring_release_unused(g);
1687 return string_from_gstring(g);
1694 /* qsort(3), currently used to sort the environment variables
1695 for -bP environment output, needs a function to compare two pointers to string
1696 pointers. Here it is. */
1699 string_compare_by_pointer(const void *a, const void *b)
1701 return Ustrcmp(* CUSS a, * CUSS b);
1703 #endif /* COMPILE_UTILITY */
1708 /*************************************************
1709 **************************************************
1710 * Stand-alone test program *
1711 **************************************************
1712 *************************************************/
1719 printf("Testing is_ip_address\n");
1722 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1725 buffer[Ustrlen(buffer) - 1] = 0;
1726 printf("%d\n", string_is_ip_address(buffer, NULL));
1727 printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
1730 printf("Testing string_nextinlist\n");
1732 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1734 uschar *list = buffer;
1742 sep1 = sep2 = list[1];
1749 uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
1750 uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
1752 if (item1 == NULL && item2 == NULL) break;
1753 if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
1755 printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
1756 (item1 == NULL)? "NULL" : CS item1,
1757 (item2 == NULL)? "NULL" : CS item2);
1760 else printf(" \"%s\"\n", CS item1);
1764 /* This is a horrible lash-up, but it serves its purpose. */
1766 printf("Testing string_format\n");
1768 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1771 long long llargs[3];
1781 buffer[Ustrlen(buffer) - 1] = 0;
1783 s = Ustrchr(buffer, ',');
1784 if (s == NULL) s = buffer + Ustrlen(buffer);
1786 Ustrncpy(format, buffer, s - buffer);
1787 format[s-buffer] = 0;
1794 s = Ustrchr(ss, ',');
1795 if (s == NULL) s = ss + Ustrlen(ss);
1799 Ustrncpy(outbuf, ss, s-ss);
1800 if (Ustrchr(outbuf, '.') != NULL)
1803 dargs[n++] = Ustrtod(outbuf, NULL);
1805 else if (Ustrstr(outbuf, "ll") != NULL)
1808 llargs[n++] = strtoull(CS outbuf, NULL, 10);
1812 args[n++] = (void *)Uatoi(outbuf);
1816 else if (Ustrcmp(ss, "*") == 0)
1818 args[n++] = (void *)(&count);
1824 uschar *sss = malloc(s - ss + 1);
1825 Ustrncpy(sss, ss, s-ss);
1832 if (!dflag && !llflag)
1833 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1834 args[0], args[1], args[2])? "True" : "False");
1837 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1838 dargs[0], dargs[1], dargs[2])? "True" : "False");
1840 else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1841 llargs[0], llargs[1], llargs[2])? "True" : "False");
1843 printf("%s\n", CS outbuf);
1844 if (countset) printf("count=%d\n", count);
1851 /* End of string.c */