*************************************************/
/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* Miscellaneous string-handling functions. Some are not required for
uschar *
string_format_size(int size, uschar *buffer)
{
-if (size == 0) Ustrcpy(buffer, " ");
+if (size == 0) Ustrcpy(buffer, US" ");
else if (size < 1024) sprintf(CS buffer, "%5d", size);
else if (size < 10*1024)
sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
Arguments:
pp points a pointer to the initiating "\" in the string;
the pointer gets updated to point to the final character
+ If the backslash is the last character in the string, it
+ is not interpreted.
Returns: the value of the character escape
*/
int ch;
const uschar *p = *pp;
ch = *(++p);
+if (ch == '\0') return **pp;
if (isdigit(ch) && ch != '8' && ch != '9')
{
ch -= '0';
/* This function is called for critical strings. It checks for any
non-printing characters, and if any are found, it makes a new copy
of the string with suitable escape sequences. It is most often called by the
-macro string_printing(), which sets allow_tab TRUE.
+macro string_printing(), which sets flags to 0.
Arguments:
s the input string
- allow_tab TRUE to allow tab as a printing character
+ flags Bit 0: convert tabs. Bit 1: convert spaces.
Returns: string with non-printers encoded as printing sequences
*/
const uschar *
-string_printing2(const uschar *s, BOOL allow_tab)
+string_printing2(const uschar *s, int flags)
{
int nonprintcount = 0;
int length = 0;
while (*t != 0)
{
int c = *t++;
- if (!mac_isprint(c) || (!allow_tab && c == '\t')) nonprintcount++;
+ if ( !mac_isprint(c)
+ || flags & SP_TAB && c == '\t'
+ || flags & SP_SPACE && c == ' '
+ ) nonprintcount++;
length++;
}
/* Get a new block of store guaranteed big enough to hold the
expanded string. */
-ss = store_get(length + nonprintcount * 3 + 1);
+tt = ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s));
/* Copy everything, escaping non printers. */
-t = s;
-tt = ss;
-
-while (*t != 0)
+for (t = s; *t; )
{
int c = *t;
- if (mac_isprint(c) && (allow_tab || c != '\t')) *tt++ = *t++; else
+ if ( mac_isprint(c)
+ && (!(flags & SP_TAB) || c != '\t')
+ && (!(flags & SP_SPACE) || c != ' ')
+ )
+ *tt++ = *t++;
+ else
{
*tt++ = '\\';
switch (*t)
if (!p) return s;
len = Ustrlen(s) + 1;
-ss = store_get(len);
+ss = store_get(len, is_tainted(s));
q = ss;
off = p - s;
+#if (defined(HAVE_LOCAL_SCAN) || defined(EXPAND_DLFUNC)) \
+ && !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
/*************************************************
* Copy and save string *
*************************************************/
-/* This function assumes that memcpy() is faster than strcpy().
-
+/*
Argument: string to copy
-Returns: copy of string in new store
+Returns: copy of string in new store with the same taint status
*/
uschar *
-string_copy(const uschar *s)
+string_copy_function(const uschar *s)
{
-int len = Ustrlen(s) + 1;
-uschar *ss = store_get(len);
-memcpy(ss, s, len);
-return ss;
+return string_copy_taint(s, is_tainted(s));
}
-
-
-/*************************************************
-* Copy and save string in malloc'd store *
-*************************************************/
-
/* This function assumes that memcpy() is faster than strcpy().
-
-Argument: string to copy
-Returns: copy of string in new store
+As above, but explicitly specifying the result taint status
*/
uschar *
-string_copy_malloc(const uschar *s)
+string_copy_taint_function(const uschar * s, BOOL tainted)
{
int len = Ustrlen(s) + 1;
-uschar *ss = store_malloc(len);
+uschar *ss = store_get(len, tainted);
memcpy(ss, s, len);
return ss;
}
-/*************************************************
-* Copy, lowercase and save string *
-*************************************************/
-
-/*
-Argument: string to copy
-Returns: copy of string in new store, with letters lowercased
-*/
-
-uschar *
-string_copylc(const uschar *s)
-{
-uschar *ss = store_get(Ustrlen(s) + 1);
-uschar *p = ss;
-while (*s != 0) *p++ = tolower(*s++);
-*p = 0;
-return ss;
-}
-
-
-
/*************************************************
* Copy and save string, given length *
*************************************************/
*/
uschar *
-string_copyn(const uschar *s, int n)
+string_copyn_function(const uschar *s, int n)
{
-uschar *ss = store_get(n + 1);
+uschar *ss = store_get(n + 1, is_tainted(s));
Ustrncpy(ss, s, n);
ss[n] = 0;
return ss;
}
+#endif
/*************************************************
-* Copy, lowercase, and save string, given length *
+* Copy and save string in malloc'd store *
*************************************************/
-/* It is assumed the data contains no zeros. A zero is added
-onto the end.
-
-Arguments:
- s string to copy
- n number of characters
+/* This function assumes that memcpy() is faster than strcpy().
-Returns: copy of string in new store, with letters lowercased
+Argument: string to copy
+Returns: copy of string in new store
*/
uschar *
-string_copynlc(uschar *s, int n)
+string_copy_malloc(const uschar *s)
{
-uschar *ss = store_get(n + 1);
-uschar *p = ss;
-while (n-- > 0) *p++ = tolower(*s++);
-*p = 0;
+int len = Ustrlen(s) + 1;
+uschar *ss = store_malloc(len);
+memcpy(ss, s, len);
return ss;
}
string_copy_dnsdomain(uschar *s)
{
uschar *yield;
-uschar *ss = yield = store_get(Ustrlen(s) + 1);
+uschar *ss = yield = store_get(Ustrlen(s) + 1, TRUE); /* always treat as tainted */
while (*s != 0)
{
if (*s != '\\')
- {
*ss++ = *s++;
- }
else if (isdigit(s[1]))
{
*ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
s += 4;
}
else if (*(++s) != 0)
- {
*ss++ = *s++;
- }
}
*ss = 0;
/* Get enough store to copy into */
-t = yield = store_get(s - *sptr + 1);
+t = yield = store_get(s - *sptr + 1, is_tainted(*sptr));
s = *sptr;
/* Do the copy */
if (*s != '\"')
- {
while (*s != 0 && !isspace(*s)) *t++ = *s++;
- }
else
{
s++;
while (*s != 0 && *s != '\"')
{
- if (*s == '\\') *t++ = string_interpret_escape(&s);
- else *t++ = *s;
+ *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
s++;
}
- if (*s != 0) s++;
+ if (*s) s++;
}
/* Update the pointer and return the terminated copy */
*************************************************/
/* The formatting is done by string_vformat, which checks the length of
-everything.
+everything. Taint is taken from the worst of the arguments.
Arguments:
format a printf() format - deliberately char * rather than uschar *
*/
uschar *
-string_sprintf(const char *format, ...)
+string_sprintf_trc(const char *format, const uschar * func, unsigned line, ...)
{
#ifdef COMPILE_UTILITY
uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
-gstring g = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
-gstring * gp = &g;
+gstring gs = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
+gstring * g = &gs;
+unsigned flags = 0;
#else
-gstring * gp = string_get(STRING_SPRINTF_BUFFER_SIZE);
+gstring * g = NULL;
+unsigned flags = SVFMT_REBUFFER|SVFMT_EXTEND;
#endif
-gstring * gp2;
-va_list ap;
-va_start(ap, format);
-gp2 = string_vformat(gp, FALSE, format, ap);
-gp->s[gp->ptr] = '\0';
+va_list ap;
+va_start(ap, line);
+g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
+ flags, format, ap);
va_end(ap);
-if (!gp2)
+if (!g)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"string_sprintf expansion was longer than %d; format string was (%s)\n"
- "expansion started '%.32s'",
- gp->size, format, gp->s);
+ " called from %s %d\n",
+ STRING_SPRINTF_BUFFER_SIZE, format, func, line);
#ifdef COMPILE_UTILITY
-return string_copy(gp->s);
+return string_copyn(g->s, g->ptr);
#else
-gstring_reset_unused(gp);
-return gp->s;
+gstring_release_unused(g);
+return string_from_gstring(g);
#endif
}
#ifdef COMPILE_UTILITY
/* Dummy version for this function; it should never be called */
static void
-gstring_grow(gstring * g, int p, int count)
+gstring_grow(gstring * g, int count)
{
assert(FALSE);
}
separator a pointer to the separator character in an int (see above)
buffer where to put a copy of the next string in the list; or
NULL if the next string is returned in new memory
+ Note that if the list is tainted then a provided buffer must be
+ also (else we trap, with a message referencing the callsite).
+ If we do the allocation, taint is handled there.
buflen when buffer is not NULL, the size of buffer; otherwise ignored
Returns: pointer to buffer, containing the next substring,
*/
uschar *
-string_nextinlist(const uschar **listptr, int *separator, uschar *buffer, int buflen)
+string_nextinlist_trc(const uschar **listptr, int *separator, uschar *buffer, int buflen,
+ const uschar * func, int line)
{
int sep = *separator;
const uschar *s = *listptr;
if (buffer)
{
int p = 0;
+ if (is_tainted(s) && !is_tainted(buffer))
+ die_tainted(US"string_nextinlist", func, line);
for (; *s; s++)
{
if (*s == sep && (*(++s) != sep || sep_is_special)) break;
start of a string. Avoid getting working memory for an empty item. */
if (*s == sep)
- {
- s++;
- if (*s != sep || sep_is_special)
+ if (*++s != sep || sep_is_special)
{
*listptr = s;
return string_copy(US"");
}
- }
/* Not an empty string; the first character is guaranteed to be a data
character. */
s = ss;
if (!*s || *++s != sep || sep_is_special) break;
}
- while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--;
+ /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
+ while ( g->ptr > 0 && isspace(g->s[g->ptr-1])
+ && (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
+ g->ptr--;
buffer = string_from_gstring(g);
- gstring_reset_unused(g);
+ gstring_release_unused(g);
}
/* Update the current pointer and return the new string */
/************************************************/
-/* Create a growable-string with some preassigned space */
-
-gstring *
-string_get(unsigned size)
-{
-gstring * g = store_get(sizeof(gstring) + size);
-g->size = size;
-g->ptr = 0;
-g->s = US(g + 1);
-return g;
-}
-
-/* NUL-terminate the C string in the growable-string, and return it. */
-
-uschar *
-string_from_gstring(gstring * g)
-{
-if (!g) return NULL;
-g->s[g->ptr] = '\0';
-return g->s;
-}
-
-void
-gstring_reset_unused(gstring * g)
-{
-store_reset(g->s + (g->size = g->ptr + 1));
-}
-
-
-/* Add more space to a growable-string.
+/* Add more space to a growable-string. The caller should check
+first if growth is required. The gstring struct is modified on
+return; specifically, the string-base-pointer may have been changed.
Arguments:
g the growable-string
- p current end of data
- count amount to grow by
+ count amount needed for g->ptr to increase by
*/
static void
-gstring_grow(gstring * g, int p, int count)
+gstring_grow(gstring * g, int count)
{
+int p = g->ptr;
int oldsize = g->size;
+BOOL tainted = is_tainted(g->s);
/* Mostly, string_cat() is used to build small strings of a few hundred
characters at most. There are times, however, when the strings are very much
existing length of the string. */
unsigned inc = oldsize < 4096 ? 127 : 1023;
-g->size = ((p + count + inc) & ~inc) + 1;
+
+if (count <= 0) return;
+g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
/* Try to extend an existing allocation. If the result of calling
store_extend() is false, either there isn't room in the current memory block,
was the last item on the dynamic memory stack. This is the case if it matches
store_last_get. */
-if (!store_extend(g->s, oldsize, g->size))
- g->s = store_newblock(g->s, g->size, p);
+if (!store_extend(g->s, tainted, oldsize, g->size))
+ g->s = store_newblock(g->s, tainted, g->size, p);
}
string_catn(gstring * g, const uschar *s, int count)
{
int p;
+BOOL srctaint = is_tainted(s);
if (!g)
{
unsigned inc = count < 4096 ? 127 : 1023;
unsigned size = ((count + inc) & ~inc) + 1;
- g = string_get(size);
+ g = string_get_tainted(size, srctaint);
}
+else if (srctaint && !is_tainted(g->s))
+ gstring_rebuffer(g);
p = g->ptr;
if (p + count >= g->size)
- gstring_grow(g, p, count);
+ gstring_grow(g, count);
/* Because we always specify the exact number of characters to copy, we can
use memcpy(), which is likely to be more efficient than strncopy() because the
g->ptr = p + count;
return g;
}
-
-
+
+
gstring *
string_cat(gstring *string, const uschar *s)
{
*/
BOOL
-string_format(uschar * buffer, int buflen, const char * format, ...)
+string_format_trc(uschar * buffer, int buflen,
+ const uschar * func, unsigned line, const char * format, ...)
{
gstring g = { .size = buflen, .ptr = 0, .s = buffer }, *gp;
va_list ap;
va_start(ap, format);
-gp = string_vformat(&g, FALSE, format, ap);
+gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
+ 0, format, ap);
va_end(ap);
g.s[g.ptr] = '\0';
return !!gp;
+/* Build or append to a growing-string, sprintf-style.
-/* Bulid or append to a growing-string, sprintf-style.
-
-If the "extend" argument is true, the string passed in can be NULL,
-empty, or non-empty.
-
-If the "extend" argument is false, the string passed in may not be NULL,
+Arguments:
+ g a growable-string
+ func called-from function name, for debug
+ line called-from file line number, for debug
+ limit maximum string size
+ flags see below
+ format printf-like format string
+ ap variable-args pointer
+
+Flags:
+ SVFMT_EXTEND buffer can be created or exteded as needed
+ SVFMT_REBUFFER buffer can be recopied to tainted mem as needed
+ SVFMT_TAINT_NOCHK do not check inputs for taint
+
+If the "extend" flag is true, the string passed in can be NULL,
+empty, or non-empty. Growing is subject to an overall limit given
+by the limit argument.
+
+If the "extend" flag is false, the string passed in may not be NULL,
will not be grown, and is usable in the original place after return.
The return value can be NULL to signify overflow.
-Returns the possibly-new (if copy for growth was needed) string,
-not nul-terminated.
+Returns the possibly-new (if copy for growth or taint-handling was needed)
+string, not nul-terminated.
*/
gstring *
-string_vformat(gstring * g, BOOL extend, const char *format, va_list ap)
+string_vformat_trc(gstring * g, const uschar * func, unsigned line,
+ unsigned size_limit, unsigned flags, const char *format, va_list ap)
{
enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
-int width, precision, off, lim;
+int width, precision, off, lim, need;
const char * fp = format; /* Deliberately not unsigned */
+BOOL dest_tainted = FALSE;
string_datestamp_offset = -1; /* Datestamp not inserted */
string_datestamp_length = 0; /* Datestamp not inserted */
string_datestamp_type = 0; /* Datestamp not inserted */
#ifdef COMPILE_UTILITY
-assert(!extend);
+assert(!(flags & SVFMT_EXTEND));
assert(g);
#else
/* Ensure we have a string, to save on checking later */
if (!g) g = string_get(16);
+else if (!(flags & SVFMT_TAINT_NOCHK)) dest_tainted = is_tainted(g->s);
+
+if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(format))
+ {
+#ifndef MACRO_PREDEF
+ if (!(flags & SVFMT_REBUFFER))
+ die_tainted(US"string_vformat", func, line);
+#endif
+ gstring_rebuffer(g);
+ dest_tainted = TRUE;
+ }
#endif /*!COMPILE_UTILITY*/
lim = g->size - 1; /* leave one for a nul */
if (*fp != '%')
{
/* Avoid string_copyn() due to COMPILE_UTILITY */
- if (g->ptr >= lim - 1)
+ if ((need = g->ptr + 1) > lim)
{
- if (!extend) return NULL;
- gstring_grow(g, g->ptr, 1);
+ if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
+ gstring_grow(g, 1);
lim = g->size - 1;
}
g->s[g->ptr++] = (uschar) *fp++;
case 'x':
case 'X':
width = length > L_LONG ? 24 : 12;
- if (g->ptr >= lim - width)
+ if ((need = g->ptr + width) > lim)
{
- if (!extend) return NULL;
- gstring_grow(g, g->ptr, width);
+ if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
+ gstring_grow(g, width);
lim = g->size - 1;
gp = CS g->s + g->ptr;
}
case 'p':
{
void * ptr;
- if (g->ptr >= lim - 24)
+ if ((need = g->ptr + 24) > lim)
{
- if (!extend) return NULL;
- gstring_grow(g, g->ptr, 24);
+ if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+ gstring_grow(g, 24);
lim = g->size - 1;
gp = CS g->s + g->ptr;
}
case 'g':
case 'G':
if (precision < 0) precision = 6;
- if (g->ptr >= lim - precision - 8)
+ if ((need = g->ptr + precision + 8) > lim)
{
- if (!extend) return NULL;
- gstring_grow(g, g->ptr, precision+8);
+ if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+ gstring_grow(g, precision+8);
lim = g->size - 1;
gp = CS g->s + g->ptr;
}
/* String types */
case '%':
- if (g->ptr >= lim - 1)
+ if ((need = g->ptr + 1) > lim)
{
- if (!extend) return NULL;
- gstring_grow(g, g->ptr, 1);
+ if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+ gstring_grow(g, 1);
lim = g->size - 1;
}
g->s[g->ptr++] = (uschar) '%';
break;
case 'c':
- if (g->ptr >= lim - 1)
+ if ((need = g->ptr + 1) > lim)
{
- if (!extend) return NULL;
- gstring_grow(g, g->ptr, 1);
+ if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+ gstring_grow(g, 1);
lim = g->size - 1;
}
g->s[g->ptr++] = (uschar) va_arg(ap, int);
if (!s) s = null;
slen = Ustrlen(s);
+ if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(s))
+ if (flags & SVFMT_REBUFFER)
+ {
+ gstring_rebuffer(g);
+ gp = CS g->s + g->ptr;
+ dest_tainted = TRUE;
+ }
+#ifndef MACRO_PREDEF
+ else
+ die_tainted(US"string_vformat", func, line);
+#endif
+
INSERT_STRING: /* Come to from %D or %M above */
{
else
width = precision = slen;
- if (!extend)
+ if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
{
if (g->ptr == lim) return NULL;
- if (g->ptr >= lim - width)
+ if (need > lim)
{
truncated = TRUE;
width = precision = lim - g->ptr - 1;
if (precision < 0) precision = 0;
}
}
- else if (g->ptr >= lim - width)
+ else if (need > lim)
{
- gstring_grow(g, g->ptr, width - (lim - g->ptr));
+ gstring_grow(g, width);
lim = g->size - 1;
gp = CS g->s + g->ptr;
}
}
}
+if (g->ptr > g->size)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "string_format internal error: caller %s %d", func, line);
return g;
}
#ifndef COMPILE_UTILITY
-
-gstring *
-string_fmt_append(gstring * g, const char *format, ...)
-{
-va_list ap;
-va_start(ap, format);
-g = string_vformat(g, TRUE, format, ap);
-va_end(ap);
-return g;
-}
-
-
-
/*************************************************
* Generate an "open failed" message *
*************************************************/
"Permission denied", reads and includes the euid and egid.
Arguments:
- eno the value of errno after the failure
format a text format string - deliberately not uschar *
... arguments for the format string
*/
uschar *
-string_open_failed(int eno, const char *format, ...)
+string_open_failed_trc(const uschar * func, unsigned line,
+ const char *format, ...)
{
va_list ap;
gstring * g = string_get(1024);
doesn't seem much we can do about that. */
va_start(ap, format);
-(void) string_vformat(g, FALSE, format, ap);
-string_from_gstring(g);
-gstring_reset_unused(g);
+(void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
+ SVFMT_REBUFFER, format, ap);
va_end(ap);
-return eno == EACCES
- ? string_sprintf("%s: %s (euid=%ld egid=%ld)", g->s, strerror(eno),
- (long int)geteuid(), (long int)getegid())
- : string_sprintf("%s: %s", g->s, strerror(eno));
+g = string_catn(g, US": ", 2);
+g = string_cat(g, US strerror(errno));
+
+if (errno == EACCES)
+ {
+ int save_errno = errno;
+ g = string_fmt_append(g, " (euid=%ld egid=%ld)",
+ (long int)geteuid(), (long int)getegid());
+ errno = save_errno;
+ }
+gstring_release_unused(g);
+return string_from_gstring(g);
}
-#endif /* COMPILE_UTILITY */
-#ifndef COMPILE_UTILITY
/* qsort(3), currently used to sort the environment variables
for -bP environment output, needs a function to compare two pointers to string
pointers. Here it is. */
uschar buffer[256];
printf("Testing is_ip_address\n");
+store_init();
while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
{
git://git.exim.org / exim.git / blobdiff