1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Miscellaneous string-handling functions. Some are not required for
9 utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
15 static void gstring_rebuffer(gstring * g);
17 #ifndef COMPILE_UTILITY
18 /*************************************************
19 * Test for IP address *
20 *************************************************/
22 /* This used just to be a regular expression, but with IPv6 things are a bit
23 more complicated. If the address contains a colon, it is assumed to be a v6
24 address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
25 and maskptr is not NULL, its offset is placed there.
29 maskptr NULL if no mask is permitted to follow
30 otherwise, points to an int where the offset of '/' is placed
31 if there is no / followed by trailing digits, *maskptr is set 0
33 Returns: 0 if the string is not a textual representation of an IP address
34 4 if it is an IPv4 address
35 6 if it is an IPv6 address
39 string_is_ip_address(const uschar *s, int *maskptr)
43 /* If an optional mask is permitted, check for it. If found, pass back the
48 const uschar *ss = s + Ustrlen(s);
50 if (s != ss && isdigit(*(--ss)))
52 while (ss > s && isdigit(ss[-1])) ss--;
53 if (ss > s && *(--ss) == '/') *maskptr = ss - s;
57 /* A colon anywhere in the string => IPv6 address */
59 if (Ustrchr(s, ':') != NULL)
61 BOOL had_double_colon = FALSE;
66 /* An IPv6 address must start with hex digit or double colon. A single
69 if (*s == ':' && *(++s) != ':') return 0;
71 /* Now read up to 8 components consisting of up to 4 hex digits each. There
72 may be one and only one appearance of double colon, which implies any number
73 of binary zero bits. The number of preceding components is held in count. */
75 for (int count = 0; count < 8; count++)
77 /* If the end of the string is reached before reading 8 components, the
78 address is valid provided a double colon has been read. This also applies
79 if we hit the / that introduces a mask or the % that introduces the
80 interface specifier (scope id) of a link-local address. */
82 if (*s == 0 || *s == '%' || *s == '/') return had_double_colon ? yield : 0;
84 /* If a component starts with an additional colon, we have hit a double
85 colon. This is permitted to appear once only, and counts as at least
86 one component. The final component may be of this form. */
90 if (had_double_colon) return 0;
91 had_double_colon = TRUE;
96 /* If the remainder of the string contains a dot but no colons, we
97 can expect a trailing IPv4 address. This is valid if either there has
98 been no double-colon and this is the 7th component (with the IPv4 address
99 being the 7th & 8th components), OR if there has been a double-colon
100 and fewer than 6 components. */
102 if (Ustrchr(s, ':') == NULL && Ustrchr(s, '.') != NULL)
104 if ((!had_double_colon && count != 6) ||
105 (had_double_colon && count > 6)) return 0;
111 /* Check for at least one and not more than 4 hex digits for this
114 if (!isxdigit(*s++)) return 0;
115 if (isxdigit(*s) && isxdigit(*(++s)) && isxdigit(*(++s))) s++;
117 /* If the component is terminated by colon and there is more to
118 follow, skip over the colon. If there is no more to follow the address is
121 if (*s == ':' && *(++s) == 0) return 0;
124 /* If about to handle a trailing IPv4 address, drop through. Otherwise
125 all is well if we are at the end of the string or at the mask or at a percent
126 sign, which introduces the interface specifier (scope id) of a link local
130 return (*s == 0 || *s == '%' ||
131 (*s == '/' && maskptr != NULL && *maskptr != 0))? yield : 0;
134 /* Test for IPv4 address, which may be the tail-end of an IPv6 address. */
136 for (int i = 0; i < 4; i++)
141 if (i != 0 && *s++ != '.') return 0;
142 n = strtol(CCS s, CSS &end, 10);
143 if (n > 255 || n < 0 || end <= s || end > s+3) return 0;
147 return !*s || (*s == '/' && maskptr && *maskptr != 0) ? yield : 0;
149 #endif /* COMPILE_UTILITY */
152 /*************************************************
153 * Format message size *
154 *************************************************/
156 /* Convert a message size in bytes to printing form, rounding
157 according to the magnitude of the number. A value of zero causes
158 a string of spaces to be returned.
161 size the message size in bytes
162 buffer where to put the answer
164 Returns: pointer to the buffer
165 a string of exactly 5 characters is normally returned
169 string_format_size(int size, uschar *buffer)
171 if (size == 0) Ustrcpy(buffer, US" ");
172 else if (size < 1024) sprintf(CS buffer, "%5d", size);
173 else if (size < 10*1024)
174 sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
175 else if (size < 1024*1024)
176 sprintf(CS buffer, "%4dK", (size + 512)/1024);
177 else if (size < 10*1024*1024)
178 sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
180 sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
186 #ifndef COMPILE_UTILITY
187 /*************************************************
188 * Convert a number to base 62 format *
189 *************************************************/
191 /* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
192 BASE_62 is actually 36. Always return exactly 6 characters plus zero, in a
195 Argument: a long integer
196 Returns: pointer to base 62 string
200 string_base62(unsigned long int value)
202 static uschar yield[7];
203 uschar *p = yield + sizeof(yield) - 1;
207 *(--p) = base62_chars[value % BASE_62];
212 #endif /* COMPILE_UTILITY */
216 /*************************************************
217 * Interpret escape sequence *
218 *************************************************/
220 /* This function is called from several places where escape sequences are to be
221 interpreted in strings.
224 pp points a pointer to the initiating "\" in the string;
225 the pointer gets updated to point to the final character
226 Returns: the value of the character escape
230 string_interpret_escape(const uschar **pp)
232 #ifdef COMPILE_UTILITY
233 const uschar *hex_digits= CUS"0123456789abcdef";
236 const uschar *p = *pp;
238 if (isdigit(ch) && ch != '8' && ch != '9')
241 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
243 ch = ch * 8 + *(++p) - '0';
244 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
245 ch = ch * 8 + *(++p) - '0';
250 case 'b': ch = '\b'; break;
251 case 'f': ch = '\f'; break;
252 case 'n': ch = '\n'; break;
253 case 'r': ch = '\r'; break;
254 case 't': ch = '\t'; break;
255 case 'v': ch = '\v'; break;
261 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
262 if (isxdigit(p[1])) ch = ch * 16 +
263 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
273 #ifndef COMPILE_UTILITY
274 /*************************************************
275 * Ensure string is printable *
276 *************************************************/
278 /* This function is called for critical strings. It checks for any
279 non-printing characters, and if any are found, it makes a new copy
280 of the string with suitable escape sequences. It is most often called by the
281 macro string_printing(), which sets allow_tab TRUE.
285 allow_tab TRUE to allow tab as a printing character
287 Returns: string with non-printers encoded as printing sequences
291 string_printing2(const uschar *s, BOOL allow_tab)
293 int nonprintcount = 0;
301 if (!mac_isprint(c) || (!allow_tab && c == '\t')) nonprintcount++;
305 if (nonprintcount == 0) return s;
307 /* Get a new block of store guaranteed big enough to hold the
310 ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s));
312 /* Copy everything, escaping non printers. */
320 if (mac_isprint(c) && (allow_tab || c != '\t')) *tt++ = *t++; else
325 case '\n': *tt++ = 'n'; break;
326 case '\r': *tt++ = 'r'; break;
327 case '\b': *tt++ = 'b'; break;
328 case '\v': *tt++ = 'v'; break;
329 case '\f': *tt++ = 'f'; break;
330 case '\t': *tt++ = 't'; break;
331 default: sprintf(CS tt, "%03o", *t); tt += 3; break;
339 #endif /* COMPILE_UTILITY */
341 /*************************************************
342 * Undo printing escapes in string *
343 *************************************************/
345 /* This function is the reverse of string_printing2. It searches for
346 backslash characters and if any are found, it makes a new copy of the
347 string with escape sequences parsed. Otherwise it returns the original
353 Returns: string with printing escapes parsed back
357 string_unprinting(uschar *s)
359 uschar *p, *q, *r, *ss;
362 p = Ustrchr(s, '\\');
365 len = Ustrlen(s) + 1;
366 ss = store_get(len, is_tainted(s));
380 *q++ = string_interpret_escape((const uschar **)&p);
385 r = Ustrchr(p, '\\');
411 #ifdef HAVE_LOCAL_SCAN
412 /*************************************************
413 * Copy and save string *
414 *************************************************/
417 Argument: string to copy
418 Returns: copy of string in new store with the same taint status
422 string_copy_function(const uschar *s)
424 return string_copy_taint(s, is_tainted(s));
427 /* This function assumes that memcpy() is faster than strcpy().
428 As above, but explicitly specifying the result taint status
432 string_copy_taint(const uschar * s, BOOL tainted)
434 int len = Ustrlen(s) + 1;
435 uschar *ss = store_get(len, tainted);
442 /*************************************************
443 * Copy and save string, given length *
444 *************************************************/
446 /* It is assumed the data contains no zeros. A zero is added
451 n number of characters
453 Returns: copy of string in new store
457 string_copyn_function(const uschar *s, int n)
459 uschar *ss = store_get(n + 1, is_tainted(s));
467 /*************************************************
468 * Copy and save string in malloc'd store *
469 *************************************************/
471 /* This function assumes that memcpy() is faster than strcpy().
473 Argument: string to copy
474 Returns: copy of string in new store
478 string_copy_malloc(const uschar *s)
480 int len = Ustrlen(s) + 1;
481 uschar *ss = store_malloc(len);
488 /*************************************************
489 * Copy string if long, inserting newlines *
490 *************************************************/
492 /* If the given string is longer than 75 characters, it is copied, and within
493 the copy, certain space characters are converted into newlines.
495 Argument: pointer to the string
496 Returns: pointer to the possibly altered string
500 string_split_message(uschar *msg)
504 if (msg == NULL || Ustrlen(msg) <= 75) return msg;
505 s = ss = msg = string_copy(msg);
510 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
522 if (t[-1] == ':') { tt = t; break; }
523 if (tt == NULL) tt = t;
527 if (tt == NULL) /* Can't split behind - try ahead */
532 if (*t == ' ' || *t == '\n')
538 if (tt == NULL) break; /* Can't find anywhere to split */
549 /*************************************************
550 * Copy returned DNS domain name, de-escaping *
551 *************************************************/
553 /* If a domain name contains top-bit characters, some resolvers return
554 the fully qualified name with those characters turned into escapes. The
555 convention is a backslash followed by _decimal_ digits. We convert these
556 back into the original binary values. This will be relevant when
557 allow_utf8_domains is set true and UTF-8 characters are used in domain
558 names. Backslash can also be used to escape other characters, though we
559 shouldn't come across them in domain names.
561 Argument: the domain name string
562 Returns: copy of string in new store, de-escaped
566 string_copy_dnsdomain(uschar *s)
569 uschar *ss = yield = store_get(Ustrlen(s) + 1, is_tainted(s));
577 else if (isdigit(s[1]))
579 *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
582 else if (*(++s) != 0)
593 #ifndef COMPILE_UTILITY
594 /*************************************************
595 * Copy space-terminated or quoted string *
596 *************************************************/
598 /* This function copies from a string until its end, or until whitespace is
599 encountered, unless the string begins with a double quote, in which case the
600 terminating quote is sought, and escaping within the string is done. The length
601 of a de-quoted string can be no longer than the original, since escaping always
602 turns n characters into 1 character.
604 Argument: pointer to the pointer to the first character, which gets updated
605 Returns: the new string
609 string_dequote(const uschar **sptr)
611 const uschar *s = *sptr;
614 /* First find the end of the string */
617 while (*s != 0 && !isspace(*s)) s++;
621 while (*s && *s != '\"')
623 if (*s == '\\') (void)string_interpret_escape(&s);
629 /* Get enough store to copy into */
631 t = yield = store_get(s - *sptr + 1, is_tainted(*sptr));
637 while (*s != 0 && !isspace(*s)) *t++ = *s++;
641 while (*s != 0 && *s != '\"')
643 *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
649 /* Update the pointer and return the terminated copy */
655 #endif /* COMPILE_UTILITY */
659 /*************************************************
660 * Format a string and save it *
661 *************************************************/
663 /* The formatting is done by string_vformat, which checks the length of
667 format a printf() format - deliberately char * rather than uschar *
668 because it will most usually be a literal string
669 ... arguments for format
671 Returns: pointer to fresh piece of store containing sprintf'ed string
675 string_sprintf_trc(const char *format, const uschar * func, unsigned line, ...)
681 g = string_vformat_trc(NULL, func, line, STRING_SPRINTF_BUFFER_SIZE,
682 SVFMT_REBUFFER|SVFMT_EXTEND, format, ap);
686 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
687 "string_sprintf expansion was longer than %d; format string was (%s)\n"
688 " called from %s %d\n",
689 STRING_SPRINTF_BUFFER_SIZE, format, func, line);
691 gstring_release_unused(g);
692 return string_from_gstring(g);
697 /*************************************************
698 * Case-independent strncmp() function *
699 *************************************************/
705 n number of characters to compare
707 Returns: < 0, = 0, or > 0, according to the comparison
711 strncmpic(const uschar *s, const uschar *t, int n)
715 int c = tolower(*s++) - tolower(*t++);
722 /*************************************************
723 * Case-independent strcmp() function *
724 *************************************************/
731 Returns: < 0, = 0, or > 0, according to the comparison
735 strcmpic(const uschar *s, const uschar *t)
739 int c = tolower(*s++) - tolower(*t++);
740 if (c != 0) return c;
746 /*************************************************
747 * Case-independent strstr() function *
748 *************************************************/
750 /* The third argument specifies whether whitespace is required
751 to follow the matched string.
755 t substring to search for
756 space_follows if TRUE, match only if whitespace follows
758 Returns: pointer to substring in string, or NULL if not found
762 strstric(uschar *s, uschar *t, BOOL space_follows)
765 uschar *yield = NULL;
766 int cl = tolower(*p);
767 int cu = toupper(*p);
771 if (*s == cl || *s == cu)
773 if (yield == NULL) yield = s;
776 if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
784 else if (yield != NULL)
798 #ifdef COMPILE_UTILITY
799 /* Dummy version for this function; it should never be called */
801 gstring_grow(gstring * g, int count)
809 #ifndef COMPILE_UTILITY
810 /*************************************************
811 * Get next string from separated list *
812 *************************************************/
814 /* Leading and trailing space is removed from each item. The separator in the
815 list is controlled by the int pointed to by the separator argument as follows:
817 If the value is > 0 it is used as the separator. This is typically used for
818 sublists such as slash-separated options. The value is always a printing
821 (If the value is actually > UCHAR_MAX there is only one item in the list.
822 This is used for some cases when called via functions that sometimes
823 plough through lists, and sometimes are given single items.)
825 If the value is <= 0, the string is inspected for a leading <x, where x is an
826 ispunct() or an iscntrl() character. If found, x is used as the separator. If
829 (a) if separator == 0, ':' is used
830 (b) if separator <0, -separator is used
832 In all cases the value of the separator that is used is written back to the
833 int so that it is used on subsequent calls as we progress through the list.
835 A literal ispunct() separator can be represented in an item by doubling, but
836 there is no way to include an iscntrl() separator as part of the data.
839 listptr points to a pointer to the current start of the list; the
840 pointer gets updated to point after the end of the next item
841 separator a pointer to the separator character in an int (see above)
842 buffer where to put a copy of the next string in the list; or
843 NULL if the next string is returned in new memory
844 buflen when buffer is not NULL, the size of buffer; otherwise ignored
846 Returns: pointer to buffer, containing the next substring,
847 or NULL if no more substrings
851 string_nextinlist(const uschar **listptr, int *separator, uschar *buffer, int buflen)
853 int sep = *separator;
854 const uschar *s = *listptr;
859 /* This allows for a fixed specified separator to be an iscntrl() character,
860 but at the time of implementation, this is never the case. However, it's best
861 to be conservative. */
863 while (isspace(*s) && *s != sep) s++;
865 /* A change of separator is permitted, so look for a leading '<' followed by an
866 allowed character. */
870 if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
874 while (isspace(*s) && *s != sep) s++;
877 sep = sep ? -sep : ':';
881 /* An empty string has no list elements */
883 if (!*s) return NULL;
885 /* Note whether whether or not the separator is an iscntrl() character. */
887 sep_is_special = iscntrl(sep);
889 /* Handle the case when a buffer is provided. */
896 if (*s == sep && (*(++s) != sep || sep_is_special)) break;
897 if (p < buflen - 1) buffer[p++] = *s;
899 while (p > 0 && isspace(buffer[p-1])) p--;
903 /* Handle the case when a buffer is not provided. */
909 /* We know that *s != 0 at this point. However, it might be pointing to a
910 separator, which could indicate an empty string, or (if an ispunct()
911 character) could be doubled to indicate a separator character as data at the
912 start of a string. Avoid getting working memory for an empty item. */
917 if (*s != sep || sep_is_special)
920 return string_copy(US"");
924 /* Not an empty string; the first character is guaranteed to be a data
930 for (ss = s + 1; *ss && *ss != sep; ) ss++;
931 g = string_catn(g, s, ss-s);
933 if (!*s || *++s != sep || sep_is_special) break;
935 while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--;
936 buffer = string_from_gstring(g);
937 gstring_release_unused(g);
940 /* Update the current pointer and return the new string */
947 static const uschar *
948 Ustrnchr(const uschar * s, int c, unsigned * len)
953 if (!*s) return NULL;
966 /************************************************
967 * Add element to separated list *
968 ************************************************/
969 /* This function is used to build a list, returning an allocated null-terminated
970 growable string. The given element has any embedded separator characters
973 Despite having the same growable-string interface as string_cat() the list is
974 always returned null-terminated.
977 list expanding-string for the list that is being built, or NULL
978 if this is a new list that has no contents yet
979 sep list separator character
980 ele new element to be appended to the list
982 Returns: pointer to the start of the list, changed if copied for expansion.
986 string_append_listele(gstring * list, uschar sep, const uschar * ele)
990 if (list && list->ptr)
991 list = string_catn(list, &sep, 1);
993 while((sp = Ustrchr(ele, sep)))
995 list = string_catn(list, ele, sp-ele+1);
996 list = string_catn(list, &sep, 1);
999 list = string_cat(list, ele);
1000 (void) string_from_gstring(list);
1006 string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
1011 if (list && list->ptr)
1012 list = string_catn(list, &sep, 1);
1014 while((sp = Ustrnchr(ele, sep, &len)))
1016 list = string_catn(list, ele, sp-ele+1);
1017 list = string_catn(list, &sep, 1);
1021 list = string_catn(list, ele, len);
1022 (void) string_from_gstring(list);
1028 /* A slightly-bogus listmaker utility; the separator is a string so
1029 can be multiple chars - there is no checking for the element content
1030 containing any of the separator. */
1033 string_append2_listele_n(gstring * list, const uschar * sepstr,
1034 const uschar * ele, unsigned len)
1036 if (list && list->ptr)
1037 list = string_cat(list, sepstr);
1039 list = string_catn(list, ele, len);
1040 (void) string_from_gstring(list);
1046 /************************************************/
1047 /* Add more space to a growable-string. The caller should check
1048 first if growth is required. The gstring struct is modified on
1049 return; specifically, the string-base-pointer may have been changed.
1052 g the growable-string
1053 count amount needed for g->ptr to increase by
1057 gstring_grow(gstring * g, int count)
1060 int oldsize = g->size;
1061 BOOL tainted = is_tainted(g->s);
1063 /* Mostly, string_cat() is used to build small strings of a few hundred
1064 characters at most. There are times, however, when the strings are very much
1065 longer (for example, a lookup that returns a vast number of alias addresses).
1066 To try to keep things reasonable, we use increments whose size depends on the
1067 existing length of the string. */
1069 unsigned inc = oldsize < 4096 ? 127 : 1023;
1071 if (count <= 0) return;
1072 g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
1074 /* Try to extend an existing allocation. If the result of calling
1075 store_extend() is false, either there isn't room in the current memory block,
1076 or this string is not the top item on the dynamic store stack. We then have
1077 to get a new chunk of store and copy the old string. When building large
1078 strings, it is helpful to call store_release() on the old string, to release
1079 memory blocks that have become empty. (The block will be freed if the string
1080 is at its start.) However, we can do this only if we know that the old string
1081 was the last item on the dynamic memory stack. This is the case if it matches
1084 if (!store_extend(g->s, tainted, oldsize, g->size))
1085 g->s = store_newblock(g->s, tainted, g->size, p);
1090 /*************************************************
1091 * Add chars to string *
1092 *************************************************/
1093 /* This function is used when building up strings of unknown length. Room is
1094 always left for a terminating zero to be added to the string that is being
1095 built. This function does not require the string that is being added to be NUL
1096 terminated, because the number of characters to add is given explicitly. It is
1097 sometimes called to extract parts of other strings.
1100 string points to the start of the string that is being built, or NULL
1101 if this is a new string that has no contents yet
1102 s points to characters to add
1103 count count of characters to add; must not exceed the length of s, if s
1106 Returns: pointer to the start of the string, changed if copied for expansion.
1107 Note that a NUL is not added, though space is left for one. This is
1108 because string_cat() is often called multiple times to build up a
1109 string - there's no point adding the NUL till the end.
1112 /* coverity[+alloc] */
1115 string_catn(gstring * g, const uschar *s, int count)
1118 BOOL srctaint = is_tainted(s);
1122 unsigned inc = count < 4096 ? 127 : 1023;
1123 unsigned size = ((count + inc) & ~inc) + 1;
1124 g = string_get_tainted(size, srctaint);
1126 else if (srctaint && !is_tainted(g->s))
1127 gstring_rebuffer(g);
1130 if (p + count >= g->size)
1131 gstring_grow(g, count);
1133 /* Because we always specify the exact number of characters to copy, we can
1134 use memcpy(), which is likely to be more efficient than strncopy() because the
1135 latter has to check for zero bytes. */
1137 memcpy(g->s + p, s, count);
1144 string_cat(gstring *string, const uschar *s)
1146 return string_catn(string, s, Ustrlen(s));
1151 /*************************************************
1152 * Append strings to another string *
1153 *************************************************/
1155 /* This function can be used to build a string from many other strings.
1156 It calls string_cat() to do the dirty work.
1159 string expanding-string that is being built, or NULL
1160 if this is a new string that has no contents yet
1161 count the number of strings to append
1162 ... "count" uschar* arguments, which must be valid zero-terminated
1165 Returns: pointer to the start of the string, changed if copied for expansion.
1166 The string is not zero-terminated - see string_cat() above.
1169 __inline__ gstring *
1170 string_append(gstring *string, int count, ...)
1174 va_start(ap, count);
1177 uschar *t = va_arg(ap, uschar *);
1178 string = string_cat(string, t);
1188 /*************************************************
1189 * Format a string with length checks *
1190 *************************************************/
1192 /* This function is used to format a string with checking of the length of the
1193 output for all conversions. It protects Exim from absent-mindedness when
1194 calling functions like debug_printf and string_sprintf, and elsewhere. There
1195 are two different entry points to what is actually the same function, depending
1196 on whether the variable length list of data arguments are given explicitly or
1199 The formats are the usual printf() ones, with some omissions (never used) and
1200 three additions for strings: %S forces lower case, %T forces upper case, and
1201 %#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
1202 (useful in debugging). There is also the addition of %D and %M, which insert
1203 the date in the form used for datestamped log files.
1206 buffer a buffer in which to put the formatted string
1207 buflen the length of the buffer
1208 format the format string - deliberately char * and not uschar *
1209 ... or ap variable list of supplementary arguments
1211 Returns: TRUE if the result fitted in the buffer
1215 string_format_trc(uschar * buffer, int buflen,
1216 const uschar * func, unsigned line, const char * format, ...)
1218 gstring g = { .size = buflen, .ptr = 0, .s = buffer }, *gp;
1220 va_start(ap, format);
1221 gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1230 /* Copy the content of a string to tainted memory */
1232 gstring_rebuffer(gstring * g)
1234 uschar * s = store_get(g->size, TRUE);
1235 memcpy(s, g->s, g->ptr);
1241 /* Build or append to a growing-string, sprintf-style.
1243 If the "extend" flag is true, the string passed in can be NULL,
1244 empty, or non-empty. Growing is subject to an overall limit given
1245 by the size_limit argument.
1247 If the "extend" flag is false, the string passed in may not be NULL,
1248 will not be grown, and is usable in the original place after return.
1249 The return value can be NULL to signify overflow.
1251 Returns the possibly-new (if copy for growth was needed) string,
1256 string_vformat_trc(gstring * g, const uschar * func, unsigned line,
1257 unsigned size_limit, unsigned flags, const char *format, va_list ap)
1259 enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
1261 int width, precision, off, lim, need;
1262 const char * fp = format; /* Deliberately not unsigned */
1263 BOOL dest_tainted = FALSE;
1265 string_datestamp_offset = -1; /* Datestamp not inserted */
1266 string_datestamp_length = 0; /* Datestamp not inserted */
1267 string_datestamp_type = 0; /* Datestamp not inserted */
1269 #ifdef COMPILE_UTILITY
1270 assert(!(flags & SVFMT_EXTEND));
1274 /* Ensure we have a string, to save on checking later */
1275 if (!g) g = string_get(16);
1276 else if (!(flags & SVFMT_TAINT_NOCHK)) dest_tainted = is_tainted(g->s);
1278 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(format))
1280 if (!(flags & SVFMT_REBUFFER))
1281 die_tainted(US"string_vformat", func, line);
1282 gstring_rebuffer(g);
1283 dest_tainted = TRUE;
1285 #endif /*!COMPILE_UTILITY*/
1287 lim = g->size - 1; /* leave one for a nul */
1288 off = g->ptr; /* remember initial offset in gstring */
1290 /* Scan the format and handle the insertions */
1294 int length = L_NORMAL;
1297 const char *null = "NULL"; /* ) These variables */
1298 const char *item_start, *s; /* ) are deliberately */
1299 char newformat[16]; /* ) not unsigned */
1300 char * gp = CS g->s + g->ptr; /* ) */
1302 /* Non-% characters just get copied verbatim */
1306 /* Avoid string_copyn() due to COMPILE_UTILITY */
1307 if ((need = g->ptr + 1) > lim)
1309 if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
1313 g->s[g->ptr++] = (uschar) *fp++;
1317 /* Deal with % characters. Pick off the width and precision, for checking
1318 strings, skipping over the flag and modifier characters. */
1321 width = precision = -1;
1323 if (strchr("-+ #0", *(++fp)) != NULL)
1325 if (*fp == '#') null = "";
1329 if (isdigit((uschar)*fp))
1331 width = *fp++ - '0';
1332 while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
1334 else if (*fp == '*')
1336 width = va_arg(ap, int);
1343 precision = va_arg(ap, int);
1347 for (precision = 0; isdigit((uschar)*fp); fp++)
1348 precision = precision*10 + *fp - '0';
1350 /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
1353 { fp++; length = L_SHORT; }
1354 else if (*fp == 'L')
1355 { fp++; length = L_LONGDOUBLE; }
1356 else if (*fp == 'l')
1358 { fp += 2; length = L_LONGLONG; }
1360 { fp++; length = L_LONG; }
1361 else if (*fp == 'z')
1362 { fp++; length = L_SIZE; }
1364 /* Handle each specific format type. */
1369 nptr = va_arg(ap, int *);
1370 *nptr = g->ptr - off;
1378 width = length > L_LONG ? 24 : 12;
1379 if ((need = g->ptr + width) > lim)
1381 if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
1382 gstring_grow(g, width);
1384 gp = CS g->s + g->ptr;
1386 strncpy(newformat, item_start, fp - item_start);
1387 newformat[fp - item_start] = 0;
1389 /* Short int is promoted to int when passing through ..., so we must use
1390 int for va_arg(). */
1396 g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
1398 g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
1400 g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
1402 g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
1409 if ((need = g->ptr + 24) > lim)
1411 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1412 gstring_grow(g, 24);
1414 gp = CS g->s + g->ptr;
1416 /* sprintf() saying "(nil)" for a null pointer seems unreliable.
1417 Handle it explicitly. */
1418 if ((ptr = va_arg(ap, void *)))
1420 strncpy(newformat, item_start, fp - item_start);
1421 newformat[fp - item_start] = 0;
1422 g->ptr += sprintf(gp, newformat, ptr);
1425 g->ptr += sprintf(gp, "(nil)");
1429 /* %f format is inherently insecure if the numbers that it may be
1430 handed are unknown (e.g. 1e300). However, in Exim, %f is used for
1431 printing load averages, and these are actually stored as integers
1432 (load average * 1000) so the size of the numbers is constrained.
1433 It is also used for formatting sending rates, where the simplicity
1434 of the format prevents overflow. */
1441 if (precision < 0) precision = 6;
1442 if ((need = g->ptr + precision + 8) > lim)
1444 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1445 gstring_grow(g, precision+8);
1447 gp = CS g->s + g->ptr;
1449 strncpy(newformat, item_start, fp - item_start);
1450 newformat[fp-item_start] = 0;
1451 if (length == L_LONGDOUBLE)
1452 g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
1454 g->ptr += sprintf(gp, newformat, va_arg(ap, double));
1460 if ((need = g->ptr + 1) > lim)
1462 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1466 g->s[g->ptr++] = (uschar) '%';
1470 if ((need = g->ptr + 1) > lim)
1472 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1476 g->s[g->ptr++] = (uschar) va_arg(ap, int);
1479 case 'D': /* Insert daily datestamp for log file names */
1480 s = CS tod_stamp(tod_log_datestamp_daily);
1481 string_datestamp_offset = g->ptr; /* Passed back via global */
1482 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1483 string_datestamp_type = tod_log_datestamp_daily;
1484 slen = string_datestamp_length;
1487 case 'M': /* Insert monthly datestamp for log file names */
1488 s = CS tod_stamp(tod_log_datestamp_monthly);
1489 string_datestamp_offset = g->ptr; /* Passed back via global */
1490 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1491 string_datestamp_type = tod_log_datestamp_monthly;
1492 slen = string_datestamp_length;
1496 case 'S': /* Forces *lower* case */
1497 case 'T': /* Forces *upper* case */
1498 s = va_arg(ap, char *);
1503 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(s))
1504 if (flags & SVFMT_REBUFFER)
1506 gstring_rebuffer(g);
1507 gp = CS g->s + g->ptr;
1508 dest_tainted = TRUE;
1511 die_tainted(US"string_vformat", func, line);
1513 INSERT_STRING: /* Come to from %D or %M above */
1516 BOOL truncated = FALSE;
1518 /* If the width is specified, check that there is a precision
1519 set; if not, set it to the width to prevent overruns of long
1524 if (precision < 0) precision = width;
1527 /* If a width is not specified and the precision is specified, set
1528 the width to the precision, or the string length if shorted. */
1530 else if (precision >= 0)
1531 width = precision < slen ? precision : slen;
1533 /* If neither are specified, set them both to the string length. */
1536 width = precision = slen;
1538 if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
1540 if (g->ptr == lim) return NULL;
1544 width = precision = lim - g->ptr - 1;
1545 if (width < 0) width = 0;
1546 if (precision < 0) precision = 0;
1549 else if (need > lim)
1551 gstring_grow(g, width);
1553 gp = CS g->s + g->ptr;
1556 g->ptr += sprintf(gp, "%*.*s", width, precision, s);
1558 while (*gp) { *gp = tolower(*gp); gp++; }
1559 else if (fp[-1] == 'T')
1560 while (*gp) { *gp = toupper(*gp); gp++; }
1562 if (truncated) return NULL;
1566 /* Some things are never used in Exim; also catches junk. */
1569 strncpy(newformat, item_start, fp - item_start);
1570 newformat[fp-item_start] = 0;
1571 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
1572 "in \"%s\" in \"%s\"", newformat, format);
1577 if (g->ptr > g->size)
1578 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1579 "string_format internal error: caller %s %d", func, line);
1585 #ifndef COMPILE_UTILITY
1586 /*************************************************
1587 * Generate an "open failed" message *
1588 *************************************************/
1590 /* This function creates a message after failure to open a file. It includes a
1591 string supplied as data, adds the strerror() text, and if the failure was
1592 "Permission denied", reads and includes the euid and egid.
1595 eno the value of errno after the failure
1596 format a text format string - deliberately not uschar *
1597 ... arguments for the format string
1599 Returns: a message, in dynamic store
1603 string_open_failed_trc(int eno, const uschar * func, unsigned line,
1604 const char *format, ...)
1607 gstring * g = string_get(1024);
1609 g = string_catn(g, US"failed to open ", 15);
1611 /* Use the checked formatting routine to ensure that the buffer
1612 does not overflow. It should not, since this is called only for internally
1613 specified messages. If it does, the message just gets truncated, and there
1614 doesn't seem much we can do about that. */
1616 va_start(ap, format);
1617 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1619 string_from_gstring(g);
1620 gstring_release_unused(g);
1623 return eno == EACCES
1624 ? string_sprintf("%s: %s (euid=%ld egid=%ld)", g->s, strerror(eno),
1625 (long int)geteuid(), (long int)getegid())
1626 : string_sprintf("%s: %s", g->s, strerror(eno));
1628 #endif /* COMPILE_UTILITY */
1634 #ifndef COMPILE_UTILITY
1635 /* qsort(3), currently used to sort the environment variables
1636 for -bP environment output, needs a function to compare two pointers to string
1637 pointers. Here it is. */
1640 string_compare_by_pointer(const void *a, const void *b)
1642 return Ustrcmp(* CUSS a, * CUSS b);
1644 #endif /* COMPILE_UTILITY */
1649 /*************************************************
1650 **************************************************
1651 * Stand-alone test program *
1652 **************************************************
1653 *************************************************/
1660 printf("Testing is_ip_address\n");
1662 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1665 buffer[Ustrlen(buffer) - 1] = 0;
1666 printf("%d\n", string_is_ip_address(buffer, NULL));
1667 printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
1670 printf("Testing string_nextinlist\n");
1672 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1674 uschar *list = buffer;
1682 sep1 = sep2 = list[1];
1689 uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
1690 uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
1692 if (item1 == NULL && item2 == NULL) break;
1693 if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
1695 printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
1696 (item1 == NULL)? "NULL" : CS item1,
1697 (item2 == NULL)? "NULL" : CS item2);
1700 else printf(" \"%s\"\n", CS item1);
1704 /* This is a horrible lash-up, but it serves its purpose. */
1706 printf("Testing string_format\n");
1708 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1711 long long llargs[3];
1721 buffer[Ustrlen(buffer) - 1] = 0;
1723 s = Ustrchr(buffer, ',');
1724 if (s == NULL) s = buffer + Ustrlen(buffer);
1726 Ustrncpy(format, buffer, s - buffer);
1727 format[s-buffer] = 0;
1734 s = Ustrchr(ss, ',');
1735 if (s == NULL) s = ss + Ustrlen(ss);
1739 Ustrncpy(outbuf, ss, s-ss);
1740 if (Ustrchr(outbuf, '.') != NULL)
1743 dargs[n++] = Ustrtod(outbuf, NULL);
1745 else if (Ustrstr(outbuf, "ll") != NULL)
1748 llargs[n++] = strtoull(CS outbuf, NULL, 10);
1752 args[n++] = (void *)Uatoi(outbuf);
1756 else if (Ustrcmp(ss, "*") == 0)
1758 args[n++] = (void *)(&count);
1764 uschar *sss = malloc(s - ss + 1);
1765 Ustrncpy(sss, ss, s-ss);
1772 if (!dflag && !llflag)
1773 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1774 args[0], args[1], args[2])? "True" : "False");
1777 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1778 dargs[0], dargs[1], dargs[2])? "True" : "False");
1780 else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1781 llargs[0], llargs[1], llargs[2])? "True" : "False");
1783 printf("%s\n", CS outbuf);
1784 if (countset) printf("count=%d\n", count);
1791 /* End of string.c */