1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Miscellaneous string-handling functions. Some are not required for
9 utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
15 static void gstring_rebuffer(gstring * g);
17 #ifndef COMPILE_UTILITY
18 /*************************************************
19 * Test for IP address *
20 *************************************************/
22 /* This used just to be a regular expression, but with IPv6 things are a bit
23 more complicated. If the address contains a colon, it is assumed to be a v6
24 address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
25 and maskptr is not NULL, its offset is placed there.
29 maskptr NULL if no mask is permitted to follow
30 otherwise, points to an int where the offset of '/' is placed
31 if there is no / followed by trailing digits, *maskptr is set 0
33 Returns: 0 if the string is not a textual representation of an IP address
34 4 if it is an IPv4 address
35 6 if it is an IPv6 address
39 string_is_ip_address(const uschar *s, int *maskptr)
43 /* If an optional mask is permitted, check for it. If found, pass back the
48 const uschar *ss = s + Ustrlen(s);
50 if (s != ss && isdigit(*(--ss)))
52 while (ss > s && isdigit(ss[-1])) ss--;
53 if (ss > s && *(--ss) == '/') *maskptr = ss - s;
57 /* A colon anywhere in the string => IPv6 address */
59 if (Ustrchr(s, ':') != NULL)
61 BOOL had_double_colon = FALSE;
66 /* An IPv6 address must start with hex digit or double colon. A single
69 if (*s == ':' && *(++s) != ':') return 0;
71 /* Now read up to 8 components consisting of up to 4 hex digits each. There
72 may be one and only one appearance of double colon, which implies any number
73 of binary zero bits. The number of preceding components is held in count. */
75 for (int count = 0; count < 8; count++)
77 /* If the end of the string is reached before reading 8 components, the
78 address is valid provided a double colon has been read. This also applies
79 if we hit the / that introduces a mask or the % that introduces the
80 interface specifier (scope id) of a link-local address. */
82 if (*s == 0 || *s == '%' || *s == '/') return had_double_colon ? yield : 0;
84 /* If a component starts with an additional colon, we have hit a double
85 colon. This is permitted to appear once only, and counts as at least
86 one component. The final component may be of this form. */
90 if (had_double_colon) return 0;
91 had_double_colon = TRUE;
96 /* If the remainder of the string contains a dot but no colons, we
97 can expect a trailing IPv4 address. This is valid if either there has
98 been no double-colon and this is the 7th component (with the IPv4 address
99 being the 7th & 8th components), OR if there has been a double-colon
100 and fewer than 6 components. */
102 if (Ustrchr(s, ':') == NULL && Ustrchr(s, '.') != NULL)
104 if ((!had_double_colon && count != 6) ||
105 (had_double_colon && count > 6)) return 0;
111 /* Check for at least one and not more than 4 hex digits for this
114 if (!isxdigit(*s++)) return 0;
115 if (isxdigit(*s) && isxdigit(*(++s)) && isxdigit(*(++s))) s++;
117 /* If the component is terminated by colon and there is more to
118 follow, skip over the colon. If there is no more to follow the address is
121 if (*s == ':' && *(++s) == 0) return 0;
124 /* If about to handle a trailing IPv4 address, drop through. Otherwise
125 all is well if we are at the end of the string or at the mask or at a percent
126 sign, which introduces the interface specifier (scope id) of a link local
130 return (*s == 0 || *s == '%' ||
131 (*s == '/' && maskptr != NULL && *maskptr != 0))? yield : 0;
134 /* Test for IPv4 address, which may be the tail-end of an IPv6 address. */
136 for (int i = 0; i < 4; i++)
141 if (i != 0 && *s++ != '.') return 0;
142 n = strtol(CCS s, CSS &end, 10);
143 if (n > 255 || n < 0 || end <= s || end > s+3) return 0;
147 return !*s || (*s == '/' && maskptr && *maskptr != 0) ? yield : 0;
149 #endif /* COMPILE_UTILITY */
152 /*************************************************
153 * Format message size *
154 *************************************************/
156 /* Convert a message size in bytes to printing form, rounding
157 according to the magnitude of the number. A value of zero causes
158 a string of spaces to be returned.
161 size the message size in bytes
162 buffer where to put the answer
164 Returns: pointer to the buffer
165 a string of exactly 5 characters is normally returned
169 string_format_size(int size, uschar *buffer)
171 if (size == 0) Ustrcpy(buffer, US" ");
172 else if (size < 1024) sprintf(CS buffer, "%5d", size);
173 else if (size < 10*1024)
174 sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
175 else if (size < 1024*1024)
176 sprintf(CS buffer, "%4dK", (size + 512)/1024);
177 else if (size < 10*1024*1024)
178 sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
180 sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
186 #ifndef COMPILE_UTILITY
187 /*************************************************
188 * Convert a number to base 62 format *
189 *************************************************/
191 /* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
192 BASE_62 is actually 36. Always return exactly 6 characters plus zero, in a
195 Argument: a long integer
196 Returns: pointer to base 62 string
200 string_base62(unsigned long int value)
202 static uschar yield[7];
203 uschar *p = yield + sizeof(yield) - 1;
207 *(--p) = base62_chars[value % BASE_62];
212 #endif /* COMPILE_UTILITY */
216 /*************************************************
217 * Interpret escape sequence *
218 *************************************************/
220 /* This function is called from several places where escape sequences are to be
221 interpreted in strings.
224 pp points a pointer to the initiating "\" in the string;
225 the pointer gets updated to point to the final character
226 If the backslash is the last character in the string, it
228 Returns: the value of the character escape
232 string_interpret_escape(const uschar **pp)
234 #ifdef COMPILE_UTILITY
235 const uschar *hex_digits= CUS"0123456789abcdef";
238 const uschar *p = *pp;
240 if (ch == '\0') return **pp;
241 if (isdigit(ch) && ch != '8' && ch != '9')
244 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
246 ch = ch * 8 + *(++p) - '0';
247 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
248 ch = ch * 8 + *(++p) - '0';
253 case 'b': ch = '\b'; break;
254 case 'f': ch = '\f'; break;
255 case 'n': ch = '\n'; break;
256 case 'r': ch = '\r'; break;
257 case 't': ch = '\t'; break;
258 case 'v': ch = '\v'; break;
264 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
265 if (isxdigit(p[1])) ch = ch * 16 +
266 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
276 #ifndef COMPILE_UTILITY
277 /*************************************************
278 * Ensure string is printable *
279 *************************************************/
281 /* This function is called for critical strings. It checks for any
282 non-printing characters, and if any are found, it makes a new copy
283 of the string with suitable escape sequences. It is most often called by the
284 macro string_printing(), which sets allow_tab TRUE.
288 allow_tab TRUE to allow tab as a printing character
290 Returns: string with non-printers encoded as printing sequences
294 string_printing2(const uschar *s, BOOL allow_tab)
296 int nonprintcount = 0;
304 if (!mac_isprint(c) || (!allow_tab && c == '\t')) nonprintcount++;
308 if (nonprintcount == 0) return s;
310 /* Get a new block of store guaranteed big enough to hold the
313 ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s));
315 /* Copy everything, escaping non printers. */
323 if (mac_isprint(c) && (allow_tab || c != '\t')) *tt++ = *t++; else
328 case '\n': *tt++ = 'n'; break;
329 case '\r': *tt++ = 'r'; break;
330 case '\b': *tt++ = 'b'; break;
331 case '\v': *tt++ = 'v'; break;
332 case '\f': *tt++ = 'f'; break;
333 case '\t': *tt++ = 't'; break;
334 default: sprintf(CS tt, "%03o", *t); tt += 3; break;
342 #endif /* COMPILE_UTILITY */
344 /*************************************************
345 * Undo printing escapes in string *
346 *************************************************/
348 /* This function is the reverse of string_printing2. It searches for
349 backslash characters and if any are found, it makes a new copy of the
350 string with escape sequences parsed. Otherwise it returns the original
356 Returns: string with printing escapes parsed back
360 string_unprinting(uschar *s)
362 uschar *p, *q, *r, *ss;
365 p = Ustrchr(s, '\\');
368 len = Ustrlen(s) + 1;
369 ss = store_get(len, is_tainted(s));
383 *q++ = string_interpret_escape((const uschar **)&p);
388 r = Ustrchr(p, '\\');
414 #ifdef HAVE_LOCAL_SCAN
415 /*************************************************
416 * Copy and save string *
417 *************************************************/
420 Argument: string to copy
421 Returns: copy of string in new store with the same taint status
425 string_copy_function(const uschar *s)
427 return string_copy_taint(s, is_tainted(s));
430 /* This function assumes that memcpy() is faster than strcpy().
431 As above, but explicitly specifying the result taint status
435 string_copy_taint(const uschar * s, BOOL tainted)
437 int len = Ustrlen(s) + 1;
438 uschar *ss = store_get(len, tainted);
445 /*************************************************
446 * Copy and save string, given length *
447 *************************************************/
449 /* It is assumed the data contains no zeros. A zero is added
454 n number of characters
456 Returns: copy of string in new store
460 string_copyn_function(const uschar *s, int n)
462 uschar *ss = store_get(n + 1, is_tainted(s));
470 /*************************************************
471 * Copy and save string in malloc'd store *
472 *************************************************/
474 /* This function assumes that memcpy() is faster than strcpy().
476 Argument: string to copy
477 Returns: copy of string in new store
481 string_copy_malloc(const uschar *s)
483 int len = Ustrlen(s) + 1;
484 uschar *ss = store_malloc(len);
491 /*************************************************
492 * Copy string if long, inserting newlines *
493 *************************************************/
495 /* If the given string is longer than 75 characters, it is copied, and within
496 the copy, certain space characters are converted into newlines.
498 Argument: pointer to the string
499 Returns: pointer to the possibly altered string
503 string_split_message(uschar *msg)
507 if (msg == NULL || Ustrlen(msg) <= 75) return msg;
508 s = ss = msg = string_copy(msg);
513 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
525 if (t[-1] == ':') { tt = t; break; }
526 if (tt == NULL) tt = t;
530 if (tt == NULL) /* Can't split behind - try ahead */
535 if (*t == ' ' || *t == '\n')
541 if (tt == NULL) break; /* Can't find anywhere to split */
552 /*************************************************
553 * Copy returned DNS domain name, de-escaping *
554 *************************************************/
556 /* If a domain name contains top-bit characters, some resolvers return
557 the fully qualified name with those characters turned into escapes. The
558 convention is a backslash followed by _decimal_ digits. We convert these
559 back into the original binary values. This will be relevant when
560 allow_utf8_domains is set true and UTF-8 characters are used in domain
561 names. Backslash can also be used to escape other characters, though we
562 shouldn't come across them in domain names.
564 Argument: the domain name string
565 Returns: copy of string in new store, de-escaped
569 string_copy_dnsdomain(uschar *s)
572 uschar *ss = yield = store_get(Ustrlen(s) + 1, is_tainted(s));
580 else if (isdigit(s[1]))
582 *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
585 else if (*(++s) != 0)
596 #ifndef COMPILE_UTILITY
597 /*************************************************
598 * Copy space-terminated or quoted string *
599 *************************************************/
601 /* This function copies from a string until its end, or until whitespace is
602 encountered, unless the string begins with a double quote, in which case the
603 terminating quote is sought, and escaping within the string is done. The length
604 of a de-quoted string can be no longer than the original, since escaping always
605 turns n characters into 1 character.
607 Argument: pointer to the pointer to the first character, which gets updated
608 Returns: the new string
612 string_dequote(const uschar **sptr)
614 const uschar *s = *sptr;
617 /* First find the end of the string */
620 while (*s != 0 && !isspace(*s)) s++;
624 while (*s && *s != '\"')
626 if (*s == '\\') (void)string_interpret_escape(&s);
632 /* Get enough store to copy into */
634 t = yield = store_get(s - *sptr + 1, is_tainted(*sptr));
640 while (*s != 0 && !isspace(*s)) *t++ = *s++;
644 while (*s != 0 && *s != '\"')
646 *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
652 /* Update the pointer and return the terminated copy */
658 #endif /* COMPILE_UTILITY */
662 /*************************************************
663 * Format a string and save it *
664 *************************************************/
666 /* The formatting is done by string_vformat, which checks the length of
670 format a printf() format - deliberately char * rather than uschar *
671 because it will most usually be a literal string
672 ... arguments for format
674 Returns: pointer to fresh piece of store containing sprintf'ed string
678 string_sprintf_trc(const char *format, const uschar * func, unsigned line, ...)
684 g = string_vformat_trc(NULL, func, line, STRING_SPRINTF_BUFFER_SIZE,
685 SVFMT_REBUFFER|SVFMT_EXTEND, format, ap);
689 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
690 "string_sprintf expansion was longer than %d; format string was (%s)\n"
691 " called from %s %d\n",
692 STRING_SPRINTF_BUFFER_SIZE, format, func, line);
694 gstring_release_unused(g);
695 return string_from_gstring(g);
700 /*************************************************
701 * Case-independent strncmp() function *
702 *************************************************/
708 n number of characters to compare
710 Returns: < 0, = 0, or > 0, according to the comparison
714 strncmpic(const uschar *s, const uschar *t, int n)
718 int c = tolower(*s++) - tolower(*t++);
725 /*************************************************
726 * Case-independent strcmp() function *
727 *************************************************/
734 Returns: < 0, = 0, or > 0, according to the comparison
738 strcmpic(const uschar *s, const uschar *t)
742 int c = tolower(*s++) - tolower(*t++);
743 if (c != 0) return c;
749 /*************************************************
750 * Case-independent strstr() function *
751 *************************************************/
753 /* The third argument specifies whether whitespace is required
754 to follow the matched string.
758 t substring to search for
759 space_follows if TRUE, match only if whitespace follows
761 Returns: pointer to substring in string, or NULL if not found
765 strstric(uschar *s, uschar *t, BOOL space_follows)
768 uschar *yield = NULL;
769 int cl = tolower(*p);
770 int cu = toupper(*p);
774 if (*s == cl || *s == cu)
776 if (yield == NULL) yield = s;
779 if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
787 else if (yield != NULL)
801 #ifdef COMPILE_UTILITY
802 /* Dummy version for this function; it should never be called */
804 gstring_grow(gstring * g, int count)
812 #ifndef COMPILE_UTILITY
813 /*************************************************
814 * Get next string from separated list *
815 *************************************************/
817 /* Leading and trailing space is removed from each item. The separator in the
818 list is controlled by the int pointed to by the separator argument as follows:
820 If the value is > 0 it is used as the separator. This is typically used for
821 sublists such as slash-separated options. The value is always a printing
824 (If the value is actually > UCHAR_MAX there is only one item in the list.
825 This is used for some cases when called via functions that sometimes
826 plough through lists, and sometimes are given single items.)
828 If the value is <= 0, the string is inspected for a leading <x, where x is an
829 ispunct() or an iscntrl() character. If found, x is used as the separator. If
832 (a) if separator == 0, ':' is used
833 (b) if separator <0, -separator is used
835 In all cases the value of the separator that is used is written back to the
836 int so that it is used on subsequent calls as we progress through the list.
838 A literal ispunct() separator can be represented in an item by doubling, but
839 there is no way to include an iscntrl() separator as part of the data.
842 listptr points to a pointer to the current start of the list; the
843 pointer gets updated to point after the end of the next item
844 separator a pointer to the separator character in an int (see above)
845 buffer where to put a copy of the next string in the list; or
846 NULL if the next string is returned in new memory
847 buflen when buffer is not NULL, the size of buffer; otherwise ignored
849 Returns: pointer to buffer, containing the next substring,
850 or NULL if no more substrings
854 string_nextinlist(const uschar **listptr, int *separator, uschar *buffer, int buflen)
856 int sep = *separator;
857 const uschar *s = *listptr;
862 /* This allows for a fixed specified separator to be an iscntrl() character,
863 but at the time of implementation, this is never the case. However, it's best
864 to be conservative. */
866 while (isspace(*s) && *s != sep) s++;
868 /* A change of separator is permitted, so look for a leading '<' followed by an
869 allowed character. */
873 if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
877 while (isspace(*s) && *s != sep) s++;
880 sep = sep ? -sep : ':';
884 /* An empty string has no list elements */
886 if (!*s) return NULL;
888 /* Note whether whether or not the separator is an iscntrl() character. */
890 sep_is_special = iscntrl(sep);
892 /* Handle the case when a buffer is provided. */
899 if (*s == sep && (*(++s) != sep || sep_is_special)) break;
900 if (p < buflen - 1) buffer[p++] = *s;
902 while (p > 0 && isspace(buffer[p-1])) p--;
906 /* Handle the case when a buffer is not provided. */
912 /* We know that *s != 0 at this point. However, it might be pointing to a
913 separator, which could indicate an empty string, or (if an ispunct()
914 character) could be doubled to indicate a separator character as data at the
915 start of a string. Avoid getting working memory for an empty item. */
920 if (*s != sep || sep_is_special)
923 return string_copy(US"");
927 /* Not an empty string; the first character is guaranteed to be a data
933 for (ss = s + 1; *ss && *ss != sep; ) ss++;
934 g = string_catn(g, s, ss-s);
936 if (!*s || *++s != sep || sep_is_special) break;
938 while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--;
939 buffer = string_from_gstring(g);
940 gstring_release_unused(g);
943 /* Update the current pointer and return the new string */
950 static const uschar *
951 Ustrnchr(const uschar * s, int c, unsigned * len)
956 if (!*s) return NULL;
969 /************************************************
970 * Add element to separated list *
971 ************************************************/
972 /* This function is used to build a list, returning an allocated null-terminated
973 growable string. The given element has any embedded separator characters
976 Despite having the same growable-string interface as string_cat() the list is
977 always returned null-terminated.
980 list expanding-string for the list that is being built, or NULL
981 if this is a new list that has no contents yet
982 sep list separator character
983 ele new element to be appended to the list
985 Returns: pointer to the start of the list, changed if copied for expansion.
989 string_append_listele(gstring * list, uschar sep, const uschar * ele)
993 if (list && list->ptr)
994 list = string_catn(list, &sep, 1);
996 while((sp = Ustrchr(ele, sep)))
998 list = string_catn(list, ele, sp-ele+1);
999 list = string_catn(list, &sep, 1);
1002 list = string_cat(list, ele);
1003 (void) string_from_gstring(list);
1009 string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
1014 if (list && list->ptr)
1015 list = string_catn(list, &sep, 1);
1017 while((sp = Ustrnchr(ele, sep, &len)))
1019 list = string_catn(list, ele, sp-ele+1);
1020 list = string_catn(list, &sep, 1);
1024 list = string_catn(list, ele, len);
1025 (void) string_from_gstring(list);
1031 /* A slightly-bogus listmaker utility; the separator is a string so
1032 can be multiple chars - there is no checking for the element content
1033 containing any of the separator. */
1036 string_append2_listele_n(gstring * list, const uschar * sepstr,
1037 const uschar * ele, unsigned len)
1039 if (list && list->ptr)
1040 list = string_cat(list, sepstr);
1042 list = string_catn(list, ele, len);
1043 (void) string_from_gstring(list);
1049 /************************************************/
1050 /* Add more space to a growable-string. The caller should check
1051 first if growth is required. The gstring struct is modified on
1052 return; specifically, the string-base-pointer may have been changed.
1055 g the growable-string
1056 count amount needed for g->ptr to increase by
1060 gstring_grow(gstring * g, int count)
1063 int oldsize = g->size;
1064 BOOL tainted = is_tainted(g->s);
1066 /* Mostly, string_cat() is used to build small strings of a few hundred
1067 characters at most. There are times, however, when the strings are very much
1068 longer (for example, a lookup that returns a vast number of alias addresses).
1069 To try to keep things reasonable, we use increments whose size depends on the
1070 existing length of the string. */
1072 unsigned inc = oldsize < 4096 ? 127 : 1023;
1074 if (count <= 0) return;
1075 g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
1077 /* Try to extend an existing allocation. If the result of calling
1078 store_extend() is false, either there isn't room in the current memory block,
1079 or this string is not the top item on the dynamic store stack. We then have
1080 to get a new chunk of store and copy the old string. When building large
1081 strings, it is helpful to call store_release() on the old string, to release
1082 memory blocks that have become empty. (The block will be freed if the string
1083 is at its start.) However, we can do this only if we know that the old string
1084 was the last item on the dynamic memory stack. This is the case if it matches
1087 if (!store_extend(g->s, tainted, oldsize, g->size))
1088 g->s = store_newblock(g->s, tainted, g->size, p);
1093 /*************************************************
1094 * Add chars to string *
1095 *************************************************/
1096 /* This function is used when building up strings of unknown length. Room is
1097 always left for a terminating zero to be added to the string that is being
1098 built. This function does not require the string that is being added to be NUL
1099 terminated, because the number of characters to add is given explicitly. It is
1100 sometimes called to extract parts of other strings.
1103 string points to the start of the string that is being built, or NULL
1104 if this is a new string that has no contents yet
1105 s points to characters to add
1106 count count of characters to add; must not exceed the length of s, if s
1109 Returns: pointer to the start of the string, changed if copied for expansion.
1110 Note that a NUL is not added, though space is left for one. This is
1111 because string_cat() is often called multiple times to build up a
1112 string - there's no point adding the NUL till the end.
1115 /* coverity[+alloc] */
1118 string_catn(gstring * g, const uschar *s, int count)
1121 BOOL srctaint = is_tainted(s);
1125 unsigned inc = count < 4096 ? 127 : 1023;
1126 unsigned size = ((count + inc) & ~inc) + 1;
1127 g = string_get_tainted(size, srctaint);
1129 else if (srctaint && !is_tainted(g->s))
1130 gstring_rebuffer(g);
1133 if (p + count >= g->size)
1134 gstring_grow(g, count);
1136 /* Because we always specify the exact number of characters to copy, we can
1137 use memcpy(), which is likely to be more efficient than strncopy() because the
1138 latter has to check for zero bytes. */
1140 memcpy(g->s + p, s, count);
1147 string_cat(gstring *string, const uschar *s)
1149 return string_catn(string, s, Ustrlen(s));
1154 /*************************************************
1155 * Append strings to another string *
1156 *************************************************/
1158 /* This function can be used to build a string from many other strings.
1159 It calls string_cat() to do the dirty work.
1162 string expanding-string that is being built, or NULL
1163 if this is a new string that has no contents yet
1164 count the number of strings to append
1165 ... "count" uschar* arguments, which must be valid zero-terminated
1168 Returns: pointer to the start of the string, changed if copied for expansion.
1169 The string is not zero-terminated - see string_cat() above.
1172 __inline__ gstring *
1173 string_append(gstring *string, int count, ...)
1177 va_start(ap, count);
1180 uschar *t = va_arg(ap, uschar *);
1181 string = string_cat(string, t);
1191 /*************************************************
1192 * Format a string with length checks *
1193 *************************************************/
1195 /* This function is used to format a string with checking of the length of the
1196 output for all conversions. It protects Exim from absent-mindedness when
1197 calling functions like debug_printf and string_sprintf, and elsewhere. There
1198 are two different entry points to what is actually the same function, depending
1199 on whether the variable length list of data arguments are given explicitly or
1202 The formats are the usual printf() ones, with some omissions (never used) and
1203 three additions for strings: %S forces lower case, %T forces upper case, and
1204 %#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
1205 (useful in debugging). There is also the addition of %D and %M, which insert
1206 the date in the form used for datestamped log files.
1209 buffer a buffer in which to put the formatted string
1210 buflen the length of the buffer
1211 format the format string - deliberately char * and not uschar *
1212 ... or ap variable list of supplementary arguments
1214 Returns: TRUE if the result fitted in the buffer
1218 string_format_trc(uschar * buffer, int buflen,
1219 const uschar * func, unsigned line, const char * format, ...)
1221 gstring g = { .size = buflen, .ptr = 0, .s = buffer }, *gp;
1223 va_start(ap, format);
1224 gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1233 /* Copy the content of a string to tainted memory */
1235 gstring_rebuffer(gstring * g)
1237 uschar * s = store_get(g->size, TRUE);
1238 memcpy(s, g->s, g->ptr);
1244 /* Build or append to a growing-string, sprintf-style.
1246 If the "extend" flag is true, the string passed in can be NULL,
1247 empty, or non-empty. Growing is subject to an overall limit given
1248 by the size_limit argument.
1250 If the "extend" flag is false, the string passed in may not be NULL,
1251 will not be grown, and is usable in the original place after return.
1252 The return value can be NULL to signify overflow.
1254 Returns the possibly-new (if copy for growth was needed) string,
1259 string_vformat_trc(gstring * g, const uschar * func, unsigned line,
1260 unsigned size_limit, unsigned flags, const char *format, va_list ap)
1262 enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
1264 int width, precision, off, lim, need;
1265 const char * fp = format; /* Deliberately not unsigned */
1266 BOOL dest_tainted = FALSE;
1268 string_datestamp_offset = -1; /* Datestamp not inserted */
1269 string_datestamp_length = 0; /* Datestamp not inserted */
1270 string_datestamp_type = 0; /* Datestamp not inserted */
1272 #ifdef COMPILE_UTILITY
1273 assert(!(flags & SVFMT_EXTEND));
1277 /* Ensure we have a string, to save on checking later */
1278 if (!g) g = string_get(16);
1279 else if (!(flags & SVFMT_TAINT_NOCHK)) dest_tainted = is_tainted(g->s);
1281 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(format))
1283 #ifndef MACRO_PREDEF
1284 if (!(flags & SVFMT_REBUFFER))
1285 die_tainted(US"string_vformat", func, line);
1287 gstring_rebuffer(g);
1288 dest_tainted = TRUE;
1290 #endif /*!COMPILE_UTILITY*/
1292 lim = g->size - 1; /* leave one for a nul */
1293 off = g->ptr; /* remember initial offset in gstring */
1295 /* Scan the format and handle the insertions */
1299 int length = L_NORMAL;
1302 const char *null = "NULL"; /* ) These variables */
1303 const char *item_start, *s; /* ) are deliberately */
1304 char newformat[16]; /* ) not unsigned */
1305 char * gp = CS g->s + g->ptr; /* ) */
1307 /* Non-% characters just get copied verbatim */
1311 /* Avoid string_copyn() due to COMPILE_UTILITY */
1312 if ((need = g->ptr + 1) > lim)
1314 if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
1318 g->s[g->ptr++] = (uschar) *fp++;
1322 /* Deal with % characters. Pick off the width and precision, for checking
1323 strings, skipping over the flag and modifier characters. */
1326 width = precision = -1;
1328 if (strchr("-+ #0", *(++fp)) != NULL)
1330 if (*fp == '#') null = "";
1334 if (isdigit((uschar)*fp))
1336 width = *fp++ - '0';
1337 while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
1339 else if (*fp == '*')
1341 width = va_arg(ap, int);
1348 precision = va_arg(ap, int);
1352 for (precision = 0; isdigit((uschar)*fp); fp++)
1353 precision = precision*10 + *fp - '0';
1355 /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
1358 { fp++; length = L_SHORT; }
1359 else if (*fp == 'L')
1360 { fp++; length = L_LONGDOUBLE; }
1361 else if (*fp == 'l')
1363 { fp += 2; length = L_LONGLONG; }
1365 { fp++; length = L_LONG; }
1366 else if (*fp == 'z')
1367 { fp++; length = L_SIZE; }
1369 /* Handle each specific format type. */
1374 nptr = va_arg(ap, int *);
1375 *nptr = g->ptr - off;
1383 width = length > L_LONG ? 24 : 12;
1384 if ((need = g->ptr + width) > lim)
1386 if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
1387 gstring_grow(g, width);
1389 gp = CS g->s + g->ptr;
1391 strncpy(newformat, item_start, fp - item_start);
1392 newformat[fp - item_start] = 0;
1394 /* Short int is promoted to int when passing through ..., so we must use
1395 int for va_arg(). */
1401 g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
1403 g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
1405 g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
1407 g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
1414 if ((need = g->ptr + 24) > lim)
1416 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1417 gstring_grow(g, 24);
1419 gp = CS g->s + g->ptr;
1421 /* sprintf() saying "(nil)" for a null pointer seems unreliable.
1422 Handle it explicitly. */
1423 if ((ptr = va_arg(ap, void *)))
1425 strncpy(newformat, item_start, fp - item_start);
1426 newformat[fp - item_start] = 0;
1427 g->ptr += sprintf(gp, newformat, ptr);
1430 g->ptr += sprintf(gp, "(nil)");
1434 /* %f format is inherently insecure if the numbers that it may be
1435 handed are unknown (e.g. 1e300). However, in Exim, %f is used for
1436 printing load averages, and these are actually stored as integers
1437 (load average * 1000) so the size of the numbers is constrained.
1438 It is also used for formatting sending rates, where the simplicity
1439 of the format prevents overflow. */
1446 if (precision < 0) precision = 6;
1447 if ((need = g->ptr + precision + 8) > lim)
1449 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1450 gstring_grow(g, precision+8);
1452 gp = CS g->s + g->ptr;
1454 strncpy(newformat, item_start, fp - item_start);
1455 newformat[fp-item_start] = 0;
1456 if (length == L_LONGDOUBLE)
1457 g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
1459 g->ptr += sprintf(gp, newformat, va_arg(ap, double));
1465 if ((need = g->ptr + 1) > lim)
1467 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1471 g->s[g->ptr++] = (uschar) '%';
1475 if ((need = g->ptr + 1) > lim)
1477 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1481 g->s[g->ptr++] = (uschar) va_arg(ap, int);
1484 case 'D': /* Insert daily datestamp for log file names */
1485 s = CS tod_stamp(tod_log_datestamp_daily);
1486 string_datestamp_offset = g->ptr; /* Passed back via global */
1487 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1488 string_datestamp_type = tod_log_datestamp_daily;
1489 slen = string_datestamp_length;
1492 case 'M': /* Insert monthly datestamp for log file names */
1493 s = CS tod_stamp(tod_log_datestamp_monthly);
1494 string_datestamp_offset = g->ptr; /* Passed back via global */
1495 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1496 string_datestamp_type = tod_log_datestamp_monthly;
1497 slen = string_datestamp_length;
1501 case 'S': /* Forces *lower* case */
1502 case 'T': /* Forces *upper* case */
1503 s = va_arg(ap, char *);
1508 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(s))
1509 if (flags & SVFMT_REBUFFER)
1511 gstring_rebuffer(g);
1512 gp = CS g->s + g->ptr;
1513 dest_tainted = TRUE;
1515 #ifndef MACRO_PREDEF
1517 die_tainted(US"string_vformat", func, line);
1520 INSERT_STRING: /* Come to from %D or %M above */
1523 BOOL truncated = FALSE;
1525 /* If the width is specified, check that there is a precision
1526 set; if not, set it to the width to prevent overruns of long
1531 if (precision < 0) precision = width;
1534 /* If a width is not specified and the precision is specified, set
1535 the width to the precision, or the string length if shorted. */
1537 else if (precision >= 0)
1538 width = precision < slen ? precision : slen;
1540 /* If neither are specified, set them both to the string length. */
1543 width = precision = slen;
1545 if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
1547 if (g->ptr == lim) return NULL;
1551 width = precision = lim - g->ptr - 1;
1552 if (width < 0) width = 0;
1553 if (precision < 0) precision = 0;
1556 else if (need > lim)
1558 gstring_grow(g, width);
1560 gp = CS g->s + g->ptr;
1563 g->ptr += sprintf(gp, "%*.*s", width, precision, s);
1565 while (*gp) { *gp = tolower(*gp); gp++; }
1566 else if (fp[-1] == 'T')
1567 while (*gp) { *gp = toupper(*gp); gp++; }
1569 if (truncated) return NULL;
1573 /* Some things are never used in Exim; also catches junk. */
1576 strncpy(newformat, item_start, fp - item_start);
1577 newformat[fp-item_start] = 0;
1578 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
1579 "in \"%s\" in \"%s\"", newformat, format);
1584 if (g->ptr > g->size)
1585 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1586 "string_format internal error: caller %s %d", func, line);
1592 #ifndef COMPILE_UTILITY
1593 /*************************************************
1594 * Generate an "open failed" message *
1595 *************************************************/
1597 /* This function creates a message after failure to open a file. It includes a
1598 string supplied as data, adds the strerror() text, and if the failure was
1599 "Permission denied", reads and includes the euid and egid.
1602 eno the value of errno after the failure
1603 format a text format string - deliberately not uschar *
1604 ... arguments for the format string
1606 Returns: a message, in dynamic store
1610 string_open_failed_trc(int eno, const uschar * func, unsigned line,
1611 const char *format, ...)
1614 gstring * g = string_get(1024);
1616 g = string_catn(g, US"failed to open ", 15);
1618 /* Use the checked formatting routine to ensure that the buffer
1619 does not overflow. It should not, since this is called only for internally
1620 specified messages. If it does, the message just gets truncated, and there
1621 doesn't seem much we can do about that. */
1623 va_start(ap, format);
1624 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1626 string_from_gstring(g);
1627 gstring_release_unused(g);
1630 return eno == EACCES
1631 ? string_sprintf("%s: %s (euid=%ld egid=%ld)", g->s, strerror(eno),
1632 (long int)geteuid(), (long int)getegid())
1633 : string_sprintf("%s: %s", g->s, strerror(eno));
1635 #endif /* COMPILE_UTILITY */
1641 #ifndef COMPILE_UTILITY
1642 /* qsort(3), currently used to sort the environment variables
1643 for -bP environment output, needs a function to compare two pointers to string
1644 pointers. Here it is. */
1647 string_compare_by_pointer(const void *a, const void *b)
1649 return Ustrcmp(* CUSS a, * CUSS b);
1651 #endif /* COMPILE_UTILITY */
1656 /*************************************************
1657 **************************************************
1658 * Stand-alone test program *
1659 **************************************************
1660 *************************************************/
1667 printf("Testing is_ip_address\n");
1669 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1672 buffer[Ustrlen(buffer) - 1] = 0;
1673 printf("%d\n", string_is_ip_address(buffer, NULL));
1674 printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
1677 printf("Testing string_nextinlist\n");
1679 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1681 uschar *list = buffer;
1689 sep1 = sep2 = list[1];
1696 uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
1697 uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
1699 if (item1 == NULL && item2 == NULL) break;
1700 if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
1702 printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
1703 (item1 == NULL)? "NULL" : CS item1,
1704 (item2 == NULL)? "NULL" : CS item2);
1707 else printf(" \"%s\"\n", CS item1);
1711 /* This is a horrible lash-up, but it serves its purpose. */
1713 printf("Testing string_format\n");
1715 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1718 long long llargs[3];
1728 buffer[Ustrlen(buffer) - 1] = 0;
1730 s = Ustrchr(buffer, ',');
1731 if (s == NULL) s = buffer + Ustrlen(buffer);
1733 Ustrncpy(format, buffer, s - buffer);
1734 format[s-buffer] = 0;
1741 s = Ustrchr(ss, ',');
1742 if (s == NULL) s = ss + Ustrlen(ss);
1746 Ustrncpy(outbuf, ss, s-ss);
1747 if (Ustrchr(outbuf, '.') != NULL)
1750 dargs[n++] = Ustrtod(outbuf, NULL);
1752 else if (Ustrstr(outbuf, "ll") != NULL)
1755 llargs[n++] = strtoull(CS outbuf, NULL, 10);
1759 args[n++] = (void *)Uatoi(outbuf);
1763 else if (Ustrcmp(ss, "*") == 0)
1765 args[n++] = (void *)(&count);
1771 uschar *sss = malloc(s - ss + 1);
1772 Ustrncpy(sss, ss, s-ss);
1779 if (!dflag && !llflag)
1780 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1781 args[0], args[1], args[2])? "True" : "False");
1784 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1785 dargs[0], dargs[1], dargs[2])? "True" : "False");
1787 else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1788 llargs[0], llargs[1], llargs[2])? "True" : "False");
1790 printf("%s\n", CS outbuf);
1791 if (countset) printf("count=%d\n", count);
1798 /* End of string.c */