]> git.saurik.com Git - apple/libc.git/blob - gen/wordexp.c
projects / apple / libc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Libc-498.1.1.tar.gz
[apple/libc.git] / gen / wordexp.c
1 /*
2 * Copyright (c) 2005 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <stdlib.h>
25 #include <string.h>
26 #include <stdio.h>
27 #include <wordexp.h>
28 #include <pthread.h>
29 #include <regex.h>
30 #include <assert.h>
31 #include <unistd.h>
32 #include <paths.h>
33 #include <strings.h>
34 #include <sys/errno.h>
35
36 // For _NSGetEnviron() -- which gives us a pointer to environ
37 #include <crt_externs.h>
38
39 extern size_t malloc_good_size(size_t size);
40 extern int errno;
41
42 pthread_once_t re_init_c = PTHREAD_ONCE_INIT;
43 static regex_t re_cmd, re_goodchars, re_subcmd_syntax_err_kludge;
44
45 /* Similar to popen, but catures stderr for you. Doesn't interoperate
46 with pclose. Call wait4 on your own */
47 pid_t popen_oe(char *cmd, FILE **out, FILE **err) {
48 int out_pipe[2], err_pipe[2];
49 char *argv[4];
50 pid_t pid;
51
52 if (pipe(out_pipe) < 0) {
53 return 0;
54 }
55 if (pipe(err_pipe) < 0) {
56 close(out_pipe[0]);
57 close(out_pipe[1]);
58 return 0;
59 }
60
61 argv[0] = "sh";
62 argv[1] = "-c";
63 argv[2] = cmd;
64 argv[3] = NULL;
65
66 switch(pid = vfork()) {
67 case -1:
68 close(out_pipe[0]);
69 close(out_pipe[1]);
70 close(err_pipe[0]);
71 close(err_pipe[1]);
72 return 0;
73 case 0:
74 if (out_pipe[1] != STDOUT_FILENO) {
75 dup2(out_pipe[1], STDOUT_FILENO);
76 close(out_pipe[1]);
77 }
78 close(out_pipe[0]);
79 if (err_pipe[1] != STDERR_FILENO) {
80 dup2(err_pipe[1], STDERR_FILENO);
81 close(err_pipe[1]);
82 }
83 close(err_pipe[0]);
84 execve(_PATH_BSHELL, argv, *_NSGetEnviron());
85 _exit(127);
86 default:
87 *out = fdopen(out_pipe[0], "r");
88 assert(*out);
89 close(out_pipe[1]);
90 *err = fdopen(err_pipe[0], "r");
91 assert(*err);
92 close(err_pipe[1]);
93
94 return pid;
95 }
96 }
97
98 void re_init(void) {
99 int rc = regcomp(&re_cmd, "(^|[^\\])(`|\\$\\()", REG_EXTENDED|REG_NOSUB);
100 /* XXX I'm not sure the { } stuff is correct,
101 it may be overly restrictave */
102 char *rx = "^([^\\\"'|&;<>(){}]"
103 "|\\\\."
104 "|'([^']|\\\\')*'"
105 "|\"([^\"]|\\\\\")*\""
106 "|`([^`]|\\\\`)*`"
107 "|\\$(([^)]|\\\\))*\\)" /* can't do nesting in a regex */
108 "|\\$\\{[^}]*\\}"
109 /* XXX: { } ? */
110 ")*$";
111 rc = regcomp(&re_goodchars, rx,
112 REG_EXTENDED|REG_NOSUB);
113
114 rc = regcomp(&re_subcmd_syntax_err_kludge,
115 "command substitution.*syntax error", REG_EXTENDED|REG_NOSUB);
116 }
117
118 /* Returns zero if it can't realloc */
119 static int word_alloc(size_t want, wordexp_t *__restrict__ pwe, size_t *have) {
120 if (want < *have) {
121 return 1;
122 }
123 size_t bytes = malloc_good_size(sizeof(char *) * want * 2);
124 pwe->we_wordv = reallocf(pwe->we_wordv, bytes);
125 if (pwe->we_wordv) {
126 *have = bytes / sizeof(char *);
127 return 1;
128 }
129 return 0;
130 }
131
132 /* XXX this is _not_ designed to be fast */
133 /* wordexp is also rife with security "chalenges", unless you pass it
134 WRDE_NOCMD it *must* support subshell expansion, and even if you
135 don't beause it has to support so much of the standard shell (all
136 the odd little variable expansion options for example) it is hard
137 to do without a subshell). It is probbably just plan a Bad Idea
138 to call in anything setuid, or executing remotely. */
139
140 int wordexp(const char *__restrict__ words,
141 wordexp_t *__restrict__ pwe, int flags) {
142 /* cbuf_l's inital value needs to be big enough for 'cmd' plus
143 about 20 chars */
144 size_t cbuf_l = 1024;
145 char *cbuf = NULL;
146 /* Put a NUL byte between eaach word, and at the end */
147 char *cmd = "/usr/bin/perl -e 'print join(chr(0), @ARGV), chr(0)' -- ";
148 size_t wordv_l = 0, wordv_i = 0;
149 int rc;
150 wordexp_t save;
151
152 /* Some errors require us to leave pwe unchanged, so we save it here */
153 save = *pwe;
154 pthread_once(&re_init_c, re_init);
155
156 if (flags & WRDE_NOCMD) {
157 /* Thi attmpts to match any backticks or $(...)'s, but there may be
158 other ways to do subshell expansion that the standard doesn't
159 cover, but I don't know of any -- failures here aare a potential
160 security risk */
161 rc = regexec(&re_cmd, words, 0, NULL, 0);
162 if (rc != REG_NOMATCH) {
163 /* Technically ==0 is WRDE_CMDSUB, and != REG_NOMATCH is
164 "some internal error", but failing to catch those here
165 could allow a subshell */
166 return WRDE_CMDSUB;
167 }
168 }
169 rc = regexec(&re_goodchars, words, 0, NULL, 0);
170 if (rc != 0) {
171 /* Technically ==REG_NOMATCH is WRDE_BADCHAR, and != is
172 some internal error", but again failure to notice the
173 internal error could allow unexpected shell commands
174 (allowing an unexcaped ;), or file clobbering (unescaped
175 >) */
176 return WRDE_BADCHAR;
177 }
178
179 if (flags & WRDE_APPEND) {
180 wordv_i = wordv_l = pwe->we_wordc;
181 if (flags & WRDE_DOOFFS) {
182 wordv_l = wordv_i += pwe->we_offs;
183 }
184 } else {
185 if (flags & WRDE_REUSE) {
186 wordfree(pwe);
187 }
188 pwe->we_wordc = 0;
189 pwe->we_wordv = NULL;
190
191 if (flags & WRDE_DOOFFS) {
192 size_t wend = wordv_i + pwe->we_offs;
193 word_alloc(wend, pwe, &wordv_l);
194 if (!pwe->we_wordv) {
195 return WRDE_NOSPACE;
196 }
197 bzero(pwe->we_wordv + wordv_i, pwe->we_offs * sizeof(char *));
198 wordv_i = wend;
199 }
200 }
201
202 size_t need = 0;
203 while(!cbuf || need > cbuf_l) {
204 if (need > cbuf_l) {
205 cbuf_l = malloc_good_size(need +1);
206 }
207 cbuf = reallocf(cbuf, cbuf_l);
208 if (cbuf == NULL) {
209 wordfree(pwe);
210 return WRDE_NOSPACE;
211 }
212 cbuf[0] = '\0';
213 if (flags & WRDE_UNDEF) {
214 strlcat(cbuf, "set -u; ", cbuf_l);
215 }
216 /* This kludge is needed because /bin/sh seems to set IFS to the
217 defualt even if you have set it; We also can't just ignore it
218 because it is hard/unplesent to code around or even a potential
219 security problem because the test suiete explicitly checks
220 to make sure setting IFS "works" */
221 if (getenv("IFS")) {
222 setenv("_IFS", getenv("IFS"), 1);
223 strlcat(cbuf, "export IFS=${_IFS}; ", cbuf_l);
224 }
225 strlcat(cbuf, cmd, cbuf_l);
226 need = strlcat(cbuf, words, cbuf_l);
227 }
228
229 FILE *out, *err;
230 pid_t pid = popen_oe(cbuf, &out, &err);
231 if (pid == 0) {
232 wordfree(pwe);
233 return WRDE_NOSPACE;
234 }
235
236 char *word = NULL;
237 int word_l = 0;
238 int word_i = 0;
239 int ch;
240
241 while(EOF != (ch = fgetc(out))) {
242 if (word_l <= word_i) {
243 word_l = malloc_good_size(word_l * 2 + 1);
244 word = reallocf(word, word_l);
245 if (!word) {
246 fclose(err);
247 fclose(out);
248 wordfree(pwe);
249 return WRDE_NOSPACE;
250 }
251 }
252 word[word_i++] = ch;
253
254 if (ch == '\0') {
255 word_alloc(wordv_i + 1, pwe, &wordv_l);
256 char *tmp = strdup(word);
257 if (pwe->we_wordv == NULL || tmp == NULL) {
258 fclose(err);
259 fclose(out);
260 wordfree(pwe);
261 free(word);
262 free(tmp);
263 int status;
264 wait4(pid, &status, 0, NULL);
265 return WRDE_NOSPACE;
266 }
267 pwe->we_wordv[wordv_i++] = tmp;
268 pwe->we_wordc++;
269 word_i = 0;
270 }
271 }
272
273 assert(word_i == 0);
274 free(word);
275
276 char err_buf[1024];
277 size_t err_sz = fread(err_buf, 1, sizeof(err_buf) -1, err);
278 err_buf[(err_sz >= 0) ? err_sz : 0] = '\0';
279 if (flags & WRDE_SHOWERR) {
280 fputs(err_buf, stderr);
281 }
282
283 pid_t got_pid = 0;
284 int status;
285 do {
286 pid = wait4(pid, &status, 0, NULL);
287 } while(got_pid == -1 && errno == EINTR);
288
289 fclose(out);
290 fclose(err);
291
292 /* the exit status isn't set for some command syntax errors */
293 if (regexec(&re_subcmd_syntax_err_kludge, err_buf, 0, NULL, 0) == 0
294 || got_pid == -1 || (WIFEXITED(status) && WEXITSTATUS(status))) {
295 if (!(flags & (WRDE_APPEND|WRDE_REUSE))) {
296 /* Restore pwe if possiable, can't really do it in the append
297 case, and isn't easy in the reuse case */
298 *pwe = save;
299 }
300 if (strstr(err_buf, " unbound variable")) {
301 return WRDE_BADVAL;
302 }
303 return WRDE_SYNTAX;
304 }
305
306 if (!word_alloc(wordv_i + 1, pwe, &wordv_l)) {
307 return WRDE_NOSPACE;
308 }
309 pwe->we_wordv[wordv_i] = NULL;
310
311 return 0;
312 }
313
314 void wordfree(wordexp_t *pwe) {
315 if (pwe == NULL || pwe->we_wordv == NULL) {
316 return;
317 }
318
319 int i = 0, e = pwe->we_wordc + pwe->we_offs;
320 for(i = 0; i < e; i++) {
321 free(pwe->we_wordv[i]);
322 }
323 free(pwe->we_wordv);
324 pwe->we_wordv = NULL;
325 }
mirror of libc