]> git.saurik.com Git - apple/libc.git/blob - gen/wordexp.c
projects / apple / libc.git / blob
? search:


4c4baa788055b6ad9af75f5d45ff49d83a28313c
[apple/libc.git] / gen / wordexp.c
1 /*
2 * Copyright (c) 2005, 2008 Apple Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <stdlib.h>
25 #include <string.h>
26 #include <stdio.h>
27 #include <wordexp.h>
28 #include <pthread.h>
29 #include <regex.h>
30 #include <assert.h>
31 #include <unistd.h>
32 #include <paths.h>
33 #include <strings.h>
34 #include <spawn.h>
35 #include <sys/errno.h>
36
37 // For _NSGetEnviron() -- which gives us a pointer to environ
38 #include <crt_externs.h>
39
40 extern size_t malloc_good_size(size_t size);
41 extern int errno;
42
43 pthread_once_t re_init_c = PTHREAD_ONCE_INIT;
44 static regex_t re_cmd, re_goodchars, re_subcmd_syntax_err_kludge, re_quoted_string;
45
46 /* Similar to popen, but captures stderr for you. Doesn't interoperate
47 with pclose. Call wait4 on your own */
48 pid_t popen_oe(char *cmd, FILE **out, FILE **err) {
49 int out_pipe[2], err_pipe[2];
50 char *argv[4];
51 pid_t pid;
52 posix_spawn_file_actions_t file_actions;
53 int errrtn;
54
55 if ((errrtn = posix_spawn_file_actions_init(&file_actions)) != 0) {
56 errno = errrtn;
57 return 0;
58 }
59 if (pipe(out_pipe) < 0) {
60 posix_spawn_file_actions_destroy(&file_actions);
61 return 0;
62 }
63 if (pipe(err_pipe) < 0) {
64 posix_spawn_file_actions_destroy(&file_actions);
65 close(out_pipe[0]);
66 close(out_pipe[1]);
67 return 0;
68 }
69
70 if (out_pipe[1] != STDOUT_FILENO) {
71 posix_spawn_file_actions_adddup2(&file_actions, out_pipe[1], STDOUT_FILENO);
72 posix_spawn_file_actions_addclose(&file_actions, out_pipe[1]);
73 }
74 posix_spawn_file_actions_addclose(&file_actions, out_pipe[0]);
75 if (err_pipe[1] != STDERR_FILENO) {
76 posix_spawn_file_actions_adddup2(&file_actions, err_pipe[1], STDERR_FILENO);
77 posix_spawn_file_actions_addclose(&file_actions, err_pipe[1]);
78 }
79 posix_spawn_file_actions_addclose(&file_actions, err_pipe[0]);
80
81 argv[0] = "sh";
82 argv[1] = "-c";
83 argv[2] = cmd;
84 argv[3] = NULL;
85
86 errrtn = posix_spawn(&pid, _PATH_BSHELL, &file_actions, NULL, argv, *_NSGetEnviron());
87 posix_spawn_file_actions_destroy(&file_actions);
88
89 if (errrtn != 0) {
90 close(out_pipe[0]);
91 close(out_pipe[1]);
92 close(err_pipe[0]);
93 close(err_pipe[1]);
94 errno = errrtn;
95 return 0;
96 }
97
98 *out = fdopen(out_pipe[0], "r");
99 assert(*out);
100 close(out_pipe[1]);
101 *err = fdopen(err_pipe[0], "r");
102 assert(*err);
103 close(err_pipe[1]);
104
105 return pid;
106 }
107
108 void re_init(void) {
109 int rc = regcomp(&re_cmd, "(^|[^\\])(`|\\$\\([^(])", REG_EXTENDED|REG_NOSUB);
110 /* XXX I'm not sure the { } stuff is correct,
111 it may be overly restrictave */
112 char *rx = "^([^\\\"'|&;<>(){}\n]"
113 "|\\\\."
114 "|'(\\\\\\\\|\\\\'|[^'])*'"
115 "|\"(\\\\\\\\|\\\\\"|[^\"])*\""
116 "|`(\\\\\\\\|\\\\`|[^`])*`"
117 "|\\$\\(\\(([^)]|\\\\)*\\)\\)" /* can't do nesting in a regex */
118 "|\\$\\(([^)]|\\\\)*\\)" /* can't do nesting in a regex */
119 "|\\$\\{[^}]*\\}"
120 /* XXX: { } ? */
121 ")*$";
122 rc = regcomp(&re_goodchars, rx,
123 REG_EXTENDED|REG_NOSUB);
124
125 rc = regcomp(&re_subcmd_syntax_err_kludge,
126 "command substitution.*syntax error", REG_EXTENDED|REG_NOSUB);
127
128 rc = regcomp(&re_quoted_string,
129 "(^|[^\\])'(\\\\\\\\|\\\\'|[^'])*'", REG_EXTENDED|REG_NOSUB);
130 }
131
132 /* Returns zero if it can't realloc */
133 static int word_alloc(size_t want, wordexp_t *__restrict__ pwe, size_t *have) {
134 if (want < *have) {
135 return 1;
136 }
137 size_t bytes = malloc_good_size(sizeof(char *) * want * 2);
138 pwe->we_wordv = reallocf(pwe->we_wordv, bytes);
139 if (pwe->we_wordv) {
140 *have = bytes / sizeof(char *);
141 return 1;
142 }
143 return 0;
144 }
145
146 static int
147 cmd_search(const char *str) {
148 regoff_t first = 0;
149 regoff_t last = strlen(str);
150 regmatch_t m = {first, last};
151 int flags;
152
153 if (last == 0) return REG_NOMATCH; /* empty string */
154
155 flags = REG_STARTEND;
156 while(regexec(&re_quoted_string, str, 1, &m, flags) == 0) {
157 /*
158 * We have matched a single quoted string, from m.rm_so to m.rm_eo.
159 * So the (non-quote string) from first to m.rm_so needs to be
160 * checked for command substitution. Then we use REG_STARTEND to
161 * look for any other single quote strings after this one.
162 */
163 regmatch_t head = {first, m.rm_so};
164 if (regexec(&re_cmd, str, 1, &head, flags) == 0) {
165 return 0; /* found a command substitution */
166 }
167 flags = REG_NOTBOL | REG_STARTEND;
168 m.rm_so = first = m.rm_eo;
169 m.rm_eo = last;
170 }
171 /* Check the remaining string */
172 flags = REG_STARTEND;
173 if (m.rm_so > 0) flags |= REG_NOTBOL;
174 return regexec(&re_cmd, str, 1, &m, flags);
175 }
176
177 /* XXX this is _not_ designed to be fast */
178 /* wordexp is also rife with security "challenges", unless you pass it
179 WRDE_NOCMD it *must* support subshell expansion, and even if you
180 don't beause it has to support so much of the standard shell (all
181 the odd little variable expansion options for example) it is hard
182 to do without a subshell). It is probbably just plan a Bad Idea
183 to call in anything setuid, or executing remotely. */
184
185 int wordexp(const char *__restrict__ words,
186 wordexp_t *__restrict__ pwe, int flags) {
187 /* cbuf_l's inital value needs to be big enough for 'cmd' plus
188 about 20 chars */
189 size_t cbuf_l = 1024;
190 char *cbuf = NULL;
191 /* Put a NUL byte between each word, and at the end */
192 char *cmd = "/usr/bin/perl -e 'print join(chr(0), @ARGV), chr(0)' -- ";
193 size_t wordv_l = 0, wordv_i = 0;
194 int rc;
195 wordexp_t save;
196
197 /* Some errors require us to leave pwe unchanged, so we save it here */
198 save = *pwe;
199 pthread_once(&re_init_c, re_init);
200
201 if (flags & WRDE_NOCMD) {
202 /* This attempts to match any backticks or $(...)'s, but there may be
203 other ways to do subshell expansion that the standard doesn't
204 cover, but I don't know of any -- failures here are a potential
205 security risk */
206 rc = cmd_search(words);
207 if (rc != REG_NOMATCH) {
208 /* Technically ==0 is WRDE_CMDSUB, and != REG_NOMATCH is
209 "some internal error", but failing to catch those here
210 could allow a subshell */
211 return WRDE_CMDSUB;
212 }
213 }
214 rc = regexec(&re_goodchars, words, 0, NULL, 0);
215 if (rc != 0) {
216 /* Technically ==REG_NOMATCH is WRDE_BADCHAR, and != is
217 some internal error", but again failure to notice the
218 internal error could allow unexpected shell commands
219 (allowing an unexcaped ;), or file clobbering (unescaped
220 >) */
221 return WRDE_BADCHAR;
222 }
223
224 if (flags & WRDE_APPEND) {
225 wordv_i = wordv_l = pwe->we_wordc;
226 if (flags & WRDE_DOOFFS) {
227 wordv_l = wordv_i += pwe->we_offs;
228 }
229 } else {
230 if (flags & WRDE_REUSE) {
231 wordfree(pwe);
232 }
233 pwe->we_wordc = 0;
234 pwe->we_wordv = NULL;
235
236 if (flags & WRDE_DOOFFS) {
237 size_t wend = wordv_i + pwe->we_offs;
238 word_alloc(wend, pwe, &wordv_l);
239 if (!pwe->we_wordv) {
240 return WRDE_NOSPACE;
241 }
242 bzero(pwe->we_wordv + wordv_i, pwe->we_offs * sizeof(char *));
243 wordv_i = wend;
244 } else {
245 pwe->we_offs = 0;
246 }
247 }
248
249 size_t need = 0;
250 while(!cbuf || need > cbuf_l) {
251 if (need > cbuf_l) {
252 cbuf_l = malloc_good_size(need +1);
253 }
254 cbuf = reallocf(cbuf, cbuf_l);
255 if (cbuf == NULL) {
256 wordfree(pwe);
257 return WRDE_NOSPACE;
258 }
259 cbuf[0] = '\0';
260 if (flags & WRDE_UNDEF) {
261 strlcat(cbuf, "set -u; ", cbuf_l);
262 }
263 /* This kludge is needed because /bin/sh seems to set IFS to the
264 defualt even if you have set it; We also can't just ignore it
265 because it is hard/unplesent to code around or even a potential
266 security problem because the test suiete explicitly checks
267 to make sure setting IFS "works" */
268 if (getenv("IFS")) {
269 setenv("_IFS", getenv("IFS"), 1);
270 strlcat(cbuf, "export IFS=${_IFS}; ", cbuf_l);
271 }
272 strlcat(cbuf, cmd, cbuf_l);
273 need = strlcat(cbuf, words, cbuf_l);
274 }
275
276 FILE *out, *err;
277 pid_t pid = popen_oe(cbuf, &out, &err);
278 if (pid == 0) {
279 wordfree(pwe);
280 return WRDE_NOSPACE;
281 }
282
283 char *word = NULL;
284 int word_l = 0;
285 int word_i = 0;
286 int ch;
287
288 while(EOF != (ch = fgetc(out))) {
289 if (word_l <= word_i) {
290 word_l = malloc_good_size(word_l * 2 + 1);
291 word = reallocf(word, word_l);
292 if (!word) {
293 fclose(err);
294 fclose(out);
295 wordfree(pwe);
296 return WRDE_NOSPACE;
297 }
298 }
299 word[word_i++] = ch;
300
301 if (ch == '\0') {
302 word_alloc(wordv_i + 1, pwe, &wordv_l);
303 char *tmp = strdup(word);
304 if (pwe->we_wordv == NULL || tmp == NULL) {
305 fclose(err);
306 fclose(out);
307 wordfree(pwe);
308 free(word);
309 free(tmp);
310 int status;
311 wait4(pid, &status, 0, NULL);
312 return WRDE_NOSPACE;
313 }
314 pwe->we_wordv[wordv_i++] = tmp;
315 pwe->we_wordc++;
316 word_i = 0;
317 }
318 }
319
320 assert(word_i == 0);
321 free(word);
322
323 char err_buf[1024];
324 size_t err_sz = fread(err_buf, 1, sizeof(err_buf) -1, err);
325 err_buf[(err_sz >= 0) ? err_sz : 0] = '\0';
326 if (flags & WRDE_SHOWERR) {
327 fputs(err_buf, stderr);
328 }
329
330 pid_t got_pid = 0;
331 int status;
332 do {
333 pid = wait4(pid, &status, 0, NULL);
334 } while(got_pid == -1 && errno == EINTR);
335
336 fclose(out);
337 fclose(err);
338
339 /* the exit status isn't set for some command syntax errors */
340 if (regexec(&re_subcmd_syntax_err_kludge, err_buf, 0, NULL, 0) == 0
341 || got_pid == -1 || (WIFEXITED(status) && WEXITSTATUS(status))) {
342 if (!(flags & (WRDE_APPEND|WRDE_REUSE))) {
343 /* Restore pwe if possiable, can't really do it in the append
344 case, and isn't easy in the reuse case */
345 *pwe = save;
346 }
347 if (strstr(err_buf, " unbound variable")) {
348 return WRDE_BADVAL;
349 }
350 return WRDE_SYNTAX;
351 }
352
353 if (!word_alloc(wordv_i + 1, pwe, &wordv_l)) {
354 return WRDE_NOSPACE;
355 }
356 pwe->we_wordv[wordv_i] = NULL;
357
358 return 0;
359 }
360
361 void wordfree(wordexp_t *pwe) {
362 if (pwe == NULL || pwe->we_wordv == NULL) {
363 return;
364 }
365
366 int i = 0, e = pwe->we_wordc + pwe->we_offs;
367 for(i = pwe->we_offs; i < e; i++) {
368 free(pwe->we_wordv[i]);
369 }
370 free(pwe->we_wordv);
371 pwe->we_wordv = NULL;
372 }
mirror of libc