490 lines
15 KiB
C
490 lines
15 KiB
C
/* Return the canonical absolute name of a given file.
|
|
Copyright (C) 1996-2022 Free Software Foundation, Inc.
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <https://www.gnu.org/licenses/>. */
|
|
|
|
#include <config.h>
|
|
|
|
#include "canonicalize.h"
|
|
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stdbool.h>
|
|
#include <string.h>
|
|
#include <sys/stat.h>
|
|
#include <unistd.h>
|
|
|
|
#include <filename.h>
|
|
#include <idx.h>
|
|
#include <intprops.h>
|
|
#include <scratch_buffer.h>
|
|
|
|
#include "attribute.h"
|
|
#include "file-set.h"
|
|
#include "hash-triple.h"
|
|
#include "xalloc.h"
|
|
|
|
/* Suppress bogus GCC -Wmaybe-uninitialized warnings. */
|
|
#if defined GCC_LINT || defined lint
|
|
# define IF_LINT(Code) Code
|
|
#else
|
|
# define IF_LINT(Code) /* empty */
|
|
#endif
|
|
|
|
#ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT
|
|
# define DOUBLE_SLASH_IS_DISTINCT_ROOT false
|
|
#endif
|
|
|
|
#if ISSLASH ('\\')
|
|
# define SLASHES "/\\"
|
|
#else
|
|
# define SLASHES "/"
|
|
#endif
|
|
|
|
/* Return true if FILE's existence can be shown, false (setting errno)
|
|
otherwise. Follow symbolic links. */
|
|
static bool
|
|
file_accessible (char const *file)
|
|
{
|
|
# if HAVE_FACCESSAT
|
|
return faccessat (AT_FDCWD, file, F_OK, AT_EACCESS) == 0;
|
|
# else
|
|
struct stat st;
|
|
return stat (file, &st) == 0 || errno == EOVERFLOW;
|
|
# endif
|
|
}
|
|
|
|
/* True if concatenating END as a suffix to a file name means that the
|
|
code needs to check that the file name is that of a searchable
|
|
directory, since the canonicalize_filename_mode_stk code won't
|
|
check this later anyway when it checks an ordinary file name
|
|
component within END. END must either be empty, or start with a
|
|
slash. */
|
|
|
|
static bool _GL_ATTRIBUTE_PURE
|
|
suffix_requires_dir_check (char const *end)
|
|
{
|
|
/* If END does not start with a slash, the suffix is OK. */
|
|
while (ISSLASH (*end))
|
|
{
|
|
/* Two or more slashes act like a single slash. */
|
|
do
|
|
end++;
|
|
while (ISSLASH (*end));
|
|
|
|
switch (*end++)
|
|
{
|
|
default: return false; /* An ordinary file name component is OK. */
|
|
case '\0': return true; /* Trailing "/" is trouble. */
|
|
case '.': break; /* Possibly "." or "..". */
|
|
}
|
|
/* Trailing "/.", or "/.." even if not trailing, is trouble. */
|
|
if (!*end || (*end == '.' && (!end[1] || ISSLASH (end[1]))))
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/* Append this to a file name to test whether it is a searchable directory.
|
|
On POSIX platforms "/" suffices, but "/./" is sometimes needed on
|
|
macOS 10.13 <https://bugs.gnu.org/30350>, and should also work on
|
|
platforms like AIX 7.2 that need at least "/.". */
|
|
|
|
#ifdef LSTAT_FOLLOWS_SLASHED_SYMLINK
|
|
static char const dir_suffix[] = "/";
|
|
#else
|
|
static char const dir_suffix[] = "/./";
|
|
#endif
|
|
|
|
/* Return true if DIR is a searchable dir, false (setting errno) otherwise.
|
|
DIREND points to the NUL byte at the end of the DIR string.
|
|
Store garbage into DIREND[0 .. strlen (dir_suffix)]. */
|
|
|
|
static bool
|
|
dir_check (char *dir, char *dirend)
|
|
{
|
|
strcpy (dirend, dir_suffix);
|
|
return file_accessible (dir);
|
|
}
|
|
|
|
#if !((HAVE_CANONICALIZE_FILE_NAME && FUNC_REALPATH_WORKS) \
|
|
|| GNULIB_CANONICALIZE_LGPL)
|
|
/* Return the canonical absolute name of file NAME. A canonical name
|
|
does not contain any ".", ".." components nor any repeated file name
|
|
separators ('/') or symlinks. All components must exist.
|
|
The result is malloc'd. */
|
|
|
|
char *
|
|
canonicalize_file_name (const char *name)
|
|
{
|
|
return canonicalize_filename_mode (name, CAN_EXISTING);
|
|
}
|
|
#endif /* !HAVE_CANONICALIZE_FILE_NAME */
|
|
|
|
static bool
|
|
multiple_bits_set (canonicalize_mode_t i)
|
|
{
|
|
return (i & (i - 1)) != 0;
|
|
}
|
|
|
|
/* Return true if we've already seen the triple, <FILENAME, dev, ino>.
|
|
If *HT is not initialized, initialize it. */
|
|
static bool
|
|
seen_triple (Hash_table **ht, char const *filename, struct stat const *st)
|
|
{
|
|
if (*ht == NULL)
|
|
{
|
|
idx_t initial_capacity = 7;
|
|
*ht = hash_initialize (initial_capacity,
|
|
NULL,
|
|
triple_hash,
|
|
triple_compare_ino_str,
|
|
triple_free);
|
|
if (*ht == NULL)
|
|
xalloc_die ();
|
|
}
|
|
|
|
if (seen_file (*ht, filename, st))
|
|
return true;
|
|
|
|
record_file (*ht, filename, st);
|
|
return false;
|
|
}
|
|
|
|
|
|
/* Act like canonicalize_filename_mode (see below), with an additional argument
|
|
rname_buf that can be used as temporary storage.
|
|
|
|
If GCC_LINT is defined, do not inline this function with GCC 10.1
|
|
and later, to avoid creating a pointer to the stack that GCC
|
|
-Wreturn-local-addr incorrectly complains about. See:
|
|
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93644
|
|
Although the noinline attribute can hurt performance a bit, no better way
|
|
to pacify GCC is known; even an explicit #pragma does not pacify GCC.
|
|
When the GCC bug is fixed this workaround should be limited to the
|
|
broken GCC versions. */
|
|
#if _GL_GNUC_PREREQ (10, 1)
|
|
# if defined GCC_LINT || defined lint
|
|
__attribute__ ((__noinline__))
|
|
# elif __OPTIMIZE__ && !__NO_INLINE__
|
|
# define GCC_BOGUS_WRETURN_LOCAL_ADDR
|
|
# endif
|
|
#endif
|
|
static char *
|
|
canonicalize_filename_mode_stk (const char *name, canonicalize_mode_t can_mode,
|
|
struct scratch_buffer *rname_buf)
|
|
{
|
|
char *dest;
|
|
char const *start;
|
|
char const *end;
|
|
Hash_table *ht = NULL;
|
|
bool logical = (can_mode & CAN_NOLINKS) != 0;
|
|
int num_links = 0;
|
|
|
|
canonicalize_mode_t can_exist = can_mode & CAN_MODE_MASK;
|
|
if (multiple_bits_set (can_exist))
|
|
{
|
|
errno = EINVAL;
|
|
return NULL;
|
|
}
|
|
|
|
if (name == NULL)
|
|
{
|
|
errno = EINVAL;
|
|
return NULL;
|
|
}
|
|
|
|
if (name[0] == '\0')
|
|
{
|
|
errno = ENOENT;
|
|
return NULL;
|
|
}
|
|
|
|
struct scratch_buffer extra_buffer, link_buffer;
|
|
scratch_buffer_init (&extra_buffer);
|
|
scratch_buffer_init (&link_buffer);
|
|
scratch_buffer_init (rname_buf);
|
|
char *rname_on_stack = rname_buf->data;
|
|
char *rname = rname_on_stack;
|
|
bool end_in_extra_buffer = false;
|
|
bool failed = true;
|
|
|
|
/* This is always zero for Posix hosts, but can be 2 for MS-Windows
|
|
and MS-DOS X:/foo/bar file names. */
|
|
idx_t prefix_len = FILE_SYSTEM_PREFIX_LEN (name);
|
|
|
|
if (!IS_ABSOLUTE_FILE_NAME (name))
|
|
{
|
|
while (!getcwd (rname, rname_buf->length))
|
|
{
|
|
switch (errno)
|
|
{
|
|
case ERANGE:
|
|
if (scratch_buffer_grow (rname_buf))
|
|
break;
|
|
FALLTHROUGH;
|
|
case ENOMEM:
|
|
xalloc_die ();
|
|
|
|
default:
|
|
dest = rname;
|
|
goto error;
|
|
}
|
|
rname = rname_buf->data;
|
|
}
|
|
dest = rawmemchr (rname, '\0');
|
|
start = name;
|
|
prefix_len = FILE_SYSTEM_PREFIX_LEN (rname);
|
|
}
|
|
else
|
|
{
|
|
dest = mempcpy (rname, name, prefix_len);
|
|
*dest++ = '/';
|
|
if (DOUBLE_SLASH_IS_DISTINCT_ROOT)
|
|
{
|
|
if (prefix_len == 0 /* implies ISSLASH (name[0]) */
|
|
&& ISSLASH (name[1]) && !ISSLASH (name[2]))
|
|
{
|
|
*dest++ = '/';
|
|
#if defined _WIN32 && !defined __CYGWIN__
|
|
/* For UNC file names '\\server\path\to\file', extend the prefix
|
|
to include the server: '\\server\'. */
|
|
{
|
|
idx_t i;
|
|
for (i = 2; name[i] != '\0' && !ISSLASH (name[i]); )
|
|
i++;
|
|
if (name[i] != '\0' /* implies ISSLASH (name[i]) */
|
|
&& i + 1 < rname_buf->length)
|
|
{
|
|
prefix_len = i;
|
|
memcpy (dest, name + 2, i - 2 + 1);
|
|
dest += i - 2 + 1;
|
|
}
|
|
else
|
|
{
|
|
/* Either name = '\\server'; this is an invalid file name.
|
|
Or name = '\\server\...' and server is more than
|
|
rname_buf->length - 4 bytes long. In either
|
|
case, stop the UNC processing. */
|
|
}
|
|
}
|
|
#endif
|
|
}
|
|
*dest = '\0';
|
|
}
|
|
start = name + prefix_len;
|
|
}
|
|
|
|
for ( ; *start; start = end)
|
|
{
|
|
/* Skip sequence of multiple file name separators. */
|
|
while (ISSLASH (*start))
|
|
++start;
|
|
|
|
/* Find end of component. */
|
|
for (end = start; *end && !ISSLASH (*end); ++end)
|
|
/* Nothing. */;
|
|
|
|
/* Length of this file name component; it can be zero if a file
|
|
name ends in '/'. */
|
|
idx_t startlen = end - start;
|
|
|
|
if (startlen == 0)
|
|
break;
|
|
else if (startlen == 1 && start[0] == '.')
|
|
/* nothing */;
|
|
else if (startlen == 2 && start[0] == '.' && start[1] == '.')
|
|
{
|
|
/* Back up to previous component, ignore if at root already. */
|
|
if (dest > rname + prefix_len + 1)
|
|
for (--dest; dest > rname && !ISSLASH (dest[-1]); --dest)
|
|
continue;
|
|
if (DOUBLE_SLASH_IS_DISTINCT_ROOT
|
|
&& dest == rname + 1 && !prefix_len
|
|
&& ISSLASH (*dest) && !ISSLASH (dest[1]))
|
|
dest++;
|
|
}
|
|
else
|
|
{
|
|
if (!ISSLASH (dest[-1]))
|
|
*dest++ = '/';
|
|
|
|
while (rname + rname_buf->length - dest
|
|
< startlen + sizeof dir_suffix)
|
|
{
|
|
idx_t dest_offset = dest - rname;
|
|
if (!scratch_buffer_grow_preserve (rname_buf))
|
|
xalloc_die ();
|
|
rname = rname_buf->data;
|
|
dest = rname + dest_offset;
|
|
}
|
|
|
|
dest = mempcpy (dest, start, startlen);
|
|
*dest = '\0';
|
|
|
|
char *buf;
|
|
ssize_t n = -1;
|
|
if (!logical)
|
|
{
|
|
while (true)
|
|
{
|
|
buf = link_buffer.data;
|
|
idx_t bufsize = link_buffer.length;
|
|
n = readlink (rname, buf, bufsize - 1);
|
|
if (n < bufsize - 1)
|
|
break;
|
|
if (!scratch_buffer_grow (&link_buffer))
|
|
xalloc_die ();
|
|
}
|
|
}
|
|
if (0 <= n)
|
|
{
|
|
/* A physical traversal and RNAME is a symbolic link. */
|
|
|
|
if (num_links < 20)
|
|
num_links++;
|
|
else if (*start)
|
|
{
|
|
/* Enough symlinks have been seen that it is time to
|
|
worry about being in a symlink cycle.
|
|
Get the device and inode of the parent directory, as
|
|
pre-2017 POSIX says this info is not reliable for
|
|
symlinks. */
|
|
struct stat st;
|
|
dest[- startlen] = '\0';
|
|
if (stat (*rname ? rname : ".", &st) != 0)
|
|
goto error;
|
|
dest[- startlen] = *start;
|
|
|
|
/* Detect loops. We cannot use the cycle-check module here,
|
|
since it's possible to encounter the same parent
|
|
directory more than once in a given traversal. However,
|
|
encountering the same (parentdir, START) pair twice does
|
|
indicate a loop. */
|
|
if (seen_triple (&ht, start, &st))
|
|
{
|
|
if (can_exist == CAN_MISSING)
|
|
continue;
|
|
errno = ELOOP;
|
|
goto error;
|
|
}
|
|
}
|
|
|
|
buf[n] = '\0';
|
|
|
|
char *extra_buf = extra_buffer.data;
|
|
idx_t end_idx IF_LINT (= 0);
|
|
if (end_in_extra_buffer)
|
|
end_idx = end - extra_buf;
|
|
size_t len = strlen (end);
|
|
if (INT_ADD_OVERFLOW (len, n))
|
|
xalloc_die ();
|
|
while (extra_buffer.length <= len + n)
|
|
{
|
|
if (!scratch_buffer_grow_preserve (&extra_buffer))
|
|
xalloc_die ();
|
|
extra_buf = extra_buffer.data;
|
|
}
|
|
if (end_in_extra_buffer)
|
|
end = extra_buf + end_idx;
|
|
|
|
/* Careful here, end may be a pointer into extra_buf... */
|
|
memmove (&extra_buf[n], end, len + 1);
|
|
name = end = memcpy (extra_buf, buf, n);
|
|
end_in_extra_buffer = true;
|
|
|
|
if (IS_ABSOLUTE_FILE_NAME (buf))
|
|
{
|
|
idx_t pfxlen = FILE_SYSTEM_PREFIX_LEN (buf);
|
|
|
|
dest = mempcpy (rname, buf, pfxlen);
|
|
*dest++ = '/'; /* It's an absolute symlink */
|
|
if (DOUBLE_SLASH_IS_DISTINCT_ROOT)
|
|
{
|
|
if (ISSLASH (buf[1]) && !ISSLASH (buf[2]) && !pfxlen)
|
|
*dest++ = '/';
|
|
*dest = '\0';
|
|
}
|
|
/* Install the new prefix to be in effect hereafter. */
|
|
prefix_len = pfxlen;
|
|
}
|
|
else
|
|
{
|
|
/* Back up to previous component, ignore if at root
|
|
already: */
|
|
if (dest > rname + prefix_len + 1)
|
|
for (--dest; dest > rname && !ISSLASH (dest[-1]); --dest)
|
|
continue;
|
|
if (DOUBLE_SLASH_IS_DISTINCT_ROOT && dest == rname + 1
|
|
&& ISSLASH (*dest) && !ISSLASH (dest[1]) && !prefix_len)
|
|
dest++;
|
|
}
|
|
}
|
|
else if (! (can_exist == CAN_MISSING
|
|
|| (suffix_requires_dir_check (end)
|
|
? dir_check (rname, dest)
|
|
: !logical
|
|
? errno == EINVAL
|
|
: *end || file_accessible (rname))
|
|
|| (can_exist == CAN_ALL_BUT_LAST
|
|
&& errno == ENOENT
|
|
&& !end[strspn (end, SLASHES)])))
|
|
goto error;
|
|
}
|
|
}
|
|
if (dest > rname + prefix_len + 1 && ISSLASH (dest[-1]))
|
|
--dest;
|
|
if (DOUBLE_SLASH_IS_DISTINCT_ROOT && dest == rname + 1 && !prefix_len
|
|
&& ISSLASH (*dest) && !ISSLASH (dest[1]))
|
|
dest++;
|
|
failed = false;
|
|
|
|
error:
|
|
if (ht)
|
|
hash_free (ht);
|
|
scratch_buffer_free (&extra_buffer);
|
|
scratch_buffer_free (&link_buffer);
|
|
|
|
if (failed)
|
|
{
|
|
scratch_buffer_free (rname_buf);
|
|
return NULL;
|
|
}
|
|
|
|
*dest++ = '\0';
|
|
char *result = scratch_buffer_dupfree (rname_buf, dest - rname);
|
|
if (!result)
|
|
xalloc_die ();
|
|
return result;
|
|
}
|
|
|
|
/* Return the canonical absolute name of file NAME, while treating
|
|
missing elements according to CAN_MODE. A canonical name
|
|
does not contain any ".", ".." components nor any repeated file name
|
|
separators ('/') or, depending on other CAN_MODE flags, symlinks.
|
|
Whether components must exist or not depends on canonicalize mode.
|
|
The result is malloc'd. */
|
|
|
|
char *
|
|
canonicalize_filename_mode (const char *name, canonicalize_mode_t can_mode)
|
|
{
|
|
#ifdef GCC_BOGUS_WRETURN_LOCAL_ADDR
|
|
#warning "GCC might issue a bogus -Wreturn-local-addr warning here."
|
|
#warning "See <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93644>."
|
|
#endif
|
|
struct scratch_buffer rname_buffer;
|
|
return canonicalize_filename_mode_stk (name, can_mode, &rname_buffer);
|
|
}
|