Commit Graph

994 Commits

Author SHA1 Message Date
Jilles Tjoelker
046bfe5240 sh: Avoid copying argv for simple commands.
Add dummy entries before and after so arglist's array is directly usable as
argv.
2015-11-01 22:07:40 +00:00
Bryan Drewery
aa92269e46 Add more SUBDIR_PARALLEL.
MFC after:	3 weeks
Sponsored by:	EMC / Isilon Storage Division
2015-10-15 22:55:08 +00:00
Enji Cooper
b2d48be1bc Refactor the test/ Makefiles after recent changes to bsd.test.mk (r289158) and
netbsd-tests.test.mk (r289151)

- Eliminate explicit OBJTOP/SRCTOP setting
- Convert all ad hoc NetBSD test integration over to netbsd-tests.test.mk
- Remove unnecessary TESTSDIR setting
- Use SRCTOP where possible for clarity

MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Divison
2015-10-12 08:16:03 +00:00
Jilles Tjoelker
8ef0ae8a8f sh: Make struct arglist an array instead of a linked list.
This simplifies the code (e.g. allowing use of qsort(3) instead of a
hand-rolled mergesort) and should have better cache properties.

The waste of unused args arrays after resizes is approximately the same as
the savings from getting rid of the next pointers.

At the same time, remove a piece of global state and move some duplicated
code into a function.
2015-10-11 21:33:00 +00:00
Jilles Tjoelker
d358fa780b wordexp: Rewrite to make WRDE_NOCMD reliable.
Shell syntax is too complicated to detect command substitution and unquoted
operators reliably without implementing much of sh's parser. Therefore, have
sh do this detection.

While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.

The basic concept is:
execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2",
    "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);

The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().

The new we_check() is an optimistic check that all the characters
  <newline> | & ; < > ( ) { }
are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.

Although many implementations of WRDE_NOCMD erroneously allow some command
substitutions (and ours even documented this), there appears to be code that
relies on its security (codesearch.debian.net shows quite a few uses).
Passing untrusted data to wordexp() still exposes a denial of service
possibility and a fairly large attack surface.

Reviewed by:	wblock (man page only)
MFC after:	2 weeks
Relnotes:	yes
Security:	fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
Jilles Tjoelker
92fe71faae sh: Allow empty << EOF markers. 2015-09-02 19:49:55 +00:00
Jilles Tjoelker
f0688a48d2 sh: Fix read with escaped IFS characters at the end.
Characters escaped with a backslash must be treated as if they were not in
IFS. This includes stripping trailing IFS characters.
2015-08-30 17:24:22 +00:00
Jilles Tjoelker
62c3711632 sh: Add set -o nolog.
POSIX requires this to prevent entering function definitions in history but
this implementation does nothing except retain the option's value. In ksh88,
function definitions were usually entered in the history file, even when
they came from ~/.profile and the $ENV file, to allow displaying their
definitions.

This is also the first option that does not have a letter.
2015-08-29 19:41:47 +00:00
Jilles Tjoelker
4a4867d667 sh: Fix out of bounds read when there is no ] after a [:class:].
The initial check for a matching ] was incorrect if a ] may be consumed by a
[:class:]. The subsequent loop assumed that there must be a ].

Remove the initial check and make the loop cope with a missing ].

Found with afl-fuzz.

MFC after:	1 week
2015-08-25 21:55:15 +00:00
Jilles Tjoelker
d0b0ac182d sh: Don't create bad parse result when postponing a bad substitution error.
An invalid substitution like ${var@} does not cause a parse error but is
stored in the intermediate representation, to be written as part of the
error message. If there is a CTL* byte in the stored part, this confuses
some code such as the code to skip an unused alternative such as in
${var-alternative}.

To keep things simple, do not store CTL* bytes.

Found with afl-fuzz.

MFC after:	1 week
2015-08-23 20:44:53 +00:00
Jilles Tjoelker
5e03b81fd4 sh: Avoid negative character values from $'\Uffffffff' etc.
The negative value was not expected and generated the low 8 bits as a byte,
which may be an invalid character encoding.

The final shift in creating the negative value was undefined as well.

Make the temporary variable unsigned to fix this.
2015-08-20 22:05:55 +00:00
Jilles Tjoelker
f84460dded sh: Add test for $'\u' without any digits.
It is likely that $'\uXXXX' and $'\UXXXXXXXX' will allow fewer digits in
future. However, no digits at all should still be disallowed.
2015-08-20 21:31:36 +00:00
Jilles Tjoelker
4b6578dc8c sh: Backslash-newline should not affect field splitting in read builtin.
This was originally broken in r212339 in 2010.
2015-08-16 12:57:17 +00:00
Jilles Tjoelker
58bbcdb183 sh: When setting option via long name, don't go via letter.
Looking up the letter makes no sense and prevents adding options that only
have a long name, no letter.
2015-08-14 21:44:15 +00:00
Jilles Tjoelker
8956c4ec63 sh(1): libedit has supported multibyte encodings for a while. 2015-07-11 13:07:26 +00:00
Jilles Tjoelker
c3c85727d0 sh: Fix some arithmetic undefined behaviour.
Fix shifts of possibly negative numbers found with ubsan and avoid signed
integer overflow when hashing an extremely long command name.

MFC after:	1 week
2015-06-24 20:51:48 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head 2015-05-27 01:19:58 +00:00
Jilles Tjoelker
cad3cc1310 sh: Pass along SIGINT from a child if job control is enabled, even when not
interactive.

I added the interactive check in r208881 to be safe, but in actual use
(scripts in set -m mode) passing along SIGINT seems best.

Discussed with:	bdrewery
2015-04-25 13:34:25 +00:00
Bryan Drewery
a59f817491 sh: Fix the trap builtin to be POSIX-compliant for 'trap exit SIG' and 'trap n n...'.
The parser considered 'trap exit INT' to reset the default for both EXIT and
INT. This beahvior is not POSIX compliant. This was avoided if a value was
specified for 'exit', but then disallows exiting with the signal received. A
possible workaround is using ' exit'.

However POSIX does allow this type of behavior if the parameters are all
integers. Fix the handling for this and clarify its support in the manpage
since it is specifically allowed by POSIX.

Differential Revision:	https://reviews.freebsd.org/D2325
Reviewed by:	jilles
MFC after:	2 weeks
2015-04-18 23:49:57 +00:00
Jilles Tjoelker
739d568935 sh: Add more tests for exotic IFS splitting. 2015-03-31 20:59:37 +00:00
Jilles Tjoelker
58bdb0761c sh: Fix more compiler warnings related to variable declarations. 2015-03-03 21:21:43 +00:00
Jilles Tjoelker
22afca9b67 sh: Fix more compiler warnings. 2015-03-01 22:32:23 +00:00
Jilles Tjoelker
22ea47ec90 sh: Fix compiler warnings related to duplicate or missing declarations. 2015-03-01 21:46:55 +00:00
Nathan Whitehorn
c4b725f42a Fix unitialized variable that broke sh on PowerPC starting with r278826. 2015-02-26 20:59:18 +00:00
Jilles Tjoelker
4445af212c sh: Add details about importing the environment and initializing OPTIND. 2015-02-22 21:32:57 +00:00
Jilles Tjoelker
7034d8df04 sh: Various cleanups to expand.c:
* Remove some gotos.
* Remove unused parameter.
* Remove duplicate code.
2015-02-15 22:38:00 +00:00
Jilles Tjoelker
781bfb5a53 sh: Prefer "" to nullstr where possible. 2015-02-15 21:47:43 +00:00
Jilles Tjoelker
a4652c280b sh: Add stsavestr(), like savestr() but allocates using stalloc(). 2015-02-15 21:41:29 +00:00
Jilles Tjoelker
8c6cc7dad5 sh: Add simple tests for globbing/splitting command substitution. 2015-02-15 19:48:29 +00:00
Jilles Tjoelker
edebe56497 sh: Abort a wait builtin on any trapped signal.
This is required by POSIX.

PR:		197210
Reported by:	ache
MFC after:	2 weeks
2015-01-31 13:53:29 +00:00
Jilles Tjoelker
85052e7b56 sh: Move some code from onint() to onsig(), making onint() noreturn.
As a result, the INTON macro which is used many times generates fewer
bytes of code.
2014-12-21 23:09:59 +00:00
Jilles Tjoelker
f649ab8b15 sh: Remove EXP_REDIR.
EXP_REDIR was supposed to generate pathnames in redirection if exactly one
file matches, as permitted but not required by POSIX in interactive mode. It
is unlikely this will be implemented.

No functional change is intended.

MFC after:	1 week
2014-12-21 22:18:30 +00:00
Jilles Tjoelker
88ef06f3a9 sh: Make sure output suitable as shell input is also printable.
Commands like 'export -p', 'set' and 'trap', and tracing enabled via 'set
-x' generate output suitable as shell input by adding quotes as necessary.

If there are control characters other than newline or invalid UTF-8
sequences, use $'...' and \OOO to display them safely.

The resulting output is not parsable by a strict POSIX.1-2008 shell but sh
from FreeBSD 9.0 and newer and many other shells can parse it.
2014-12-14 16:26:19 +00:00
Jilles Tjoelker
e753a1effb sh: Remove special case for '=' in set -x; always quote it in outqstr().
I plan to make set -x output always printable using $'...'; avoiding quoting
words containing '=' is not worth the extra complexity.
2014-11-30 20:12:47 +00:00
Baptiste Daroussin
12cd1730ee Convert bin/ to LIBADD, reduce overlinking allow to build all components as
static
2014-11-25 11:15:40 +00:00
Jilles Tjoelker
fafeab4393 sh: Prepend "$0: " to error messages if there is no command name. 2014-11-22 23:28:41 +00:00
Jilles Tjoelker
08dc8cf90c sh: Use DQSYNTAX only while expanding, not SQSYNTAX.
Quoting during expansion only cares about CCTL, which is the same for
DQSYNTAX and SQSYNTAX.
2014-11-22 16:03:18 +00:00
Simon J. Gerraty
9268022b74 Merge from head@274682 2014-11-19 01:07:58 +00:00
Jilles Tjoelker
b1f6059232 sh(1): Add/improve information about exit status of commands. 2014-11-14 17:11:28 +00:00
Jilles Tjoelker
945e15624b sh(1): Mention portability issue with shifting zero positional parameters.
Per Austin Group issue #459, shifting zero positional parameters may or may
not be considered an operand error (which causes the shell to exit in most
cases).
2014-11-07 21:30:16 +00:00
Jilles Tjoelker
5dff1efc27 sh: Fix corruption of CTL* bytes in positional parameters in redirection.
EXP_REDIR was not being checked for while expanding positional parameters in
redirection, so CTL* bytes were not being prefixed where they should be.

MFC after:	1 week
2014-10-31 22:28:10 +00:00
Jilles Tjoelker
3fb51b3a43 Treat IFS separators in "$*" as quoted.
This makes a difference if IFS starts with *, ?, [ or a CTL* byte.
2014-10-28 22:14:31 +00:00
Jilles Tjoelker
1bc2fdfabf sh: Make getopts memory-safe if with changing arguments.
POSIX does not permit to continuing a getopts loop with different
arguments. For parsing the positional parameters, we handle this case by
resetting the getopts state when the positional parameters are changed in
any way (and the getopts state is local to a function). However, in the
syntax getopts <optstring> <var> <arg...>, changes could lead to invalid
memory access.

In the syntax getopts <optstring> <var> <arg...>, store a copy of the
arguments and continue to use them until getopts is reset.
2014-10-26 17:50:33 +00:00
Jilles Tjoelker
0b4b9c8158 sh: Allow backslash-newline continuation in more places:
* directly after a $
 * directly after ${
 * between the characters of a multi-character operator token
 * within a parameter name
2014-10-19 11:59:15 +00:00
Jilles Tjoelker
334111e2df sh: Add some tests for backslash-newline continuation. 2014-10-17 21:52:57 +00:00
Jilles Tjoelker
3f9b4e9ab8 sh: Make parseredir() a proper function instead of an emulated nested
function.
2014-10-15 21:26:09 +00:00
Jilles Tjoelker
622fdf3236 sh: Remove more gotos. 2014-10-15 21:20:56 +00:00
Jilles Tjoelker
75e1716807 sh: Fix break/continue/return in multiline eval.
Example:
  eval $'return\necho bad'
2014-10-12 13:12:06 +00:00