freebsd-skq/bin/sh/expand.c

1540 lines
32 KiB
C
Raw Normal View History

1994-05-26 06:18:55 +00:00
/*-
* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
* Copyright (c) 1997-2005
* Herbert Xu <herbert@gondor.apana.org.au>. All rights reserved.
* Copyright (c) 2010-2015
* Jilles Tjoelker <jilles@stack.nl>. All rights reserved.
1994-05-26 06:18:55 +00:00
*
* This code is derived from software contributed to Berkeley by
* Kenneth Almquist.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef lint
1998-05-18 06:44:24 +00:00
#if 0
static char sccsid[] = "@(#)expand.c 8.5 (Berkeley) 5/15/95";
#endif
1994-05-26 06:18:55 +00:00
#endif /* not lint */
2002-06-30 05:15:05 +00:00
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
1994-05-26 06:18:55 +00:00
#include <sys/types.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wchar.h>
#include <wctype.h>
1994-05-26 06:18:55 +00:00
/*
* Routines to expand arguments to commands. We have to deal with
* backquotes, shell variables, and file metacharacters.
*/
#include "shell.h"
#include "main.h"
#include "nodes.h"
#include "eval.h"
#include "expand.h"
#include "syntax.h"
#include "parser.h"
#include "jobs.h"
#include "options.h"
#include "var.h"
#include "input.h"
#include "output.h"
#include "memalloc.h"
#include "error.h"
#include "mystring.h"
#include "arith.h"
#include "show.h"
#include "builtins.h"
1994-05-26 06:18:55 +00:00
enum wordstate { WORD_IDLE, WORD_WS_DELIMITED, WORD_QUOTEMARK };
1994-05-26 06:18:55 +00:00
struct worddest {
struct arglist *list;
enum wordstate state;
1994-05-26 06:18:55 +00:00
};
static char *expdest; /* output of current string */
static struct nodelist *argbackq; /* list of back quote expressions */
1994-05-26 06:18:55 +00:00
static char *argstr(char *, int, struct worddest *);
static char *exptilde(char *, int);
static char *expari(char *, int, struct worddest *);
static void expbackq(union node *, int, int, struct worddest *);
static void subevalvar_trim(char *, int, int, int);
static int subevalvar_misc(char *, const char *, int, int, int);
static char *evalvar(char *, int, struct worddest *);
2014-03-14 21:45:37 +00:00
static int varisset(const char *, int);
static void strtodest(const char *, int, int, int, struct worddest *);
static void reprocess(int, int, int, int, struct worddest *);
static void varvalue(const char *, int, int, int, struct worddest *);
static void expandmeta(char *, struct arglist *);
static void expmeta(char *, char *, struct arglist *);
static int expsortcmp(const void *, const void *);
static int patmatch(const char *, const char *);
static void cvtnum(int, char *);
static int collate_range_cmp(wchar_t, wchar_t);
void
emptyarglist(struct arglist *list)
{
list->args = list->smallarg;
list->count = 0;
list->capacity = sizeof(list->smallarg) / sizeof(list->smallarg[0]);
}
void
appendarglist(struct arglist *list, char *str)
{
char **newargs;
int newcapacity;
if (list->count >= list->capacity) {
newcapacity = list->capacity * 2;
if (newcapacity < 16)
newcapacity = 16;
if (newcapacity > INT_MAX / (int)sizeof(newargs[0]))
error("Too many entries in arglist");
newargs = stalloc(newcapacity * sizeof(newargs[0]));
memcpy(newargs, list->args, list->count * sizeof(newargs[0]));
list->args = newargs;
list->capacity = newcapacity;
}
list->args[list->count++] = str;
}
static int
collate_range_cmp(wchar_t c1, wchar_t c2)
{
static wchar_t s1[2], s2[2];
s1[0] = c1;
s2[0] = c2;
return (wcscoll(s1, s2));
}
1994-05-26 06:18:55 +00:00
static char *
stputs_quotes(const char *data, const char *syntax, char *p)
{
while (*data) {
CHECKSTRSPACE(2, p);
if (syntax[(int)*data] == CCTL)
USTPUTC(CTLESC, p);
USTPUTC(*data++, p);
}
return (p);
}
#define STPUTS_QUOTES(data, syntax, p) p = stputs_quotes((data), syntax, p)
1994-05-26 06:18:55 +00:00
static char *
nextword(char c, int flag, char *p, struct worddest *dst)
{
int is_ws;
is_ws = c == '\t' || c == '\n' || c == ' ';
if (p != stackblock() || (is_ws ? dst->state == WORD_QUOTEMARK :
dst->state != WORD_WS_DELIMITED) || c == '\0') {
STPUTC('\0', p);
if (flag & EXP_GLOB)
expandmeta(grabstackstr(p), dst->list);
else
appendarglist(dst->list, grabstackstr(p));
dst->state = is_ws ? WORD_WS_DELIMITED : WORD_IDLE;
} else if (!is_ws && dst->state == WORD_WS_DELIMITED)
dst->state = WORD_IDLE;
/* Reserve space while the stack string is empty. */
appendarglist(dst->list, NULL);
dst->list->count--;
STARTSTACKSTR(p);
return p;
}
#define NEXTWORD(c, flag, p, dstlist) p = nextword(c, flag, p, dstlist)
static char *
stputs_split(const char *data, const char *syntax, int flag, char *p,
struct worddest *dst)
{
const char *ifs;
char c;
ifs = ifsset() ? ifsval() : " \t\n";
while (*data) {
CHECKSTRSPACE(2, p);
c = *data++;
if (strchr(ifs, c) != NULL) {
NEXTWORD(c, flag, p, dst);
continue;
}
if (flag & EXP_GLOB && syntax[(int)c] == CCTL)
USTPUTC(CTLESC, p);
USTPUTC(c, p);
}
return (p);
}
#define STPUTS_SPLIT(data, syntax, flag, p, dst) p = stputs_split((data), syntax, flag, p, dst)
1994-05-26 06:18:55 +00:00
/*
2010-09-05 21:12:48 +00:00
* Perform expansions on an argument, placing the resulting list of arguments
* in arglist. Parameter expansion, command substitution and arithmetic
* expansion are always performed; additional expansions can be requested
* via flag (EXP_*).
* The result is left in the stack string.
* When arglist is NULL, perform here document expansion.
2010-09-05 21:12:48 +00:00
*
* Caution: this function uses global state and is not reentrant.
* However, a new invocation after an interrupted invocation is safe
* and will reset the global state for the new call.
1994-05-26 06:18:55 +00:00
*/
void
expandarg(union node *arg, struct arglist *arglist, int flag)
{
struct worddest exparg;
1994-05-26 06:18:55 +00:00
if (fflag)
flag &= ~EXP_GLOB;
1994-05-26 06:18:55 +00:00
argbackq = arg->narg.backquote;
exparg.list = arglist;
exparg.state = WORD_IDLE;
1994-05-26 06:18:55 +00:00
STARTSTACKSTR(expdest);
argstr(arg->narg.text, flag, &exparg);
1994-05-26 06:18:55 +00:00
if (arglist == NULL) {
STACKSTRNUL(expdest);
1994-05-26 06:18:55 +00:00
return; /* here document expanded */
}
if ((flag & EXP_SPLIT) == 0 || expdest != stackblock() ||
exparg.state == WORD_QUOTEMARK) {
STPUTC('\0', expdest);
if (flag & EXP_SPLIT) {
if (flag & EXP_GLOB)
expandmeta(grabstackstr(expdest), exparg.list);
else
appendarglist(exparg.list, grabstackstr(expdest));
}
1994-05-26 06:18:55 +00:00
}
if ((flag & EXP_SPLIT) == 0)
appendarglist(arglist, grabstackstr(expdest));
1994-05-26 06:18:55 +00:00
}
/*
2010-09-05 21:12:48 +00:00
* Perform parameter expansion, command substitution and arithmetic
* expansion, and tilde expansion if requested via EXP_TILDE/EXP_VARTILDE.
* Processing ends at a CTLENDVAR or CTLENDARI character as well as '\0'.
2010-09-05 21:12:48 +00:00
* This is used to expand word in ${var+word} etc.
* If EXP_GLOB or EXP_CASE are set, keep and/or generate CTLESC
2010-09-05 21:12:48 +00:00
* characters to allow for further processing.
*
* If EXP_SPLIT is set, dst receives any complete words produced.
1994-05-26 06:18:55 +00:00
*/
static char *
argstr(char *p, int flag, struct worddest *dst)
{
char c;
int quotes = flag & (EXP_GLOB | EXP_CASE); /* do CTLESC */
1994-05-26 06:18:55 +00:00
int firsteq = 1;
int split_lit;
int lit_quoted;
1994-05-26 06:18:55 +00:00
split_lit = flag & EXP_SPLIT_LIT;
lit_quoted = flag & EXP_LIT_QUOTED;
flag &= ~(EXP_SPLIT_LIT | EXP_LIT_QUOTED);
1994-05-26 06:18:55 +00:00
if (*p == '~' && (flag & (EXP_TILDE | EXP_VARTILDE)))
p = exptilde(p, flag);
for (;;) {
CHECKSTRSPACE(2, expdest);
1994-05-26 06:18:55 +00:00
switch (c = *p++) {
case '\0':
return (p - 1);
2010-09-05 21:12:48 +00:00
case CTLENDVAR:
case CTLENDARI:
return (p);
case CTLQUOTEMARK:
lit_quoted = 1;
/* "$@" syntax adherence hack */
if (p[0] == CTLVAR && (p[1] & VSQUOTE) != 0 &&
p[2] == '@' && p[3] == '=')
break;
if ((flag & EXP_SPLIT) != 0 && expdest == stackblock())
dst->state = WORD_QUOTEMARK;
break;
case CTLQUOTEEND:
lit_quoted = 0;
break;
1994-05-26 06:18:55 +00:00
case CTLESC:
c = *p++;
if (split_lit && !lit_quoted &&
strchr(ifsset() ? ifsval() : " \t\n", c) != NULL) {
NEXTWORD(c, flag, expdest, dst);
break;
}
if (quotes)
USTPUTC(CTLESC, expdest);
USTPUTC(c, expdest);
1994-05-26 06:18:55 +00:00
break;
case CTLVAR:
p = evalvar(p, flag, dst);
1994-05-26 06:18:55 +00:00
break;
case CTLBACKQ:
case CTLBACKQ|CTLQUOTE:
expbackq(argbackq->n, c & CTLQUOTE, flag, dst);
1994-05-26 06:18:55 +00:00
argbackq = argbackq->next;
break;
case CTLARI:
p = expari(p, flag, dst);
1994-05-26 06:18:55 +00:00
break;
case ':':
case '=':
/*
* sort of a hack - expand tildes in variable
* assignments (after the first '=' and after ':'s).
*/
if (split_lit && !lit_quoted &&
strchr(ifsset() ? ifsval() : " \t\n", c) != NULL) {
NEXTWORD(c, flag, expdest, dst);
break;
}
USTPUTC(c, expdest);
if (flag & EXP_VARTILDE && *p == '~' &&
(c != '=' || firsteq)) {
if (c == '=')
firsteq = 0;
1994-05-26 06:18:55 +00:00
p = exptilde(p, flag);
}
break;
default:
if (split_lit && !lit_quoted &&
strchr(ifsset() ? ifsval() : " \t\n", c) != NULL) {
NEXTWORD(c, flag, expdest, dst);
break;
}
USTPUTC(c, expdest);
1994-05-26 06:18:55 +00:00
}
}
}
2010-09-05 21:12:48 +00:00
/*
* Perform tilde expansion, placing the result in the stack string and
* returning the next position in the input string to process.
*/
static char *
exptilde(char *p, int flag)
{
1994-05-26 06:18:55 +00:00
char c, *startp = p;
struct passwd *pw;
char *home;
for (;;) {
c = *p;
1994-05-26 06:18:55 +00:00
switch(c) {
case CTLESC: /* This means CTL* are always considered quoted. */
case CTLVAR:
case CTLBACKQ:
case CTLBACKQ | CTLQUOTE:
case CTLARI:
case CTLENDARI:
case CTLQUOTEMARK:
return (startp);
1994-05-26 06:18:55 +00:00
case ':':
if ((flag & EXP_VARTILDE) == 0)
break;
/* FALLTHROUGH */
case '\0':
1994-05-26 06:18:55 +00:00
case '/':
case CTLENDVAR:
*p = '\0';
if (*(startp+1) == '\0') {
home = lookupvar("HOME");
} else {
pw = getpwnam(startp+1);
home = pw != NULL ? pw->pw_dir : NULL;
}
*p = c;
if (home == NULL || *home == '\0')
return (startp);
strtodest(home, flag, VSNORMAL, 1, NULL);
return (p);
1994-05-26 06:18:55 +00:00
}
p++;
}
}
/*
* Expand arithmetic expression.
1994-05-26 06:18:55 +00:00
*/
static char *
expari(char *p, int flag, struct worddest *dst)
{
char *q, *start;
arith_t result;
int begoff;
int quoted;
int adj;
1994-05-26 06:18:55 +00:00
quoted = *p++ == '"';
begoff = expdest - stackblock();
p = argstr(p, 0, NULL);
STPUTC('\0', expdest);
start = stackblock() + begoff;
q = grabstackstr(expdest);
result = arith(start);
ungrabstackstr(q, expdest);
start = stackblock() + begoff;
adj = start - expdest;
STADJUST(adj, expdest);
CHECKSTRSPACE((int)(DIGITS(result) + 1), expdest);
fmtstr(expdest, DIGITS(result), ARITH_FORMAT_STR, result);
adj = strlen(expdest);
STADJUST(adj, expdest);
if (!quoted)
reprocess(expdest - adj - stackblock(), flag, VSNORMAL, 0, dst);
return p;
1994-05-26 06:18:55 +00:00
}
/*
2010-09-05 21:12:48 +00:00
* Perform command substitution.
1994-05-26 06:18:55 +00:00
*/
static void
expbackq(union node *cmd, int quoted, int flag, struct worddest *dst)
{
1994-05-26 06:18:55 +00:00
struct backcmd in;
int i;
char buf[128];
char *p;
char *dest = expdest;
struct nodelist *saveargbackq;
char lastc;
char const *syntax = quoted? DQSYNTAX : BASESYNTAX;
int quotes = flag & (EXP_GLOB | EXP_CASE);
size_t nnl;
const char *ifs;
1994-05-26 06:18:55 +00:00
INTOFF;
saveargbackq = argbackq;
p = grabstackstr(dest);
evalbackcmd(cmd, &in);
ungrabstackstr(p, dest);
argbackq = saveargbackq;
p = in.buf;
lastc = '\0';
nnl = 0;
if (!quoted && flag & EXP_SPLIT)
ifs = ifsset() ? ifsval() : " \t\n";
else
ifs = "";
/* Don't copy trailing newlines */
1994-05-26 06:18:55 +00:00
for (;;) {
if (--in.nleft < 0) {
if (in.fd < 0)
break;
while ((i = read(in.fd, buf, sizeof buf)) < 0 && errno == EINTR);
TRACE(("expbackq: read returns %d\n", i));
if (i <= 0)
break;
p = buf;
in.nleft = i - 1;
}
lastc = *p++;
if (lastc == '\0')
continue;
if (lastc == '\n') {
nnl++;
} else {
if (nnl > 0) {
if (strchr(ifs, '\n') != NULL) {
NEXTWORD('\n', flag, dest, dst);
nnl = 0;
} else {
CHECKSTRSPACE(nnl + 2, dest);
while (nnl > 0) {
nnl--;
USTPUTC('\n', dest);
}
}
}
if (strchr(ifs, lastc) != NULL)
NEXTWORD(lastc, flag, dest, dst);
else {
CHECKSTRSPACE(2, dest);
if (quotes && syntax[(int)lastc] == CCTL)
USTPUTC(CTLESC, dest);
USTPUTC(lastc, dest);
}
1994-05-26 06:18:55 +00:00
}
}
1994-05-26 06:18:55 +00:00
if (in.fd >= 0)
close(in.fd);
if (in.buf)
ckfree(in.buf);
if (in.jp)
exitstatus = waitforjob(in.jp, (int *)NULL);
TRACE(("expbackq: size=%td: \"%.*s\"\n",
((dest - stackblock()) - startloc),
(int)((dest - stackblock()) - startloc),
1994-05-26 06:18:55 +00:00
stackblock() + startloc));
expdest = dest;
INTON;
}
static void
recordleft(const char *str, const char *loc, char *startp)
{
int amount;
amount = ((str - 1) - (loc - startp)) - expdest;
STADJUST(amount, expdest);
while (loc != str - 1)
*startp++ = *loc++;
}
static void
subevalvar_trim(char *p, int strloc, int subtype, int startloc)
{
char *startp;
char *loc = NULL;
char *str;
int c = 0;
struct nodelist *saveargbackq = argbackq;
int amount;
argstr(p, EXP_CASE | EXP_TILDE, NULL);
STACKSTRNUL(expdest);
argbackq = saveargbackq;
startp = stackblock() + startloc;
str = stackblock() + strloc;
switch (subtype) {
case VSTRIMLEFT:
for (loc = startp; loc < str; loc++) {
c = *loc;
*loc = '\0';
if (patmatch(str, startp)) {
*loc = c;
recordleft(str, loc, startp);
return;
}
*loc = c;
}
break;
case VSTRIMLEFTMAX:
for (loc = str - 1; loc >= startp;) {
c = *loc;
*loc = '\0';
if (patmatch(str, startp)) {
*loc = c;
recordleft(str, loc, startp);
return;
}
*loc = c;
loc--;
}
break;
case VSTRIMRIGHT:
for (loc = str - 1; loc >= startp;) {
if (patmatch(str, loc)) {
amount = loc - expdest;
STADJUST(amount, expdest);
return;
}
loc--;
}
break;
case VSTRIMRIGHTMAX:
for (loc = startp; loc < str - 1; loc++) {
if (patmatch(str, loc)) {
amount = loc - expdest;
STADJUST(amount, expdest);
return;
}
}
break;
default:
abort();
}
amount = (expdest - stackblock() - strloc) + 1;
STADJUST(-amount, expdest);
}
static int
subevalvar_misc(char *p, const char *var, int subtype, int startloc,
int varflags)
{
char *startp;
struct nodelist *saveargbackq = argbackq;
int amount;
argstr(p, EXP_TILDE, NULL);
STACKSTRNUL(expdest);
argbackq = saveargbackq;
startp = stackblock() + startloc;
switch (subtype) {
case VSASSIGN:
setvar(var, startp, 0);
amount = startp - expdest;
STADJUST(amount, expdest);
return 1;
case VSQUESTION:
if (*p != CTLENDVAR) {
outfmt(out2, "%s\n", startp);
error((char *)NULL);
}
error("%.*s: parameter %snot set", (int)(p - var - 1),
var, (varflags & VSNUL) ? "null or " : "");
return 0;
default:
abort();
}
}
1994-05-26 06:18:55 +00:00
/*
* Expand a variable, and return a pointer to the next character in the
* input string.
*/
static char *
evalvar(char *p, int flag, struct worddest *dst)
{
1994-05-26 06:18:55 +00:00
int subtype;
int varflags;
char *var;
2014-03-14 21:45:37 +00:00
const char *val;
int patloc;
1994-05-26 06:18:55 +00:00
int c;
int set;
int special;
int startloc;
int varlen;
int varlenb;
char buf[21];
1994-05-26 06:18:55 +00:00
varflags = (unsigned char)*p++;
1994-05-26 06:18:55 +00:00
subtype = varflags & VSTYPE;
var = p;
special = 0;
if (! is_name(*p))
special = 1;
p = strchr(p, '=') + 1;
again: /* jump here after setting a variable with ${var=text} */
if (varflags & VSLINENO) {
set = 1;
special = 1;
val = NULL;
} else if (special) {
set = varisset(var, varflags & VSNUL);
1994-05-26 06:18:55 +00:00
val = NULL;
} else {
val = bltinlookup(var, 1);
if (val == NULL || ((varflags & VSNUL) && val[0] == '\0')) {
1994-05-26 06:18:55 +00:00
val = NULL;
set = 0;
} else
set = 1;
}
varlen = 0;
1994-05-26 06:18:55 +00:00
startloc = expdest - stackblock();
if (!set && uflag && *var != '@' && *var != '*') {
switch (subtype) {
case VSNORMAL:
case VSTRIMLEFT:
case VSTRIMLEFTMAX:
case VSTRIMRIGHT:
case VSTRIMRIGHTMAX:
case VSLENGTH:
error("%.*s: parameter not set", (int)(p - var - 1),
var);
}
}
1994-05-26 06:18:55 +00:00
if (set && subtype != VSPLUS) {
/* insert the value of the variable */
if (special) {
if (varflags & VSLINENO) {
if (p - var > (ptrdiff_t)sizeof(buf))
abort();
memcpy(buf, var, p - var - 1);
buf[p - var - 1] = '\0';
strtodest(buf, flag, subtype,
varflags & VSQUOTE, dst);
} else
varvalue(var, varflags & VSQUOTE, subtype, flag,
dst);
if (subtype == VSLENGTH) {
varlenb = expdest - stackblock() - startloc;
varlen = varlenb;
if (localeisutf8) {
val = stackblock() + startloc;
for (;val != expdest; val++)
if ((*val & 0xC0) == 0x80)
varlen--;
}
STADJUST(-varlenb, expdest);
}
1994-05-26 06:18:55 +00:00
} else {
if (subtype == VSLENGTH) {
for (;*val; val++)
if (!localeisutf8 ||
(*val & 0xC0) != 0x80)
varlen++;
}
else
strtodest(val, flag, subtype,
varflags & VSQUOTE, dst);
1994-05-26 06:18:55 +00:00
}
}
1994-05-26 06:18:55 +00:00
if (subtype == VSPLUS)
set = ! set;
switch (subtype) {
case VSLENGTH:
cvtnum(varlen, buf);
strtodest(buf, flag, VSNORMAL, varflags & VSQUOTE, dst);
break;
case VSNORMAL:
break;
case VSPLUS:
case VSMINUS:
if (!set) {
argstr(p, flag | (flag & EXP_SPLIT ? EXP_SPLIT_LIT : 0) |
(varflags & VSQUOTE ? EXP_LIT_QUOTED : 0), dst);
break;
}
break;
case VSTRIMLEFT:
case VSTRIMLEFTMAX:
case VSTRIMRIGHT:
case VSTRIMRIGHTMAX:
if (!set)
break;
/*
* Terminate the string and start recording the pattern
* right after it
*/
STPUTC('\0', expdest);
patloc = expdest - stackblock();
subevalvar_trim(p, patloc, subtype, startloc);
reprocess(startloc, flag, VSNORMAL, varflags & VSQUOTE, dst);
if (flag & EXP_SPLIT && *var == '@' && varflags & VSQUOTE)
dst->state = WORD_QUOTEMARK;
break;
case VSASSIGN:
case VSQUESTION:
if (!set) {
if (subevalvar_misc(p, var, subtype, startloc,
varflags)) {
varflags &= ~VSNUL;
1994-05-26 06:18:55 +00:00
goto again;
}
break;
1994-05-26 06:18:55 +00:00
}
break;
case VSERROR:
c = p - var - 1;
error("${%.*s%s}: Bad substitution", c, var,
(c > 0 && *p != CTLENDVAR) ? "..." : "");
default:
abort();
1994-05-26 06:18:55 +00:00
}
1994-05-26 06:18:55 +00:00
if (subtype != VSNORMAL) { /* skip to end of alternative */
int nesting = 1;
for (;;) {
if ((c = *p++) == CTLESC)
p++;
else if (c == CTLBACKQ || c == (CTLBACKQ|CTLQUOTE)) {
if (set)
argbackq = argbackq->next;
} else if (c == CTLVAR) {
if ((*p++ & VSTYPE) != VSNORMAL)
nesting++;
} else if (c == CTLENDVAR) {
if (--nesting == 0)
break;
}
}
}
return p;
}
/*
* Test whether a specialized variable is set.
*/
static int
2014-03-14 21:45:37 +00:00
varisset(const char *name, int nulok)
{
1994-05-26 06:18:55 +00:00
if (*name == '!')
return backgndpidset();
else if (*name == '@' || *name == '*') {
1994-05-26 06:18:55 +00:00
if (*shellparam.p == NULL)
return 0;
if (nulok) {
char **av;
for (av = shellparam.p; *av; av++)
if (**av != '\0')
return 1;
return 0;
}
} else if (is_digit(*name)) {
char *ap;
long num;
errno = 0;
num = strtol(name, NULL, 10);
if (errno != 0 || num > shellparam.nparam)
return 0;
if (num == 0)
ap = arg0;
else
ap = shellparam.p[num - 1];
if (nulok && (ap == NULL || *ap == '\0'))
return 0;
1994-05-26 06:18:55 +00:00
}
return 1;
}
static void
strtodest(const char *p, int flag, int subtype, int quoted,
struct worddest *dst)
{
if (subtype == VSLENGTH || subtype == VSTRIMLEFT ||
subtype == VSTRIMLEFTMAX || subtype == VSTRIMRIGHT ||
subtype == VSTRIMRIGHTMAX)
STPUTS(p, expdest);
else if (flag & EXP_SPLIT && !quoted && dst != NULL)
STPUTS_SPLIT(p, BASESYNTAX, flag, expdest, dst);
else if (flag & (EXP_GLOB | EXP_CASE))
STPUTS_QUOTES(p, quoted ? DQSYNTAX : BASESYNTAX, expdest);
else
STPUTS(p, expdest);
}
1994-05-26 06:18:55 +00:00
static void
reprocess(int startloc, int flag, int subtype, int quoted,
struct worddest *dst)
{
static char *buf = NULL;
static size_t buflen = 0;
char *startp;
size_t len, zpos, zlen;
startp = stackblock() + startloc;
len = expdest - startp;
if (len >= SIZE_MAX / 2)
abort();
INTOFF;
if (len >= buflen) {
ckfree(buf);
buf = NULL;
}
if (buflen < 128)
buflen = 128;
while (len >= buflen)
buflen <<= 1;
if (buf == NULL)
buf = ckmalloc(buflen);
INTON;
memcpy(buf, startp, len);
buf[len] = '\0';
STADJUST(-len, expdest);
for (zpos = 0;;) {
zlen = strlen(buf + zpos);
strtodest(buf + zpos, flag, subtype, quoted, dst);
zpos += zlen + 1;
if (zpos == len + 1)
break;
if (flag & EXP_SPLIT && (quoted || (zlen > 0 && zpos < len)))
NEXTWORD('\0', flag, expdest, dst);
}
}
1994-05-26 06:18:55 +00:00
/*
* Add the value of a specialized variable to the stack string.
*/
static void
varvalue(const char *name, int quoted, int subtype, int flag,
struct worddest *dst)
{
1994-05-26 06:18:55 +00:00
int num;
char *p;
int i;
int splitlater;
char sep[2];
1994-05-26 06:18:55 +00:00
char **ap;
char buf[(NSHORTOPTS > 10 ? NSHORTOPTS : 10) + 1];
if (subtype == VSLENGTH)
flag &= ~EXP_FULL;
splitlater = subtype == VSTRIMLEFT || subtype == VSTRIMLEFTMAX ||
subtype == VSTRIMRIGHT || subtype == VSTRIMRIGHTMAX;
1994-05-26 06:18:55 +00:00
switch (*name) {
1994-05-26 06:18:55 +00:00
case '$':
num = rootpid;
2014-10-15 21:20:56 +00:00
break;
1994-05-26 06:18:55 +00:00
case '?':
num = oexitstatus;
2014-10-15 21:20:56 +00:00
break;
1994-05-26 06:18:55 +00:00
case '#':
num = shellparam.nparam;
2014-10-15 21:20:56 +00:00
break;
1994-05-26 06:18:55 +00:00
case '!':
num = backgndpidval();
1994-05-26 06:18:55 +00:00
break;
case '-':
p = buf;
for (i = 0 ; i < NSHORTOPTS ; i++) {
2016-01-07 23:13:20 +00:00
if (optval[i])
*p++ = optletter[i];
1994-05-26 06:18:55 +00:00
}
*p = '\0';
strtodest(buf, flag, subtype, quoted, dst);
2014-10-15 21:20:56 +00:00
return;
1994-05-26 06:18:55 +00:00
case '@':
if (flag & EXP_SPLIT && quoted) {
for (ap = shellparam.p ; (p = *ap++) != NULL ; ) {
strtodest(p, flag, subtype, quoted, dst);
if (*ap) {
if (splitlater)
STPUTC('\0', expdest);
else
NEXTWORD('\0', flag, expdest,
dst);
}
}
if (shellparam.nparam > 0)
dst->state = WORD_QUOTEMARK;
2014-10-15 21:20:56 +00:00
return;
1994-05-26 06:18:55 +00:00
}
/* FALLTHROUGH */
1994-05-26 06:18:55 +00:00
case '*':
Various small code cleanups resulting from a code reviewing and linting procedure: 1. Remove useless sub-expression: - if (*start || (!ifsspc && start > string && (nulonly || 1))) { + if (*start || (!ifsspc && start > string)) { The sub-expression "(nulonly || 1)" always evaluates to true and according to CVS logs seems to be just a left-over from some debugging and introduced by accident. Removing the sub-expression doesn't change semantics and a code inspection showed that the variable "nulonly" is also not necessary here in any way (and the expression would require fixing instead of removing). 2. Remove dead code: - if (backslash && c == '\\') { - if (read(STDIN_FILENO, &c, 1) != 1) { - status = 1; - break; - } - STPUTC(c, p); - } else if (ap[1] != NULL && strchr(ifs, c) != NULL) { + if (ap[1] != NULL && strchr(ifs, c) != NULL) { Inspection of the control and data flow showed that variable "backslash" is always false (0) when the "if"-expression is evaluated, hence the whole block is effectively dead code. Additionally, the skipping of characters after a backslash is already performed correctly a few lines above, so this code is also not needed at all. According to the CVS logs and the ASH 0.2 sources, this code existed in this way already since its early days. 3. Cleanup Style: - ! trap[signo][0] == '\0' && + ! (trap[signo][0] == '\0') && The expression wants to ensure the trap is not assigned the empty string. But the "!" operator has higher precedence than "==", so the comparison should be put into parenthesis to form the intended way of expression. Nevertheless the code was effectively not really broken as both particular NUL comparisons are semantically equal, of course. But the parenthesized version is a lot more intuitive. 4. Remove shadowing variable declaration: - char *q; The declaration of symbol "q" hides another identical declaration of "q" in the same context. As the other "q" is already reused multiple times and also can be reused again without negative side-effects, just remove the shadowing declaration. 5. Just small cosmetics: - if (ifsset() != 0) + if (ifsset()) The ifsset() macro is already coded by returning the boolean result of a comparison operator, so no need to compare this boolean result again against a numerical value. This also aligns the macros usage to the remaining existing code. Reviewed by: stefanf@
2005-09-06 19:30:00 +00:00
if (ifsset())
sep[0] = ifsval()[0];
else
sep[0] = ' ';
sep[1] = '\0';
1994-05-26 06:18:55 +00:00
for (ap = shellparam.p ; (p = *ap++) != NULL ; ) {
strtodest(p, flag, subtype, quoted, dst);
if (!*ap)
break;
if (sep[0])
strtodest(sep, flag, subtype, quoted, dst);
else if (flag & EXP_SPLIT && !quoted && **ap != '\0') {
if (splitlater)
STPUTC('\0', expdest);
else
NEXTWORD('\0', flag, expdest, dst);
}
1994-05-26 06:18:55 +00:00
}
2014-10-15 21:20:56 +00:00
return;
1994-05-26 06:18:55 +00:00
default:
if (is_digit(*name)) {
num = atoi(name);
if (num == 0)
p = arg0;
else if (num > 0 && num <= shellparam.nparam)
p = shellparam.p[num - 1];
else
2014-10-15 21:20:56 +00:00
return;
strtodest(p, flag, subtype, quoted, dst);
1994-05-26 06:18:55 +00:00
}
2014-10-15 21:20:56 +00:00
return;
1994-05-26 06:18:55 +00:00
}
cvtnum(num, buf);
strtodest(buf, flag, subtype, quoted, dst);
1994-05-26 06:18:55 +00:00
}
static char expdir[PATH_MAX];
#define expdir_end (expdir + sizeof(expdir))
1994-05-26 06:18:55 +00:00
2010-09-05 21:12:48 +00:00
/*
* Perform pathname generation and remove control characters.
* At this point, the only control characters should be CTLESC.
* The results are stored in the list dstlist.
2010-09-05 21:12:48 +00:00
*/
static void
expandmeta(char *pattern, struct arglist *dstlist)
{
1994-05-26 06:18:55 +00:00
char *p;
int firstmatch;
1994-05-26 06:18:55 +00:00
char c;
2015-12-31 18:56:11 +00:00
firstmatch = dstlist->count;
p = pattern;
for (; (c = *p) != '\0'; p++) {
/* fast check for meta chars */
if (c == '*' || c == '?' || c == '[') {
INTOFF;
expmeta(expdir, pattern, dstlist);
INTON;
break;
1994-05-26 06:18:55 +00:00
}
2015-12-31 18:56:11 +00:00
}
if (dstlist->count == firstmatch) {
/*
* no matches
*/
rmescapes(pattern);
appendarglist(dstlist, pattern);
} else {
qsort(&dstlist->args[firstmatch],
dstlist->count - firstmatch,
sizeof(dstlist->args[0]), expsortcmp);
}
1994-05-26 06:18:55 +00:00
}
/*
* Do metacharacter (i.e. *, ?, [...]) expansion.
*/
static void
expmeta(char *enddir, char *name, struct arglist *arglist)
{
const char *p;
const char *q;
const char *start;
1994-05-26 06:18:55 +00:00
char *endname;
int metaflag;
struct stat statb;
DIR *dirp;
struct dirent *dp;
int atend;
int matchdot;
int esc;
int namlen;
1994-05-26 06:18:55 +00:00
metaflag = 0;
start = name;
for (p = name; esc = 0, *p; p += esc + 1) {
1994-05-26 06:18:55 +00:00
if (*p == '*' || *p == '?')
metaflag = 1;
else if (*p == '[') {
q = p + 1;
if (*q == '!' || *q == '^')
1994-05-26 06:18:55 +00:00
q++;
for (;;) {
if (*q == CTLESC)
q++;
if (*q == '/' || *q == '\0')
break;
if (*++q == ']') {
metaflag = 1;
break;
}
}
} else if (*p == '\0')
break;
else {
if (*p == CTLESC)
esc++;
if (p[esc] == '/') {
if (metaflag)
break;
start = p + esc + 1;
}
1994-05-26 06:18:55 +00:00
}
}
if (metaflag == 0) { /* we've reached the end of the file name */
if (enddir != expdir)
metaflag++;
for (p = name ; ; p++) {
if (*p == CTLESC)
p++;
*enddir++ = *p;
if (*p == '\0')
break;
if (enddir == expdir_end)
return;
1994-05-26 06:18:55 +00:00
}
if (metaflag == 0 || lstat(expdir, &statb) >= 0)
appendarglist(arglist, stsavestr(expdir));
1994-05-26 06:18:55 +00:00
return;
}
endname = name + (p - name);
1994-05-26 06:18:55 +00:00
if (start != name) {
p = name;
while (p < start) {
if (*p == CTLESC)
p++;
*enddir++ = *p++;
if (enddir == expdir_end)
return;
1994-05-26 06:18:55 +00:00
}
}
if (enddir == expdir) {
p = ".";
} else if (enddir == expdir + 1 && *expdir == '/') {
p = "/";
} else {
p = expdir;
enddir[-1] = '\0';
}
if ((dirp = opendir(p)) == NULL)
return;
if (enddir != expdir)
enddir[-1] = '/';
if (*endname == 0) {
atend = 1;
} else {
atend = 0;
*endname = '\0';
endname += esc + 1;
1994-05-26 06:18:55 +00:00
}
matchdot = 0;
p = start;
if (*p == CTLESC)
p++;
if (*p == '.')
1994-05-26 06:18:55 +00:00
matchdot++;
while (! int_pending() && (dp = readdir(dirp)) != NULL) {
if (dp->d_name[0] == '.' && ! matchdot)
continue;
if (patmatch(start, dp->d_name)) {
namlen = dp->d_namlen;
if (enddir + namlen + 1 > expdir_end)
continue;
memcpy(enddir, dp->d_name, namlen + 1);
if (atend)
appendarglist(arglist, stsavestr(expdir));
else {
if (dp->d_type != DT_UNKNOWN &&
dp->d_type != DT_DIR &&
dp->d_type != DT_LNK)
continue;
if (enddir + namlen + 2 > expdir_end)
continue;
enddir[namlen] = '/';
enddir[namlen + 1] = '\0';
expmeta(enddir + namlen + 1, endname, arglist);
1994-05-26 06:18:55 +00:00
}
}
}
closedir(dirp);
if (! atend)
endname[-esc - 1] = esc ? CTLESC : '/';
1994-05-26 06:18:55 +00:00
}
static int
expsortcmp(const void *p1, const void *p2)
{
const char *s1 = *(const char * const *)p1;
const char *s2 = *(const char * const *)p2;
1994-05-26 06:18:55 +00:00
return (strcmp(s1, s2));
1994-05-26 06:18:55 +00:00
}
static wchar_t
get_wc(const char **p)
{
wchar_t c;
int chrlen;
chrlen = mbtowc(&c, *p, 4);
if (chrlen == 0)
return 0;
else if (chrlen == -1)
c = 0;
else
*p += chrlen;
return c;
}
/*
* See if a character matches a character class, starting at the first colon
* of "[:class:]".
* If a valid character class is recognized, a pointer to the next character
* after the final closing bracket is stored into *end, otherwise a null
* pointer is stored into *end.
*/
static int
match_charclass(const char *p, wchar_t chr, const char **end)
{
char name[20];
const char *nameend;
wctype_t cclass;
*end = NULL;
p++;
nameend = strstr(p, ":]");
if (nameend == NULL || (size_t)(nameend - p) >= sizeof(name) ||
nameend == p)
return 0;
memcpy(name, p, nameend - p);
name[nameend - p] = '\0';
*end = nameend + 2;
cclass = wctype(name);
/* An unknown class matches nothing but is valid nevertheless. */
if (cclass == 0)
return 0;
return iswctype(chr, cclass);
}
1994-05-26 06:18:55 +00:00
/*
* Returns true if the pattern matches the string.
*/
2012-01-01 22:17:12 +00:00
static int
patmatch(const char *pattern, const char *string)
{
const char *p, *q, *end;
2012-01-01 20:50:19 +00:00
const char *bt_p, *bt_q;
char c;
wchar_t wc, wc2;
1994-05-26 06:18:55 +00:00
p = pattern;
q = string;
2012-01-01 20:50:19 +00:00
bt_p = NULL;
bt_q = NULL;
1994-05-26 06:18:55 +00:00
for (;;) {
switch (c = *p++) {
case '\0':
2012-01-01 20:50:19 +00:00
if (*q != '\0')
goto backtrack;
return 1;
1994-05-26 06:18:55 +00:00
case CTLESC:
if (*q++ != *p++)
2012-01-01 20:50:19 +00:00
goto backtrack;
1994-05-26 06:18:55 +00:00
break;
case '?':
2012-01-01 20:50:19 +00:00
if (*q == '\0')
return 0;
if (localeisutf8) {
wc = get_wc(&q);
2012-01-01 20:50:19 +00:00
/*
* A '?' does not match invalid UTF-8 but a
* '*' does, so backtrack.
*/
if (wc == 0)
goto backtrack;
} else
wc = (unsigned char)*q++;
1994-05-26 06:18:55 +00:00
break;
case '*':
c = *p;
while (c == '*')
c = *++p;
2012-01-01 20:50:19 +00:00
/*
* If the pattern ends here, we know the string
* matches without needing to look at the rest of it.
*/
if (c == '\0')
return 1;
/*
* First try the shortest match for the '*' that
* could work. We can forget any earlier '*' since
* there is no way having it match more characters
* can help us, given that we are already here.
*/
bt_p = p;
bt_q = q;
break;
1994-05-26 06:18:55 +00:00
case '[': {
const char *savep, *saveq;
1994-05-26 06:18:55 +00:00
int invert, found;
wchar_t chr;
1994-05-26 06:18:55 +00:00
savep = p, saveq = q;
1994-05-26 06:18:55 +00:00
invert = 0;
if (*p == '!' || *p == '^') {
1994-05-26 06:18:55 +00:00
invert++;
p++;
}
found = 0;
2012-01-01 20:50:19 +00:00
if (*q == '\0')
return 0;
if (localeisutf8) {
chr = get_wc(&q);
2012-01-01 20:50:19 +00:00
if (chr == 0)
goto backtrack;
} else
chr = (unsigned char)*q++;
1994-05-26 06:18:55 +00:00
c = *p++;
do {
if (c == '\0') {
p = savep, q = saveq;
c = '[';
goto dft;
}
if (c == '[' && *p == ':') {
found |= match_charclass(p, chr, &end);
if (end != NULL)
p = end;
}
1994-05-26 06:18:55 +00:00
if (c == CTLESC)
c = *p++;
if (localeisutf8 && c & 0x80) {
p--;
wc = get_wc(&p);
if (wc == 0) /* bad utf-8 */
return 0;
} else
wc = (unsigned char)c;
1994-05-26 06:18:55 +00:00
if (*p == '-' && p[1] != ']') {
p++;
if (*p == CTLESC)
p++;
if (localeisutf8) {
wc2 = get_wc(&p);
if (wc2 == 0) /* bad utf-8 */
return 0;
} else
wc2 = (unsigned char)*p++;
if ( collate_range_cmp(chr, wc) >= 0
&& collate_range_cmp(chr, wc2) <= 0
1996-08-11 22:51:00 +00:00
)
1994-05-26 06:18:55 +00:00
found = 1;
} else {
if (chr == wc)
1994-05-26 06:18:55 +00:00
found = 1;
}
} while ((c = *p++) != ']');
if (found == invert)
2012-01-01 20:50:19 +00:00
goto backtrack;
1994-05-26 06:18:55 +00:00
break;
}
dft: default:
2012-01-01 20:50:19 +00:00
if (*q == '\0')
return 0;
if (*q++ == c)
break;
backtrack:
/*
* If we have a mismatch (other than hitting the end
* of the string), go back to the last '*' seen and
* have it match one additional character.
*/
if (bt_p == NULL)
return 0;
if (*bt_q == '\0')
1994-05-26 06:18:55 +00:00
return 0;
2012-01-01 20:50:19 +00:00
bt_q++;
p = bt_p;
q = bt_q;
1994-05-26 06:18:55 +00:00
break;
}
}
}
/*
2010-09-05 21:12:48 +00:00
* Remove any CTLESC and CTLQUOTEMARK characters from a string.
1994-05-26 06:18:55 +00:00
*/
void
rmescapes(char *str)
{
char *p, *q;
1994-05-26 06:18:55 +00:00
p = str;
while (*p != CTLESC && *p != CTLQUOTEMARK && *p != CTLQUOTEEND) {
1994-05-26 06:18:55 +00:00
if (*p++ == '\0')
return;
}
q = p;
while (*p) {
if (*p == CTLQUOTEMARK || *p == CTLQUOTEEND) {
p++;
continue;
}
1994-05-26 06:18:55 +00:00
if (*p == CTLESC)
p++;
*q++ = *p++;
}
*q = '\0';
}
/*
* See if a pattern matches in a case statement.
*/
int
casematch(union node *pattern, const char *val)
{
1994-05-26 06:18:55 +00:00
struct stackmark smark;
int result;
char *p;
setstackmark(&smark);
argbackq = pattern->narg.backquote;
STARTSTACKSTR(expdest);
argstr(pattern->narg.text, EXP_TILDE | EXP_CASE, NULL);
1994-05-26 06:18:55 +00:00
STPUTC('\0', expdest);
p = grabstackstr(expdest);
result = patmatch(p, val);
1994-05-26 06:18:55 +00:00
popstackmark(&smark);
return result;
}
/*
* Our own itoa().
*/
static void
cvtnum(int num, char *buf)
{
char temp[32];
int neg = num < 0;
char *p = temp + 31;
temp[31] = '\0';
do {
*--p = num % 10 + '0';
} while ((num /= 10) != 0);
if (neg)
*--p = '-';
memcpy(buf, p, temp + 32 - p);
}
/*
* Do most of the work for wordexp(3).
*/
int
wordexpcmd(int argc, char **argv)
{
size_t len;
int i;
out1fmt("%08x", argc - 1);
for (i = 1, len = 0; i < argc; i++)
len += strlen(argv[i]);
out1fmt("%08x", (int)len);
for (i = 1; i < argc; i++)
outbin(argv[i], strlen(argv[i]) + 1, out1);
return (0);
}
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
/*
* Do most of the work for wordexp(3), new version.
*/
int
freebsd_wordexpcmd(int argc __unused, char **argv __unused)
{
struct arglist arglist;
union node *args, *n;
size_t len;
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
int ch;
int protected = 0;
int fd = -1;
int i;
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
while ((ch = nextopt("f:p")) != '\0') {
switch (ch) {
case 'f':
fd = number(shoptarg);
break;
case 'p':
protected = 1;
break;
}
}
if (*argptr != NULL)
error("wrong number of arguments");
if (fd < 0)
error("missing fd");
INTOFF;
setinputfd(fd, 1);
INTON;
args = parsewordexp();
popfile(); /* will also close fd */
if (protected)
for (n = args; n != NULL; n = n->narg.next) {
if (n->narg.backquote != NULL) {
outcslow('C', out1);
error("command substitution disabled");
}
}
outcslow(' ', out1);
emptyarglist(&arglist);
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
for (n = args; n != NULL; n = n->narg.next)
expandarg(n, &arglist, EXP_FULL | EXP_TILDE);
for (i = 0, len = 0; i < arglist.count; i++)
len += strlen(arglist.args[i]);
out1fmt("%016x %016zx", arglist.count, len);
for (i = 0; i < arglist.count; i++)
outbin(arglist.args[i], strlen(arglist.args[i]) + 1, out1);
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
return (0);
}