1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Miscellaneous string-handling functions. Some are not required for
9 utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
16 #ifndef COMPILE_UTILITY
17 /*************************************************
18 * Test for IP address *
19 *************************************************/
21 /* This used just to be a regular expression, but with IPv6 things are a bit
22 more complicated. If the address contains a colon, it is assumed to be a v6
23 address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
24 and maskptr is not NULL, its offset is placed there.
28 maskptr NULL if no mask is permitted to follow
29 otherwise, points to an int where the offset of '/' is placed
30 if there is no / followed by trailing digits, *maskptr is set 0
32 Returns: 0 if the string is not a textual representation of an IP address
33 4 if it is an IPv4 address
34 6 if it is an IPv6 address
38 string_is_ip_address(const uschar *s, int *maskptr)
42 /* If an optional mask is permitted, check for it. If found, pass back the
47 const uschar *ss = s + Ustrlen(s);
49 if (s != ss && isdigit(*(--ss)))
51 while (ss > s && isdigit(ss[-1])) ss--;
52 if (ss > s && *(--ss) == '/') *maskptr = ss - s;
56 /* A colon anywhere in the string => IPv6 address */
58 if (Ustrchr(s, ':') != NULL)
60 BOOL had_double_colon = FALSE;
65 /* An IPv6 address must start with hex digit or double colon. A single
68 if (*s == ':' && *(++s) != ':') return 0;
70 /* Now read up to 8 components consisting of up to 4 hex digits each. There
71 may be one and only one appearance of double colon, which implies any number
72 of binary zero bits. The number of preceding components is held in count. */
74 for (int count = 0; count < 8; count++)
76 /* If the end of the string is reached before reading 8 components, the
77 address is valid provided a double colon has been read. This also applies
78 if we hit the / that introduces a mask or the % that introduces the
79 interface specifier (scope id) of a link-local address. */
81 if (*s == 0 || *s == '%' || *s == '/') return had_double_colon ? yield : 0;
83 /* If a component starts with an additional colon, we have hit a double
84 colon. This is permitted to appear once only, and counts as at least
85 one component. The final component may be of this form. */
89 if (had_double_colon) return 0;
90 had_double_colon = TRUE;
95 /* If the remainder of the string contains a dot but no colons, we
96 can expect a trailing IPv4 address. This is valid if either there has
97 been no double-colon and this is the 7th component (with the IPv4 address
98 being the 7th & 8th components), OR if there has been a double-colon
99 and fewer than 6 components. */
101 if (Ustrchr(s, ':') == NULL && Ustrchr(s, '.') != NULL)
103 if ((!had_double_colon && count != 6) ||
104 (had_double_colon && count > 6)) return 0;
110 /* Check for at least one and not more than 4 hex digits for this
113 if (!isxdigit(*s++)) return 0;
114 if (isxdigit(*s) && isxdigit(*(++s)) && isxdigit(*(++s))) s++;
116 /* If the component is terminated by colon and there is more to
117 follow, skip over the colon. If there is no more to follow the address is
120 if (*s == ':' && *(++s) == 0) return 0;
123 /* If about to handle a trailing IPv4 address, drop through. Otherwise
124 all is well if we are at the end of the string or at the mask or at a percent
125 sign, which introduces the interface specifier (scope id) of a link local
129 return (*s == 0 || *s == '%' ||
130 (*s == '/' && maskptr != NULL && *maskptr != 0))? yield : 0;
133 /* Test for IPv4 address, which may be the tail-end of an IPv6 address. */
135 for (int i = 0; i < 4; i++)
140 if (i != 0 && *s++ != '.') return 0;
141 n = strtol(CCS s, CSS &end, 10);
142 if (n > 255 || n < 0 || end <= s || end > s+3) return 0;
146 return !*s || (*s == '/' && maskptr && *maskptr != 0) ? yield : 0;
148 #endif /* COMPILE_UTILITY */
151 /*************************************************
152 * Format message size *
153 *************************************************/
155 /* Convert a message size in bytes to printing form, rounding
156 according to the magnitude of the number. A value of zero causes
157 a string of spaces to be returned.
160 size the message size in bytes
161 buffer where to put the answer
163 Returns: pointer to the buffer
164 a string of exactly 5 characters is normally returned
168 string_format_size(int size, uschar *buffer)
170 if (size == 0) Ustrcpy(buffer, US" ");
171 else if (size < 1024) sprintf(CS buffer, "%5d", size);
172 else if (size < 10*1024)
173 sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
174 else if (size < 1024*1024)
175 sprintf(CS buffer, "%4dK", (size + 512)/1024);
176 else if (size < 10*1024*1024)
177 sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
179 sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
185 #ifndef COMPILE_UTILITY
186 /*************************************************
187 * Convert a number to base 62 format *
188 *************************************************/
190 /* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
191 BASE_62 is actually 36. Always return exactly 6 characters plus zero, in a
194 Argument: a long integer
195 Returns: pointer to base 62 string
199 string_base62(unsigned long int value)
201 static uschar yield[7];
202 uschar *p = yield + sizeof(yield) - 1;
206 *(--p) = base62_chars[value % BASE_62];
211 #endif /* COMPILE_UTILITY */
215 /*************************************************
216 * Interpret escape sequence *
217 *************************************************/
219 /* This function is called from several places where escape sequences are to be
220 interpreted in strings.
223 pp points a pointer to the initiating "\" in the string;
224 the pointer gets updated to point to the final character
225 If the backslash is the last character in the string, it
227 Returns: the value of the character escape
231 string_interpret_escape(const uschar **pp)
233 #ifdef COMPILE_UTILITY
234 const uschar *hex_digits= CUS"0123456789abcdef";
237 const uschar *p = *pp;
239 if (ch == '\0') return **pp;
240 if (isdigit(ch) && ch != '8' && ch != '9')
243 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
245 ch = ch * 8 + *(++p) - '0';
246 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
247 ch = ch * 8 + *(++p) - '0';
252 case 'b': ch = '\b'; break;
253 case 'f': ch = '\f'; break;
254 case 'n': ch = '\n'; break;
255 case 'r': ch = '\r'; break;
256 case 't': ch = '\t'; break;
257 case 'v': ch = '\v'; break;
263 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
264 if (isxdigit(p[1])) ch = ch * 16 +
265 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
275 #ifndef COMPILE_UTILITY
276 /*************************************************
277 * Ensure string is printable *
278 *************************************************/
280 /* This function is called for critical strings. It checks for any
281 non-printing characters, and if any are found, it makes a new copy
282 of the string with suitable escape sequences. It is most often called by the
283 macro string_printing(), which sets allow_tab TRUE.
287 allow_tab TRUE to allow tab as a printing character
289 Returns: string with non-printers encoded as printing sequences
293 string_printing2(const uschar *s, BOOL allow_tab)
295 int nonprintcount = 0;
303 if (!mac_isprint(c) || (!allow_tab && c == '\t')) nonprintcount++;
307 if (nonprintcount == 0) return s;
309 /* Get a new block of store guaranteed big enough to hold the
312 ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s));
314 /* Copy everything, escaping non printers. */
322 if (mac_isprint(c) && (allow_tab || c != '\t')) *tt++ = *t++; else
327 case '\n': *tt++ = 'n'; break;
328 case '\r': *tt++ = 'r'; break;
329 case '\b': *tt++ = 'b'; break;
330 case '\v': *tt++ = 'v'; break;
331 case '\f': *tt++ = 'f'; break;
332 case '\t': *tt++ = 't'; break;
333 default: sprintf(CS tt, "%03o", *t); tt += 3; break;
341 #endif /* COMPILE_UTILITY */
343 /*************************************************
344 * Undo printing escapes in string *
345 *************************************************/
347 /* This function is the reverse of string_printing2. It searches for
348 backslash characters and if any are found, it makes a new copy of the
349 string with escape sequences parsed. Otherwise it returns the original
355 Returns: string with printing escapes parsed back
359 string_unprinting(uschar *s)
361 uschar *p, *q, *r, *ss;
364 p = Ustrchr(s, '\\');
367 len = Ustrlen(s) + 1;
368 ss = store_get(len, is_tainted(s));
382 *q++ = string_interpret_escape((const uschar **)&p);
387 r = Ustrchr(p, '\\');
413 #if (defined(HAVE_LOCAL_SCAN) || defined(EXPAND_DLFUNC)) \
414 && !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
415 /*************************************************
416 * Copy and save string *
417 *************************************************/
420 Argument: string to copy
421 Returns: copy of string in new store with the same taint status
425 string_copy_function(const uschar *s)
427 return string_copy_taint(s, is_tainted(s));
430 /* This function assumes that memcpy() is faster than strcpy().
431 As above, but explicitly specifying the result taint status
435 string_copy_taint_function(const uschar * s, BOOL tainted)
437 int len = Ustrlen(s) + 1;
438 uschar *ss = store_get(len, tainted);
445 /*************************************************
446 * Copy and save string, given length *
447 *************************************************/
449 /* It is assumed the data contains no zeros. A zero is added
454 n number of characters
456 Returns: copy of string in new store
460 string_copyn_function(const uschar *s, int n)
462 uschar *ss = store_get(n + 1, is_tainted(s));
470 /*************************************************
471 * Copy and save string in malloc'd store *
472 *************************************************/
474 /* This function assumes that memcpy() is faster than strcpy().
476 Argument: string to copy
477 Returns: copy of string in new store
481 string_copy_malloc(const uschar *s)
483 int len = Ustrlen(s) + 1;
484 uschar *ss = store_malloc(len);
491 /*************************************************
492 * Copy string if long, inserting newlines *
493 *************************************************/
495 /* If the given string is longer than 75 characters, it is copied, and within
496 the copy, certain space characters are converted into newlines.
498 Argument: pointer to the string
499 Returns: pointer to the possibly altered string
503 string_split_message(uschar *msg)
507 if (msg == NULL || Ustrlen(msg) <= 75) return msg;
508 s = ss = msg = string_copy(msg);
513 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
525 if (t[-1] == ':') { tt = t; break; }
526 if (tt == NULL) tt = t;
530 if (tt == NULL) /* Can't split behind - try ahead */
535 if (*t == ' ' || *t == '\n')
541 if (tt == NULL) break; /* Can't find anywhere to split */
552 /*************************************************
553 * Copy returned DNS domain name, de-escaping *
554 *************************************************/
556 /* If a domain name contains top-bit characters, some resolvers return
557 the fully qualified name with those characters turned into escapes. The
558 convention is a backslash followed by _decimal_ digits. We convert these
559 back into the original binary values. This will be relevant when
560 allow_utf8_domains is set true and UTF-8 characters are used in domain
561 names. Backslash can also be used to escape other characters, though we
562 shouldn't come across them in domain names.
564 Argument: the domain name string
565 Returns: copy of string in new store, de-escaped
569 string_copy_dnsdomain(uschar *s)
572 uschar *ss = yield = store_get(Ustrlen(s) + 1, is_tainted(s));
580 else if (isdigit(s[1]))
582 *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
585 else if (*(++s) != 0)
596 #ifndef COMPILE_UTILITY
597 /*************************************************
598 * Copy space-terminated or quoted string *
599 *************************************************/
601 /* This function copies from a string until its end, or until whitespace is
602 encountered, unless the string begins with a double quote, in which case the
603 terminating quote is sought, and escaping within the string is done. The length
604 of a de-quoted string can be no longer than the original, since escaping always
605 turns n characters into 1 character.
607 Argument: pointer to the pointer to the first character, which gets updated
608 Returns: the new string
612 string_dequote(const uschar **sptr)
614 const uschar *s = *sptr;
617 /* First find the end of the string */
620 while (*s != 0 && !isspace(*s)) s++;
624 while (*s && *s != '\"')
626 if (*s == '\\') (void)string_interpret_escape(&s);
632 /* Get enough store to copy into */
634 t = yield = store_get(s - *sptr + 1, is_tainted(*sptr));
640 while (*s != 0 && !isspace(*s)) *t++ = *s++;
644 while (*s != 0 && *s != '\"')
646 *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
652 /* Update the pointer and return the terminated copy */
658 #endif /* COMPILE_UTILITY */
662 /*************************************************
663 * Format a string and save it *
664 *************************************************/
666 /* The formatting is done by string_vformat, which checks the length of
667 everything. Taint is taken from the worst of the arguments.
670 format a printf() format - deliberately char * rather than uschar *
671 because it will most usually be a literal string
672 ... arguments for format
674 Returns: pointer to fresh piece of store containing sprintf'ed string
678 string_sprintf_trc(const char *format, const uschar * func, unsigned line, ...)
680 #ifdef COMPILE_UTILITY
681 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
682 gstring gs = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
687 unsigned flags = SVFMT_REBUFFER|SVFMT_EXTEND;
692 g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
697 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
698 "string_sprintf expansion was longer than %d; format string was (%s)\n"
699 " called from %s %d\n",
700 STRING_SPRINTF_BUFFER_SIZE, format, func, line);
702 #ifdef COMPILE_UTILITY
703 return string_copyn(g->s, g->ptr);
705 gstring_release_unused(g);
706 return string_from_gstring(g);
712 /*************************************************
713 * Case-independent strncmp() function *
714 *************************************************/
720 n number of characters to compare
722 Returns: < 0, = 0, or > 0, according to the comparison
726 strncmpic(const uschar *s, const uschar *t, int n)
730 int c = tolower(*s++) - tolower(*t++);
737 /*************************************************
738 * Case-independent strcmp() function *
739 *************************************************/
746 Returns: < 0, = 0, or > 0, according to the comparison
750 strcmpic(const uschar *s, const uschar *t)
754 int c = tolower(*s++) - tolower(*t++);
755 if (c != 0) return c;
761 /*************************************************
762 * Case-independent strstr() function *
763 *************************************************/
765 /* The third argument specifies whether whitespace is required
766 to follow the matched string.
770 t substring to search for
771 space_follows if TRUE, match only if whitespace follows
773 Returns: pointer to substring in string, or NULL if not found
777 strstric(uschar *s, uschar *t, BOOL space_follows)
780 uschar *yield = NULL;
781 int cl = tolower(*p);
782 int cu = toupper(*p);
786 if (*s == cl || *s == cu)
788 if (yield == NULL) yield = s;
791 if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
799 else if (yield != NULL)
813 #ifdef COMPILE_UTILITY
814 /* Dummy version for this function; it should never be called */
816 gstring_grow(gstring * g, int count)
824 #ifndef COMPILE_UTILITY
825 /*************************************************
826 * Get next string from separated list *
827 *************************************************/
829 /* Leading and trailing space is removed from each item. The separator in the
830 list is controlled by the int pointed to by the separator argument as follows:
832 If the value is > 0 it is used as the separator. This is typically used for
833 sublists such as slash-separated options. The value is always a printing
836 (If the value is actually > UCHAR_MAX there is only one item in the list.
837 This is used for some cases when called via functions that sometimes
838 plough through lists, and sometimes are given single items.)
840 If the value is <= 0, the string is inspected for a leading <x, where x is an
841 ispunct() or an iscntrl() character. If found, x is used as the separator. If
844 (a) if separator == 0, ':' is used
845 (b) if separator <0, -separator is used
847 In all cases the value of the separator that is used is written back to the
848 int so that it is used on subsequent calls as we progress through the list.
850 A literal ispunct() separator can be represented in an item by doubling, but
851 there is no way to include an iscntrl() separator as part of the data.
854 listptr points to a pointer to the current start of the list; the
855 pointer gets updated to point after the end of the next item
856 separator a pointer to the separator character in an int (see above)
857 buffer where to put a copy of the next string in the list; or
858 NULL if the next string is returned in new memory
859 buflen when buffer is not NULL, the size of buffer; otherwise ignored
861 Returns: pointer to buffer, containing the next substring,
862 or NULL if no more substrings
866 string_nextinlist(const uschar **listptr, int *separator, uschar *buffer, int buflen)
868 int sep = *separator;
869 const uschar *s = *listptr;
874 /* This allows for a fixed specified separator to be an iscntrl() character,
875 but at the time of implementation, this is never the case. However, it's best
876 to be conservative. */
878 while (isspace(*s) && *s != sep) s++;
880 /* A change of separator is permitted, so look for a leading '<' followed by an
881 allowed character. */
885 if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
889 while (isspace(*s) && *s != sep) s++;
892 sep = sep ? -sep : ':';
896 /* An empty string has no list elements */
898 if (!*s) return NULL;
900 /* Note whether whether or not the separator is an iscntrl() character. */
902 sep_is_special = iscntrl(sep);
904 /* Handle the case when a buffer is provided. */
911 if (*s == sep && (*(++s) != sep || sep_is_special)) break;
912 if (p < buflen - 1) buffer[p++] = *s;
914 while (p > 0 && isspace(buffer[p-1])) p--;
918 /* Handle the case when a buffer is not provided. */
924 /* We know that *s != 0 at this point. However, it might be pointing to a
925 separator, which could indicate an empty string, or (if an ispunct()
926 character) could be doubled to indicate a separator character as data at the
927 start of a string. Avoid getting working memory for an empty item. */
932 if (*s != sep || sep_is_special)
935 return string_copy(US"");
939 /* Not an empty string; the first character is guaranteed to be a data
945 for (ss = s + 1; *ss && *ss != sep; ) ss++;
946 g = string_catn(g, s, ss-s);
948 if (!*s || *++s != sep || sep_is_special) break;
950 while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--;
951 buffer = string_from_gstring(g);
952 gstring_release_unused(g);
955 /* Update the current pointer and return the new string */
962 static const uschar *
963 Ustrnchr(const uschar * s, int c, unsigned * len)
968 if (!*s) return NULL;
981 /************************************************
982 * Add element to separated list *
983 ************************************************/
984 /* This function is used to build a list, returning an allocated null-terminated
985 growable string. The given element has any embedded separator characters
988 Despite having the same growable-string interface as string_cat() the list is
989 always returned null-terminated.
992 list expanding-string for the list that is being built, or NULL
993 if this is a new list that has no contents yet
994 sep list separator character
995 ele new element to be appended to the list
997 Returns: pointer to the start of the list, changed if copied for expansion.
1001 string_append_listele(gstring * list, uschar sep, const uschar * ele)
1005 if (list && list->ptr)
1006 list = string_catn(list, &sep, 1);
1008 while((sp = Ustrchr(ele, sep)))
1010 list = string_catn(list, ele, sp-ele+1);
1011 list = string_catn(list, &sep, 1);
1014 list = string_cat(list, ele);
1015 (void) string_from_gstring(list);
1021 string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
1026 if (list && list->ptr)
1027 list = string_catn(list, &sep, 1);
1029 while((sp = Ustrnchr(ele, sep, &len)))
1031 list = string_catn(list, ele, sp-ele+1);
1032 list = string_catn(list, &sep, 1);
1036 list = string_catn(list, ele, len);
1037 (void) string_from_gstring(list);
1043 /* A slightly-bogus listmaker utility; the separator is a string so
1044 can be multiple chars - there is no checking for the element content
1045 containing any of the separator. */
1048 string_append2_listele_n(gstring * list, const uschar * sepstr,
1049 const uschar * ele, unsigned len)
1051 if (list && list->ptr)
1052 list = string_cat(list, sepstr);
1054 list = string_catn(list, ele, len);
1055 (void) string_from_gstring(list);
1061 /************************************************/
1062 /* Add more space to a growable-string. The caller should check
1063 first if growth is required. The gstring struct is modified on
1064 return; specifically, the string-base-pointer may have been changed.
1067 g the growable-string
1068 count amount needed for g->ptr to increase by
1072 gstring_grow(gstring * g, int count)
1075 int oldsize = g->size;
1076 BOOL tainted = is_tainted(g->s);
1078 /* Mostly, string_cat() is used to build small strings of a few hundred
1079 characters at most. There are times, however, when the strings are very much
1080 longer (for example, a lookup that returns a vast number of alias addresses).
1081 To try to keep things reasonable, we use increments whose size depends on the
1082 existing length of the string. */
1084 unsigned inc = oldsize < 4096 ? 127 : 1023;
1086 if (count <= 0) return;
1087 g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
1089 /* Try to extend an existing allocation. If the result of calling
1090 store_extend() is false, either there isn't room in the current memory block,
1091 or this string is not the top item on the dynamic store stack. We then have
1092 to get a new chunk of store and copy the old string. When building large
1093 strings, it is helpful to call store_release() on the old string, to release
1094 memory blocks that have become empty. (The block will be freed if the string
1095 is at its start.) However, we can do this only if we know that the old string
1096 was the last item on the dynamic memory stack. This is the case if it matches
1099 if (!store_extend(g->s, tainted, oldsize, g->size))
1100 g->s = store_newblock(g->s, tainted, g->size, p);
1105 /*************************************************
1106 * Add chars to string *
1107 *************************************************/
1108 /* This function is used when building up strings of unknown length. Room is
1109 always left for a terminating zero to be added to the string that is being
1110 built. This function does not require the string that is being added to be NUL
1111 terminated, because the number of characters to add is given explicitly. It is
1112 sometimes called to extract parts of other strings.
1115 string points to the start of the string that is being built, or NULL
1116 if this is a new string that has no contents yet
1117 s points to characters to add
1118 count count of characters to add; must not exceed the length of s, if s
1121 Returns: pointer to the start of the string, changed if copied for expansion.
1122 Note that a NUL is not added, though space is left for one. This is
1123 because string_cat() is often called multiple times to build up a
1124 string - there's no point adding the NUL till the end.
1127 /* coverity[+alloc] */
1130 string_catn(gstring * g, const uschar *s, int count)
1133 BOOL srctaint = is_tainted(s);
1137 unsigned inc = count < 4096 ? 127 : 1023;
1138 unsigned size = ((count + inc) & ~inc) + 1;
1139 g = string_get_tainted(size, srctaint);
1141 else if (srctaint && !is_tainted(g->s))
1142 gstring_rebuffer(g);
1145 if (p + count >= g->size)
1146 gstring_grow(g, count);
1148 /* Because we always specify the exact number of characters to copy, we can
1149 use memcpy(), which is likely to be more efficient than strncopy() because the
1150 latter has to check for zero bytes. */
1152 memcpy(g->s + p, s, count);
1159 string_cat(gstring *string, const uschar *s)
1161 return string_catn(string, s, Ustrlen(s));
1166 /*************************************************
1167 * Append strings to another string *
1168 *************************************************/
1170 /* This function can be used to build a string from many other strings.
1171 It calls string_cat() to do the dirty work.
1174 string expanding-string that is being built, or NULL
1175 if this is a new string that has no contents yet
1176 count the number of strings to append
1177 ... "count" uschar* arguments, which must be valid zero-terminated
1180 Returns: pointer to the start of the string, changed if copied for expansion.
1181 The string is not zero-terminated - see string_cat() above.
1184 __inline__ gstring *
1185 string_append(gstring *string, int count, ...)
1189 va_start(ap, count);
1192 uschar *t = va_arg(ap, uschar *);
1193 string = string_cat(string, t);
1203 /*************************************************
1204 * Format a string with length checks *
1205 *************************************************/
1207 /* This function is used to format a string with checking of the length of the
1208 output for all conversions. It protects Exim from absent-mindedness when
1209 calling functions like debug_printf and string_sprintf, and elsewhere. There
1210 are two different entry points to what is actually the same function, depending
1211 on whether the variable length list of data arguments are given explicitly or
1214 The formats are the usual printf() ones, with some omissions (never used) and
1215 three additions for strings: %S forces lower case, %T forces upper case, and
1216 %#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
1217 (useful in debugging). There is also the addition of %D and %M, which insert
1218 the date in the form used for datestamped log files.
1221 buffer a buffer in which to put the formatted string
1222 buflen the length of the buffer
1223 format the format string - deliberately char * and not uschar *
1224 ... or ap variable list of supplementary arguments
1226 Returns: TRUE if the result fitted in the buffer
1230 string_format_trc(uschar * buffer, int buflen,
1231 const uschar * func, unsigned line, const char * format, ...)
1233 gstring g = { .size = buflen, .ptr = 0, .s = buffer }, *gp;
1235 va_start(ap, format);
1236 gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1246 /* Build or append to a growing-string, sprintf-style.
1250 func called-from function name, for debug
1251 line called-from file line number, for debug
1252 limit maximum string size
1254 format printf-like format string
1255 ap variable-args pointer
1258 SVFMT_EXTEND buffer can be created or exteded as needed
1259 SVFMT_REBUFFER buffer can be recopied to tainted mem as needed
1260 SVFMT_TAINT_NOCHK do not check inputs for taint
1262 If the "extend" flag is true, the string passed in can be NULL,
1263 empty, or non-empty. Growing is subject to an overall limit given
1264 by the limit argument.
1266 If the "extend" flag is false, the string passed in may not be NULL,
1267 will not be grown, and is usable in the original place after return.
1268 The return value can be NULL to signify overflow.
1270 Returns the possibly-new (if copy for growth or taint-handling was needed)
1271 string, not nul-terminated.
1275 string_vformat_trc(gstring * g, const uschar * func, unsigned line,
1276 unsigned size_limit, unsigned flags, const char *format, va_list ap)
1278 enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
1280 int width, precision, off, lim, need;
1281 const char * fp = format; /* Deliberately not unsigned */
1282 BOOL dest_tainted = FALSE;
1284 string_datestamp_offset = -1; /* Datestamp not inserted */
1285 string_datestamp_length = 0; /* Datestamp not inserted */
1286 string_datestamp_type = 0; /* Datestamp not inserted */
1288 #ifdef COMPILE_UTILITY
1289 assert(!(flags & SVFMT_EXTEND));
1293 /* Ensure we have a string, to save on checking later */
1294 if (!g) g = string_get(16);
1295 else if (!(flags & SVFMT_TAINT_NOCHK)) dest_tainted = is_tainted(g->s);
1297 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(format))
1299 #ifndef MACRO_PREDEF
1300 if (!(flags & SVFMT_REBUFFER))
1301 die_tainted(US"string_vformat", func, line);
1303 gstring_rebuffer(g);
1304 dest_tainted = TRUE;
1306 #endif /*!COMPILE_UTILITY*/
1308 lim = g->size - 1; /* leave one for a nul */
1309 off = g->ptr; /* remember initial offset in gstring */
1311 /* Scan the format and handle the insertions */
1315 int length = L_NORMAL;
1318 const char *null = "NULL"; /* ) These variables */
1319 const char *item_start, *s; /* ) are deliberately */
1320 char newformat[16]; /* ) not unsigned */
1321 char * gp = CS g->s + g->ptr; /* ) */
1323 /* Non-% characters just get copied verbatim */
1327 /* Avoid string_copyn() due to COMPILE_UTILITY */
1328 if ((need = g->ptr + 1) > lim)
1330 if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
1334 g->s[g->ptr++] = (uschar) *fp++;
1338 /* Deal with % characters. Pick off the width and precision, for checking
1339 strings, skipping over the flag and modifier characters. */
1342 width = precision = -1;
1344 if (strchr("-+ #0", *(++fp)) != NULL)
1346 if (*fp == '#') null = "";
1350 if (isdigit((uschar)*fp))
1352 width = *fp++ - '0';
1353 while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
1355 else if (*fp == '*')
1357 width = va_arg(ap, int);
1364 precision = va_arg(ap, int);
1368 for (precision = 0; isdigit((uschar)*fp); fp++)
1369 precision = precision*10 + *fp - '0';
1371 /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
1374 { fp++; length = L_SHORT; }
1375 else if (*fp == 'L')
1376 { fp++; length = L_LONGDOUBLE; }
1377 else if (*fp == 'l')
1379 { fp += 2; length = L_LONGLONG; }
1381 { fp++; length = L_LONG; }
1382 else if (*fp == 'z')
1383 { fp++; length = L_SIZE; }
1385 /* Handle each specific format type. */
1390 nptr = va_arg(ap, int *);
1391 *nptr = g->ptr - off;
1399 width = length > L_LONG ? 24 : 12;
1400 if ((need = g->ptr + width) > lim)
1402 if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
1403 gstring_grow(g, width);
1405 gp = CS g->s + g->ptr;
1407 strncpy(newformat, item_start, fp - item_start);
1408 newformat[fp - item_start] = 0;
1410 /* Short int is promoted to int when passing through ..., so we must use
1411 int for va_arg(). */
1417 g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
1419 g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
1421 g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
1423 g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
1430 if ((need = g->ptr + 24) > lim)
1432 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1433 gstring_grow(g, 24);
1435 gp = CS g->s + g->ptr;
1437 /* sprintf() saying "(nil)" for a null pointer seems unreliable.
1438 Handle it explicitly. */
1439 if ((ptr = va_arg(ap, void *)))
1441 strncpy(newformat, item_start, fp - item_start);
1442 newformat[fp - item_start] = 0;
1443 g->ptr += sprintf(gp, newformat, ptr);
1446 g->ptr += sprintf(gp, "(nil)");
1450 /* %f format is inherently insecure if the numbers that it may be
1451 handed are unknown (e.g. 1e300). However, in Exim, %f is used for
1452 printing load averages, and these are actually stored as integers
1453 (load average * 1000) so the size of the numbers is constrained.
1454 It is also used for formatting sending rates, where the simplicity
1455 of the format prevents overflow. */
1462 if (precision < 0) precision = 6;
1463 if ((need = g->ptr + precision + 8) > lim)
1465 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1466 gstring_grow(g, precision+8);
1468 gp = CS g->s + g->ptr;
1470 strncpy(newformat, item_start, fp - item_start);
1471 newformat[fp-item_start] = 0;
1472 if (length == L_LONGDOUBLE)
1473 g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
1475 g->ptr += sprintf(gp, newformat, va_arg(ap, double));
1481 if ((need = g->ptr + 1) > lim)
1483 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1487 g->s[g->ptr++] = (uschar) '%';
1491 if ((need = g->ptr + 1) > lim)
1493 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1497 g->s[g->ptr++] = (uschar) va_arg(ap, int);
1500 case 'D': /* Insert daily datestamp for log file names */
1501 s = CS tod_stamp(tod_log_datestamp_daily);
1502 string_datestamp_offset = g->ptr; /* Passed back via global */
1503 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1504 string_datestamp_type = tod_log_datestamp_daily;
1505 slen = string_datestamp_length;
1508 case 'M': /* Insert monthly datestamp for log file names */
1509 s = CS tod_stamp(tod_log_datestamp_monthly);
1510 string_datestamp_offset = g->ptr; /* Passed back via global */
1511 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1512 string_datestamp_type = tod_log_datestamp_monthly;
1513 slen = string_datestamp_length;
1517 case 'S': /* Forces *lower* case */
1518 case 'T': /* Forces *upper* case */
1519 s = va_arg(ap, char *);
1524 if (!(flags & SVFMT_TAINT_NOCHK) && !dest_tainted && is_tainted(s))
1525 if (flags & SVFMT_REBUFFER)
1527 gstring_rebuffer(g);
1528 gp = CS g->s + g->ptr;
1529 dest_tainted = TRUE;
1531 #ifndef MACRO_PREDEF
1533 die_tainted(US"string_vformat", func, line);
1536 INSERT_STRING: /* Come to from %D or %M above */
1539 BOOL truncated = FALSE;
1541 /* If the width is specified, check that there is a precision
1542 set; if not, set it to the width to prevent overruns of long
1547 if (precision < 0) precision = width;
1550 /* If a width is not specified and the precision is specified, set
1551 the width to the precision, or the string length if shorted. */
1553 else if (precision >= 0)
1554 width = precision < slen ? precision : slen;
1556 /* If neither are specified, set them both to the string length. */
1559 width = precision = slen;
1561 if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
1563 if (g->ptr == lim) return NULL;
1567 width = precision = lim - g->ptr - 1;
1568 if (width < 0) width = 0;
1569 if (precision < 0) precision = 0;
1572 else if (need > lim)
1574 gstring_grow(g, width);
1576 gp = CS g->s + g->ptr;
1579 g->ptr += sprintf(gp, "%*.*s", width, precision, s);
1581 while (*gp) { *gp = tolower(*gp); gp++; }
1582 else if (fp[-1] == 'T')
1583 while (*gp) { *gp = toupper(*gp); gp++; }
1585 if (truncated) return NULL;
1589 /* Some things are never used in Exim; also catches junk. */
1592 strncpy(newformat, item_start, fp - item_start);
1593 newformat[fp-item_start] = 0;
1594 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
1595 "in \"%s\" in \"%s\"", newformat, format);
1600 if (g->ptr > g->size)
1601 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1602 "string_format internal error: caller %s %d", func, line);
1608 #ifndef COMPILE_UTILITY
1609 /*************************************************
1610 * Generate an "open failed" message *
1611 *************************************************/
1613 /* This function creates a message after failure to open a file. It includes a
1614 string supplied as data, adds the strerror() text, and if the failure was
1615 "Permission denied", reads and includes the euid and egid.
1618 eno the value of errno after the failure
1619 format a text format string - deliberately not uschar *
1620 ... arguments for the format string
1622 Returns: a message, in dynamic store
1626 string_open_failed_trc(int eno, const uschar * func, unsigned line,
1627 const char *format, ...)
1630 gstring * g = string_get(1024);
1632 g = string_catn(g, US"failed to open ", 15);
1634 /* Use the checked formatting routine to ensure that the buffer
1635 does not overflow. It should not, since this is called only for internally
1636 specified messages. If it does, the message just gets truncated, and there
1637 doesn't seem much we can do about that. */
1639 va_start(ap, format);
1640 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1642 string_from_gstring(g);
1643 gstring_release_unused(g);
1646 return eno == EACCES
1647 ? string_sprintf("%s: %s (euid=%ld egid=%ld)", g->s, strerror(eno),
1648 (long int)geteuid(), (long int)getegid())
1649 : string_sprintf("%s: %s", g->s, strerror(eno));
1651 #endif /* COMPILE_UTILITY */
1657 #ifndef COMPILE_UTILITY
1658 /* qsort(3), currently used to sort the environment variables
1659 for -bP environment output, needs a function to compare two pointers to string
1660 pointers. Here it is. */
1663 string_compare_by_pointer(const void *a, const void *b)
1665 return Ustrcmp(* CUSS a, * CUSS b);
1667 #endif /* COMPILE_UTILITY */
1672 /*************************************************
1673 **************************************************
1674 * Stand-alone test program *
1675 **************************************************
1676 *************************************************/
1683 printf("Testing is_ip_address\n");
1685 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1688 buffer[Ustrlen(buffer) - 1] = 0;
1689 printf("%d\n", string_is_ip_address(buffer, NULL));
1690 printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
1693 printf("Testing string_nextinlist\n");
1695 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1697 uschar *list = buffer;
1705 sep1 = sep2 = list[1];
1712 uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
1713 uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
1715 if (item1 == NULL && item2 == NULL) break;
1716 if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
1718 printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
1719 (item1 == NULL)? "NULL" : CS item1,
1720 (item2 == NULL)? "NULL" : CS item2);
1723 else printf(" \"%s\"\n", CS item1);
1727 /* This is a horrible lash-up, but it serves its purpose. */
1729 printf("Testing string_format\n");
1731 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1734 long long llargs[3];
1744 buffer[Ustrlen(buffer) - 1] = 0;
1746 s = Ustrchr(buffer, ',');
1747 if (s == NULL) s = buffer + Ustrlen(buffer);
1749 Ustrncpy(format, buffer, s - buffer);
1750 format[s-buffer] = 0;
1757 s = Ustrchr(ss, ',');
1758 if (s == NULL) s = ss + Ustrlen(ss);
1762 Ustrncpy(outbuf, ss, s-ss);
1763 if (Ustrchr(outbuf, '.') != NULL)
1766 dargs[n++] = Ustrtod(outbuf, NULL);
1768 else if (Ustrstr(outbuf, "ll") != NULL)
1771 llargs[n++] = strtoull(CS outbuf, NULL, 10);
1775 args[n++] = (void *)Uatoi(outbuf);
1779 else if (Ustrcmp(ss, "*") == 0)
1781 args[n++] = (void *)(&count);
1787 uschar *sss = malloc(s - ss + 1);
1788 Ustrncpy(sss, ss, s-ss);
1795 if (!dflag && !llflag)
1796 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1797 args[0], args[1], args[2])? "True" : "False");
1800 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1801 dargs[0], dargs[1], dargs[2])? "True" : "False");
1803 else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1804 llargs[0], llargs[1], llargs[2])? "True" : "False");
1806 printf("%s\n", CS outbuf);
1807 if (countset) printf("count=%d\n", count);
1814 /* End of string.c */