1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2002 Tim J. Robbins.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
#include "namespace.h"
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <paths.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wordexp.h>
#include "un-namespace.h"
#include "libc_private.h"
/* Private helpers; both are defined later in this file. */
static int	we_askshell(const char *words, wordexp_t *we, int flags);
static int	we_check(const char *words);
46
/*
 * wordexp --
 *	Perform shell word expansion on `words' and place the resulting list
 *	of words in `we'.  See wordexp(3).
 *
 *	Returns 0 on success or a WRDE_* error code.  On any failure `we' is
 *	released with wordfree(), so when WRDE_APPEND is set the words from
 *	earlier calls are released as well.
 *
 *	The expansion itself is done by /bin/sh (see we_askshell()), and
 *	we_check() only screens for a few unquoted special characters.
 *	Callers should therefore treat `words' as shell input; text from an
 *	untrusted source should at least be expanded with WRDE_NOCMD.
 *
 *	Specified by IEEE Std. 1003.1-2001.
 */
int
wordexp(const char * __restrict words, wordexp_t * __restrict we, int flags)
{
	int rc;

	if ((flags & WRDE_REUSE) != 0)
		wordfree(we);
	if ((flags & WRDE_APPEND) == 0) {
		/* Not appending: start from an empty result. */
		we->we_nbytes = 0;
		we->we_strings = NULL;
		we->we_wordv = NULL;
		we->we_wordc = 0;
	}

	/* Screen the string first; only ask the shell if that passes. */
	rc = we_check(words);
	if (rc == 0)
		rc = we_askshell(words, we, flags);
	if (rc != 0)
		wordfree(we);
	return (rc);
}
77
/*
 * we_read_fully --
 *	Read up to `len' bytes from `fd' into `buffer', retrying when _read()
 *	is interrupted (EINTR) or returns fewer bytes than requested.
 *	Returns the number of bytes stored, which is less than `len' if end
 *	of file or a read error is reached first.
 */
static size_t
we_read_fully(int fd, char *buffer, size_t len)
{
	size_t total = 0;
	ssize_t got;

	do {
		got = _read(fd, buffer + total, len - total);
		if (got > 0)
			total += got;
		else if (got != -1 || errno != EINTR)
			break;		/* EOF or a real error */
		/* An interrupted read falls through and is retried. */
	} while (total != len);
	return total;
}
95
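/*
 * we_write_fully --
 *	Write all `len' bytes of `buffer' to `fd', retrying when _write() is
 *	interrupted (EINTR) or accepts only part of the data.
 *	Returns true once everything has been written and false if a write
 *	fails or makes no progress.
 *
 *	A zero-length request succeeds without calling _write().  The former
 *	do/while loop always issued one write, and a 0 return from a 0-byte
 *	write was taken as failure, so an empty word string made
 *	we_askshell() return WRDE_SYNTAX.
 */
static bool
we_write_fully(int fd, const char *buffer, size_t len)
{
	size_t done;
	ssize_t nwritten;

	done = 0;
	while (done < len) {
		nwritten = _write(fd, buffer + done, len - done);
		if (nwritten == -1 && errno == EINTR)
			continue;
		if (nwritten <= 0)
			return (false);
		done += nwritten;
	}
	return (true);
}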
113
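/*
 * we_askshell --
 *	Use the `freebsd_wordexp' /bin/sh builtin function to do most of the
 *	work in expanding the word string.  This function is complicated by
 *	memory management.
 *
 *	`words' is sent to a forked /bin/sh over one pipe and the reply is
 *	read back over a second one.  On success the new words are added to
 *	we->we_strings / we->we_wordv and 0 is returned.  On failure a WRDE_*
 *	code is returned and `we' may be left partly updated; wordexp()
 *	releases it with wordfree().  Failure paths that reach `cleanup'
 *	set errno from serrno.
 *
 *	SIGCHLD is blocked from before the fork() until the child has been
 *	reaped.
 *
 *	Security note: the shell performs the expansion, so `words' has to be
 *	treated like shell input.  "-p" is passed to the builtin only when
 *	WRDE_NOCMD is set (presumably making it refuse command substitution,
 *	which is reported back as WRDE_CMDSUB -- confirm against sh).
 *	Callers should not pass text from an untrusted source without it.
 */
static int
we_askshell(const char *words, wordexp_t *we, int flags)
{
	int pdesw[2];			/* Pipe for writing words */
	int pdes[2];			/* Pipe for reading output */
	char wfdstr[sizeof(int) * 3 + 1];
	char buf[35];			/* Buffer for byte and word count */
	long nwords, nbytes;		/* Number of words, bytes from child */
	long i;				/* Handy integer */
	size_t sofs;			/* Offset into we->we_strings */
	size_t vofs;			/* Offset into we->we_wordv */
	pid_t pid;			/* Process ID of child */
	pid_t wpid;			/* waitpid return value */
	int status;			/* Child exit status */
	int error;			/* Our return value */
	int serrno;			/* errno to return */
	int perrno;			/* errno saved around strtol() */
	char *np, *p;			/* Handy pointers */
	char *nstrings;			/* Temporary for realloc() */
	char **nwv;			/* Temporary for realloc() */
	sigset_t newsigblock, oldsigblock;
	const char *ifs;

	serrno = errno;
	ifs = getenv("IFS");

	if (pipe2(pdesw, O_CLOEXEC) < 0)
		return (WRDE_NOSPACE);	/* XXX */
	/* The child is told which descriptor to read the words from. */
	snprintf(wfdstr, sizeof(wfdstr), "%d", pdesw[0]);
	if (pipe2(pdes, O_CLOEXEC) < 0) {
		_close(pdesw[0]);
		_close(pdesw[1]);
		return (WRDE_NOSPACE);	/* XXX */
	}
	(void)sigemptyset(&newsigblock);
	(void)sigaddset(&newsigblock, SIGCHLD);
	(void)__libc_sigprocmask(SIG_BLOCK, &newsigblock, &oldsigblock);
	if ((pid = fork()) < 0) {
		serrno = errno;
		_close(pdesw[0]);
		_close(pdesw[1]);
		_close(pdes[0]);
		_close(pdes[1]);
		(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
		errno = serrno;
		return (WRDE_NOSPACE);	/* XXX */
	}
	else if (pid == 0) {
		/*
		 * We are the child; make /bin/sh expand `words'.
		 * Both pipes were created close-on-exec, so the two
		 * descriptors the shell needs have that flag cleared
		 * (or are duplicated onto stdout) before the exec.
		 */
		(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
		if ((pdes[1] != STDOUT_FILENO ?
		    _dup2(pdes[1], STDOUT_FILENO) :
		    _fcntl(pdes[1], F_SETFD, 0)) < 0)
			_exit(1);
		if (_fcntl(pdesw[0], F_SETFD, 0) < 0)
			_exit(1);
		/*
		 * The script text is constant; IFS, the optional stderr
		 * redirection, the descriptor number and "-p" are passed as
		 * positional parameters rather than pasted into it.
		 */
		execl(_PATH_BSHELL, "sh", flags & WRDE_UNDEF ? "-u" : "+u",
		    "-c", "IFS=$1;eval \"$2\";"
		    "freebsd_wordexp -f \"$3\" ${4:+\"$4\"}",
		    "",
		    ifs != NULL ? ifs : " \t\n",
		    flags & WRDE_SHOWERR ? "" : "exec 2>/dev/null",
		    wfdstr,
		    flags & WRDE_NOCMD ? "-p" : "",
		    (char *)NULL);
		_exit(1);
	}

	/*
	 * We are the parent; write the words.
	 */
	_close(pdes[1]);
	_close(pdesw[0]);
	if (!we_write_fully(pdesw[1], words, strlen(words))) {
		_close(pdesw[1]);
		error = WRDE_SYNTAX;
		goto cleanup;
	}
	_close(pdesw[1]);
	/*
	 * Read the output of the shell wordexp function,
	 * which is a byte indicating that the words were parsed successfully,
	 * a 64-bit hexadecimal word count, a dummy byte, a 64-bit hexadecimal
	 * byte count (not including terminating null bytes), followed by the
	 * expanded words separated by nulls.
	 */
	switch (we_read_fully(pdes[0], buf, 34)) {
	case 1:
		error = buf[0] == 'C' ? WRDE_CMDSUB : WRDE_BADVAL;
		serrno = errno;
		goto cleanup;
	case 34:
		break;
	default:
		error = WRDE_SYNTAX;
		serrno = errno;
		goto cleanup;
	}

	/*
	 * The two counts come from another process and are about to be used
	 * as allocation and read sizes.  Reject values that do not fit in a
	 * long, are negative, or whose sum would overflow.  errno is saved
	 * and put back because only strtol()'s ERANGE is of interest here.
	 */
	buf[17] = '\0';
	buf[34] = '\0';
	perrno = errno;
	errno = 0;
	nwords = strtol(buf + 1, NULL, 16);
	nbytes = strtol(buf + 18, NULL, 16);
	if (errno == ERANGE || nwords < 0 || nbytes < 0 ||
	    nbytes > LONG_MAX - nwords) {
		error = WRDE_NOSPACE;	/* implausible size from child */
		goto cleanup;
	}
	errno = perrno;
	nbytes += nwords;		/* one terminating null per word */

	/*
	 * Allocate or reallocate (when flags & WRDE_APPEND) the word vector
	 * and string storage buffers for the expanded words we're about to
	 * read from the child.
	 */
	sofs = we->we_nbytes;
	vofs = we->we_wordc;
	if ((flags & (WRDE_DOOFFS|WRDE_APPEND)) == (WRDE_DOOFFS|WRDE_APPEND))
		vofs += we->we_offs;
	we->we_wordc += nwords;
	we->we_nbytes += nbytes;
	if ((nwv = reallocarray(we->we_wordv, (we->we_wordc + 1 +
	    (flags & WRDE_DOOFFS ? we->we_offs : 0)),
	    sizeof(char *))) == NULL) {
		error = WRDE_NOSPACE;
		goto cleanup;
	}
	we->we_wordv = nwv;
	if ((nstrings = realloc(we->we_strings, we->we_nbytes)) == NULL) {
		error = WRDE_NOSPACE;
		goto cleanup;
	}
	/* Rebase the existing word pointers onto the new string buffer. */
	for (i = 0; i < vofs; i++)
		if (we->we_wordv[i] != NULL)
			we->we_wordv[i] += nstrings - we->we_strings;
	we->we_strings = nstrings;

	if (we_read_fully(pdes[0], we->we_strings + sofs, (size_t)nbytes) !=
	    (size_t)nbytes) {
		error = WRDE_NOSPACE; /* abort for unknown reason */
		serrno = errno;
		goto cleanup;
	}

	error = 0;
cleanup:
	_close(pdes[0]);
	/* Reap the child, retrying if the wait is interrupted. */
	do
		wpid = _waitpid(pid, &status, 0);
	while (wpid < 0 && errno == EINTR);
	(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
	if (error != 0) {
		errno = serrno;
		return (error);
	}
	if (wpid < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
		return (WRDE_NOSPACE); /* abort for unknown reason */

	/*
	 * Break the null-terminated expanded word strings out into
	 * the vector.
	 */
	if (vofs == 0 && flags & WRDE_DOOFFS)
		while (vofs < we->we_offs)
			we->we_wordv[vofs++] = NULL;
	p = we->we_strings + sofs;
	while (nwords-- != 0) {
		we->we_wordv[vofs++] = p;
		/* Fewer terminators than announced words: give up. */
		if ((np = memchr(p, '\0', nbytes)) == NULL)
			return (WRDE_NOSPACE); /* XXX */
		nbytes -= np - p + 1;
		p = np + 1;
	}
	we->we_wordv[vofs] = NULL;

	return (0);
}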
290
/*
 * we_check --
 *	Check that the string contains none of the following unquoted
 *	special characters: <newline> |&;<>(){}
 *	This mainly serves for {} which are normally legal in sh.
 *	It deliberately does not attempt to model full sh syntax.
 *
 *	Returns WRDE_BADCHAR for such a character, WRDE_SYNTAX when the
 *	string ends with a pending backslash or `$' or with an opener that
 *	was never closed, and 0 otherwise.
 *
 *	The "seen" flags below are never cleared, so the test gets more
 *	permissive once a quote or substitution has appeared.  This is a
 *	sanity pre-check, not a filter that makes untrusted input safe.
 */
static int
we_check(const char *words)
{
	/* Previous character was \ or $, possibly not special: */
	bool esc = false, dlr = false;
	/* Saw ', ", ${, ` or $(, possibly not special: */
	bool seen_sq = false, seen_dq = false, seen_brace = false;
	bool seen_cmd = false;
	/* Definitely saw a ', ", ${, ` or $(, need a closing character: */
	bool open_sq = false, open_dq = false, open_brace = false;
	bool open_bq = false, open_paren = false;
	/* No backslash pending and no quote character seen so far: */
	bool bare;
	const char *s;

	for (s = words; *s != '\0'; s++) {
		/* \ and $ only arm a flag that applies to the next char. */
		if (*s == '\\') {
			esc = !esc;
			continue;
		}
		if (*s == '$') {
			if (esc)
				esc = false;
			else
				dlr = !dlr;
			continue;
		}

		bare = !esc && !seen_sq && !seen_dq;
		switch (*s) {
		case '\'':
			open_sq = bare;
			seen_sq = true;
			break;
		case '"':
			open_dq = bare;
			seen_dq = true;
			break;
		case '`':
			open_bq = !esc && !seen_sq && !seen_cmd;
			seen_cmd = true;
			break;
		case '{':
			if (bare && !dlr && !seen_cmd)
				return (WRDE_BADCHAR);
			if (dlr) {
				if (!esc && !seen_sq)
					open_brace = true;
				seen_brace = true;
			}
			break;
		case '}':
			if (bare && !seen_brace && !seen_cmd)
				return (WRDE_BADCHAR);
			open_brace = false;
			break;
		case '(':
			if (bare && !dlr && !seen_cmd)
				return (WRDE_BADCHAR);
			if (dlr) {
				if (!esc && !seen_sq)
					open_paren = true;
				seen_cmd = true;
			}
			break;
		case ')':
			if (bare && !seen_cmd)
				return (WRDE_BADCHAR);
			open_paren = false;
			break;
		case '|': case '&': case ';': case '<': case '>': case '\n':
			if (bare && !seen_cmd)
				return (WRDE_BADCHAR);
			break;
		default:
			break;
		}
		/* Any other character consumes a pending \ or $. */
		esc = dlr = false;
	}

	if (esc || dlr || open_sq || open_dq || open_brace ||
	    open_bq || open_paren)
		return (WRDE_SYNTAX);

	return (0);
}
389
/*
 * wordfree --
 *	Free the result of wordexp().  See wordexp(3).
 *
 *	A NULL `we' is ignored.  Otherwise the word vector and the string
 *	storage are freed and the pointers and counters are reset, so
 *	calling wordfree() again on the same structure is harmless.
 *
 *	Specified by IEEE Std. 1003.1-2001.
 */
void
wordfree(wordexp_t *we)
{

	if (we != NULL) {
		free(we->we_strings);
		we->we_strings = NULL;
		we->we_nbytes = 0;
		free(we->we_wordv);
		we->we_wordv = NULL;
		we->we_wordc = 0;
	}
}
409