1/*
2 * I'm tired of doing "vsnprintf()" etc just to open a
3 * file, so here's a "return static buffer with printf"
4 * interface for paths.
5 *
6 * It's obviously not thread-safe. Sue me. But it's quite
7 * useful for doing things like
8 *
9 * f = open(mkpath("%s/%s.git", base, name), O_RDONLY);
10 *
11 * which is what it's designed for.
12 */
13#include "cache.h"
14#include "strbuf.h"
15
16static char bad_path[] = "/bad-path/";
17
18static char *get_pathname(void)
19{
20 static char pathname_array[4][PATH_MAX];
21 static int index;
22 return pathname_array[3 & ++index];
23}
24
25static char *cleanup_path(char *path)
26{
27 /* Clean it up */
28 if (!memcmp(path, "./", 2)) {
29 path += 2;
30 while (*path == '/')
31 path++;
32 }
33 return path;
34}
35
36char *mksnpath(char *buf, size_t n, const char *fmt, ...)
37{
38 va_list args;
39 unsigned len;
40
41 va_start(args, fmt);
42 len = vsnprintf(buf, n, fmt, args);
43 va_end(args);
44 if (len >= n) {
45 strlcpy(buf, bad_path, n);
46 return buf;
47 }
48 return cleanup_path(buf);
49}
50
51static char *git_vsnpath(char *buf, size_t n, const char *fmt, va_list args)
52{
53 const char *git_dir = get_git_dir();
54 size_t len;
55
56 len = strlen(git_dir);
57 if (n < len + 1)
58 goto bad;
59 memcpy(buf, git_dir, len);
60 if (len && !is_dir_sep(git_dir[len-1]))
61 buf[len++] = '/';
62 len += vsnprintf(buf + len, n - len, fmt, args);
63 if (len >= n)
64 goto bad;
65 return cleanup_path(buf);
66bad:
67 strlcpy(buf, bad_path, n);
68 return buf;
69}
70
71char *git_snpath(char *buf, size_t n, const char *fmt, ...)
72{
73 va_list args;
74 va_start(args, fmt);
75 (void)git_vsnpath(buf, n, fmt, args);
76 va_end(args);
77 return buf;
78}
79
80char *git_pathdup(const char *fmt, ...)
81{
82 char path[PATH_MAX];
83 va_list args;
84 va_start(args, fmt);
85 (void)git_vsnpath(path, sizeof(path), fmt, args);
86 va_end(args);
87 return xstrdup(path);
88}
89
90char *mkpath(const char *fmt, ...)
91{
92 va_list args;
93 unsigned len;
94 char *pathname = get_pathname();
95
96 va_start(args, fmt);
97 len = vsnprintf(pathname, PATH_MAX, fmt, args);
98 va_end(args);
99 if (len >= PATH_MAX)
100 return bad_path;
101 return cleanup_path(pathname);
102}
103
104char *git_path(const char *fmt, ...)
105{
106 const char *git_dir = get_git_dir();
107 char *pathname = get_pathname();
108 va_list args;
109 unsigned len;
110
111 len = strlen(git_dir);
112 if (len > PATH_MAX-100)
113 return bad_path;
114 memcpy(pathname, git_dir, len);
115 if (len && git_dir[len-1] != '/')
116 pathname[len++] = '/';
117 va_start(args, fmt);
118 len += vsnprintf(pathname + len, PATH_MAX - len, fmt, args);
119 va_end(args);
120 if (len >= PATH_MAX)
121 return bad_path;
122 return cleanup_path(pathname);
123}
124
125
126/* git_mkstemp() - create tmp file honoring TMPDIR variable */
127int git_mkstemp(char *path, size_t len, const char *template)
128{
129 const char *tmp;
130 size_t n;
131
132 tmp = getenv("TMPDIR");
133 if (!tmp)
134 tmp = "/tmp";
135 n = snprintf(path, len, "%s/%s", tmp, template);
136 if (len <= n) {
137 errno = ENAMETOOLONG;
138 return -1;
139 }
140 return mkstemp(path);
141}
142
143/* git_mkstemps() - create tmp file with suffix honoring TMPDIR variable. */
144int git_mkstemps(char *path, size_t len, const char *template, int suffix_len)
145{
146 const char *tmp;
147 size_t n;
148
149 tmp = getenv("TMPDIR");
150 if (!tmp)
151 tmp = "/tmp";
152 n = snprintf(path, len, "%s/%s", tmp, template);
153 if (len <= n) {
154 errno = ENAMETOOLONG;
155 return -1;
156 }
157 return mkstemps(path, suffix_len);
158}
159
160int validate_headref(const char *path)
161{
162 struct stat st;
163 char *buf, buffer[256];
164 unsigned char sha1[20];
165 int fd;
166 ssize_t len;
167
168 if (lstat(path, &st) < 0)
169 return -1;
170
171 /* Make sure it is a "refs/.." symlink */
172 if (S_ISLNK(st.st_mode)) {
173 len = readlink(path, buffer, sizeof(buffer)-1);
174 if (len >= 5 && !memcmp("refs/", buffer, 5))
175 return 0;
176 return -1;
177 }
178
179 /*
180 * Anything else, just open it and try to see if it is a symbolic ref.
181 */
182 fd = open(path, O_RDONLY);
183 if (fd < 0)
184 return -1;
185 len = read_in_full(fd, buffer, sizeof(buffer)-1);
186 close(fd);
187
188 /*
189 * Is it a symbolic ref?
190 */
191 if (len < 4)
192 return -1;
193 if (!memcmp("ref:", buffer, 4)) {
194 buf = buffer + 4;
195 len -= 4;
196 while (len && isspace(*buf))
197 buf++, len--;
198 if (len >= 5 && !memcmp("refs/", buf, 5))
199 return 0;
200 }
201
202 /*
203 * Is this a detached HEAD?
204 */
205 if (!get_sha1_hex(buffer, sha1))
206 return 0;
207
208 return -1;
209}
210
211static struct passwd *getpw_str(const char *username, size_t len)
212{
213 struct passwd *pw;
214 char *username_z = xmalloc(len + 1);
215 memcpy(username_z, username, len);
216 username_z[len] = '\0';
217 pw = getpwnam(username_z);
218 free(username_z);
219 return pw;
220}
221
222/*
223 * Return a string with ~ and ~user expanded via getpw*. If buf != NULL,
224 * then it is a newly allocated string. Returns NULL on getpw failure or
225 * if path is NULL.
226 */
227char *expand_user_path(const char *path)
228{
229 struct strbuf user_path = STRBUF_INIT;
230 const char *first_slash = strchrnul(path, '/');
231 const char *to_copy = path;
232
233 if (path == NULL)
234 goto return_null;
235 if (path[0] == '~') {
236 const char *username = path + 1;
237 size_t username_len = first_slash - username;
238 if (username_len == 0) {
239 const char *home = getenv("HOME");
240 strbuf_add(&user_path, home, strlen(home));
241 } else {
242 struct passwd *pw = getpw_str(username, username_len);
243 if (!pw)
244 goto return_null;
245 strbuf_add(&user_path, pw->pw_dir, strlen(pw->pw_dir));
246 }
247 to_copy = first_slash;
248 }
249 strbuf_add(&user_path, to_copy, strlen(to_copy));
250 return strbuf_detach(&user_path, NULL);
251return_null:
252 strbuf_release(&user_path);
253 return NULL;
254}
255
256/*
257 * First, one directory to try is determined by the following algorithm.
258 *
259 * (0) If "strict" is given, the path is used as given and no DWIM is
260 * done. Otherwise:
261 * (1) "~/path" to mean path under the running user's home directory;
262 * (2) "~user/path" to mean path under named user's home directory;
263 * (3) "relative/path" to mean cwd relative directory; or
264 * (4) "/absolute/path" to mean absolute directory.
265 *
266 * Unless "strict" is given, we try access() for existence of "%s.git/.git",
267 * "%s/.git", "%s.git", "%s" in this order. The first one that exists is
268 * what we try.
269 *
270 * Second, we try chdir() to that. Upon failure, we return NULL.
271 *
272 * Then, we try if the current directory is a valid git repository.
273 * Upon failure, we return NULL.
274 *
275 * If all goes well, we return the directory we used to chdir() (but
276 * before ~user is expanded), avoiding getcwd() resolving symbolic
277 * links. User relative paths are also returned as they are given,
278 * except DWIM suffixing.
279 */
280char *enter_repo(char *path, int strict)
281{
282 static char used_path[PATH_MAX];
283 static char validated_path[PATH_MAX];
284
285 if (!path)
286 return NULL;
287
288 if (!strict) {
289 static const char *suffix[] = {
290 ".git/.git", "/.git", ".git", "", NULL,
291 };
292 int len = strlen(path);
293 int i;
294 while ((1 < len) && (path[len-1] == '/')) {
295 path[len-1] = 0;
296 len--;
297 }
298 if (PATH_MAX <= len)
299 return NULL;
300 if (path[0] == '~') {
301 char *newpath = expand_user_path(path);
302 if (!newpath || (PATH_MAX - 10 < strlen(newpath))) {
303 free(newpath);
304 return NULL;
305 }
306 /*
307 * Copy back into the static buffer. A pity
308 * since newpath was not bounded, but other
309 * branches of the if are limited by PATH_MAX
310 * anyway.
311 */
312 strcpy(used_path, newpath); free(newpath);
313 strcpy(validated_path, path);
314 path = used_path;
315 }
316 else if (PATH_MAX - 10 < len)
317 return NULL;
318 else {
319 path = strcpy(used_path, path);
320 strcpy(validated_path, path);
321 }
322 len = strlen(path);
323 for (i = 0; suffix[i]; i++) {
324 strcpy(path + len, suffix[i]);
325 if (!access(path, F_OK)) {
326 strcat(validated_path, suffix[i]);
327 break;
328 }
329 }
330 if (!suffix[i] || chdir(path))
331 return NULL;
332 path = validated_path;
333 }
334 else if (chdir(path))
335 return NULL;
336
337 if (access("objects", X_OK) == 0 && access("refs", X_OK) == 0 &&
338 validate_headref("HEAD") == 0) {
339 setenv(GIT_DIR_ENVIRONMENT, ".", 1);
340 check_repository_format();
341 return path;
342 }
343
344 return NULL;
345}
346
347int set_shared_perm(const char *path, int mode)
348{
349 struct stat st;
350 int tweak, shared, orig_mode;
351
352 if (!shared_repository) {
353 if (mode)
354 return chmod(path, mode & ~S_IFMT);
355 return 0;
356 }
357 if (!mode) {
358 if (lstat(path, &st) < 0)
359 return -1;
360 mode = st.st_mode;
361 orig_mode = mode;
362 } else
363 orig_mode = 0;
364 if (shared_repository < 0)
365 shared = -shared_repository;
366 else
367 shared = shared_repository;
368 tweak = shared;
369
370 if (!(mode & S_IWUSR))
371 tweak &= ~0222;
372 if (mode & S_IXUSR)
373 /* Copy read bits to execute bits */
374 tweak |= (tweak & 0444) >> 2;
375 if (shared_repository < 0)
376 mode = (mode & ~0777) | tweak;
377 else
378 mode |= tweak;
379
380 if (S_ISDIR(mode)) {
381 /* Copy read bits to execute bits */
382 mode |= (shared & 0444) >> 2;
383 mode |= FORCE_DIR_SET_GID;
384 }
385
386 if (((shared_repository < 0
387 ? (orig_mode & (FORCE_DIR_SET_GID | 0777))
388 : (orig_mode & mode)) != mode) &&
389 chmod(path, (mode & ~S_IFMT)) < 0)
390 return -2;
391 return 0;
392}
393
394const char *make_relative_path(const char *abs, const char *base)
395{
396 static char buf[PATH_MAX + 1];
397 int baselen;
398 if (!base)
399 return abs;
400 baselen = strlen(base);
401 if (prefixcmp(abs, base))
402 return abs;
403 if (abs[baselen] == '/')
404 baselen++;
405 else if (base[baselen - 1] != '/')
406 return abs;
407 strcpy(buf, abs + baselen);
408 return buf;
409}
410
411/*
412 * It is okay if dst == src, but they should not overlap otherwise.
413 *
414 * Performs the following normalizations on src, storing the result in dst:
415 * - Ensures that components are separated by '/' (Windows only)
416 * - Squashes sequences of '/'.
417 * - Removes "." components.
418 * - Removes ".." components, and the components the precede them.
419 * Returns failure (non-zero) if a ".." component appears as first path
420 * component anytime during the normalization. Otherwise, returns success (0).
421 *
422 * Note that this function is purely textual. It does not follow symlinks,
423 * verify the existence of the path, or make any system calls.
424 */
425int normalize_path_copy(char *dst, const char *src)
426{
427 char *dst0;
428
429 if (has_dos_drive_prefix(src)) {
430 *dst++ = *src++;
431 *dst++ = *src++;
432 }
433 dst0 = dst;
434
435 if (is_dir_sep(*src)) {
436 *dst++ = '/';
437 while (is_dir_sep(*src))
438 src++;
439 }
440
441 for (;;) {
442 char c = *src;
443
444 /*
445 * A path component that begins with . could be
446 * special:
447 * (1) "." and ends -- ignore and terminate.
448 * (2) "./" -- ignore them, eat slash and continue.
449 * (3) ".." and ends -- strip one and terminate.
450 * (4) "../" -- strip one, eat slash and continue.
451 */
452 if (c == '.') {
453 if (!src[1]) {
454 /* (1) */
455 src++;
456 } else if (is_dir_sep(src[1])) {
457 /* (2) */
458 src += 2;
459 while (is_dir_sep(*src))
460 src++;
461 continue;
462 } else if (src[1] == '.') {
463 if (!src[2]) {
464 /* (3) */
465 src += 2;
466 goto up_one;
467 } else if (is_dir_sep(src[2])) {
468 /* (4) */
469 src += 3;
470 while (is_dir_sep(*src))
471 src++;
472 goto up_one;
473 }
474 }
475 }
476
477 /* copy up to the next '/', and eat all '/' */
478 while ((c = *src++) != '\0' && !is_dir_sep(c))
479 *dst++ = c;
480 if (is_dir_sep(c)) {
481 *dst++ = '/';
482 while (is_dir_sep(c))
483 c = *src++;
484 src--;
485 } else if (!c)
486 break;
487 continue;
488
489 up_one:
490 /*
491 * dst0..dst is prefix portion, and dst[-1] is '/';
492 * go up one level.
493 */
494 dst--; /* go to trailing '/' */
495 if (dst <= dst0)
496 return -1;
497 /* Windows: dst[-1] cannot be backslash anymore */
498 while (dst0 < dst && dst[-1] != '/')
499 dst--;
500 }
501 *dst = '\0';
502 return 0;
503}
504
505/*
506 * path = Canonical absolute path
507 * prefix_list = Colon-separated list of absolute paths
508 *
509 * Determines, for each path in prefix_list, whether the "prefix" really
510 * is an ancestor directory of path. Returns the length of the longest
511 * ancestor directory, excluding any trailing slashes, or -1 if no prefix
512 * is an ancestor. (Note that this means 0 is returned if prefix_list is
513 * "/".) "/foo" is not considered an ancestor of "/foobar". Directories
514 * are not considered to be their own ancestors. path must be in a
515 * canonical form: empty components, or "." or ".." components are not
516 * allowed. prefix_list may be null, which is like "".
517 */
518int longest_ancestor_length(const char *path, const char *prefix_list)
519{
520 char buf[PATH_MAX+1];
521 const char *ceil, *colon;
522 int len, max_len = -1;
523
524 if (prefix_list == NULL || !strcmp(path, "/"))
525 return -1;
526
527 for (colon = ceil = prefix_list; *colon; ceil = colon+1) {
528 for (colon = ceil; *colon && *colon != PATH_SEP; colon++);
529 len = colon - ceil;
530 if (len == 0 || len > PATH_MAX || !is_absolute_path(ceil))
531 continue;
532 strlcpy(buf, ceil, len+1);
533 if (normalize_path_copy(buf, buf) < 0)
534 continue;
535 len = strlen(buf);
536 if (len > 0 && buf[len-1] == '/')
537 buf[--len] = '\0';
538
539 if (!strncmp(path, buf, len) &&
540 path[len] == '/' &&
541 len > max_len) {
542 max_len = len;
543 }
544 }
545
546 return max_len;
547}
548
549/* strip arbitrary amount of directory separators at end of path */
550static inline int chomp_trailing_dir_sep(const char *path, int len)
551{
552 while (len && is_dir_sep(path[len - 1]))
553 len--;
554 return len;
555}
556
557/*
558 * If path ends with suffix (complete path components), returns the
559 * part before suffix (sans trailing directory separators).
560 * Otherwise returns NULL.
561 */
562char *strip_path_suffix(const char *path, const char *suffix)
563{
564 int path_len = strlen(path), suffix_len = strlen(suffix);
565
566 while (suffix_len) {
567 if (!path_len)
568 return NULL;
569
570 if (is_dir_sep(path[path_len - 1])) {
571 if (!is_dir_sep(suffix[suffix_len - 1]))
572 return NULL;
573 path_len = chomp_trailing_dir_sep(path, path_len);
574 suffix_len = chomp_trailing_dir_sep(suffix, suffix_len);
575 }
576 else if (path[--path_len] != suffix[--suffix_len])
577 return NULL;
578 }
579
580 if (path_len && !is_dir_sep(path[path_len - 1]))
581 return NULL;
582 return xstrndup(path, chomp_trailing_dir_sep(path, path_len));
583}
584
585int daemon_avoid_alias(const char *p)
586{
587 int sl, ndot;
588
589 /*
590 * This resurrects the belts and suspenders paranoia check by HPA
591 * done in <435560F7.4080006@zytor.com> thread, now enter_repo()
592 * does not do getcwd() based path canonicalizations.
593 *
594 * sl becomes true immediately after seeing '/' and continues to
595 * be true as long as dots continue after that without intervening
596 * non-dot character.
597 */
598 if (!p || (*p != '/' && *p != '~'))
599 return -1;
600 sl = 1; ndot = 0;
601 p++;
602
603 while (1) {
604 char ch = *p++;
605 if (sl) {
606 if (ch == '.')
607 ndot++;
608 else if (ch == '/') {
609 if (ndot < 3)
610 /* reject //, /./ and /../ */
611 return -1;
612 ndot = 0;
613 }
614 else if (ch == 0) {
615 if (0 < ndot && ndot < 3)
616 /* reject /.$ and /..$ */
617 return -1;
618 return 0;
619 }
620 else
621 sl = ndot = 0;
622 }
623 else if (ch == 0)
624 return 0;
625 else if (ch == '/') {
626 sl = 1;
627 ndot = 0;
628 }
629 }
630}