Fossil SCM
Begin splitting up fossil_assert_safe_command_string() into separate windows and unix implementations. Add the test-fossil-system command for testing.
Commit
9c38a004adefea005ba1475952c3768fe18ffec531dfe9773100667bf483c743
Parent
f618a25cc9877c3…
1 file changed
+29
-2
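--- a/src/util.c
+++ b/src/util.c
@@ -158,11 +158,11 @@
 return zStart;
 }
 
 /*
 ** Check the input string to ensure that it is safe to pass into system().
-** A string is unsafe for system() if it contains any of the following:
+** A string is unsafe for system() on unix if it contains any of the following:
 **
 ** * Any occurrance of '$' or '`' except after \
 ** * Any of the following characters, unquoted: ;|& or \n except
 ** these characters are allowed as the very last character in the
 ** string.
@@ -174,13 +174,15 @@
 ** safety net in case of bugs elsewhere in the system.
 **
 ** If an unsafe string is seen, the process aborts.
 */
 void fossil_assert_safe_command_string(const char *z){
+ int unsafe = 0;
+#ifndef _WIN32
+ /* Unix */
 int inQuote = 0;
 int i, c;
- int unsafe = 0;
 for(i=0; (c = z[i])!=0; i++){
 switch( c ){
 case '$':
 case '`': {
 unsafe = i+1;
@@ -210,10 +212,14 @@
 }
 break;
 }
 }
 }
+#else
+ /* Windows */
+
+#endif
 if( unsafe ){
 fossil_fatal("Unsafe command string: %s\n%*shere ----^",
 z, unsafe+13, "");
 }
 }
@@ -254,10 +260,31 @@
 rc = system(zOrigCmd);
 fossil_limit_memory(1);
 #endif
 return rc;
 }
+
+/*
+** COMMAND: test-fossil-system
+**
+** Read lines of input and send them to fossil_system() for evaluation.
+*/
+void test_fossil_system_cmd(void){
+ char zLine[10000];
+ while(1){
+ size_t n;
+ printf("system-test> ");
+ fflush(stdout);
+ if( !fgets(zLine, sizeof(zLine), stdin) ) break;
+ n = strlen(zLine);
+ while( n>0 && fossil_isspace(zLine[n-1]) ) n--;
+ zLine[n] = 0;
+ printf("cmd: [%s]\n", zLine);
+ fflush(stdout);
+ fossil_system(zLine);
+ }
+}
 
 /*
 ** Like strcmp() except that it accepts NULL pointers. NULL sorts before
 ** all non-NULL string pointers. Also, this strcmp() is a binary comparison
 ** that does not consider locale.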
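Review bot: The `#else /* Windows */` branch added to fossil_assert_safe_command_string() is empty, so on `_WIN32` builds `unsafe` stays 0 and the function accepts every command string. As far as the visible old lines show, the scan previously ran on all platforms, so this safety net is switched off on Windows until the Windows rules are written. Until then, either keep the existing scan as the fallback in the `#else` branch, or mark the gap in the code with `/* TODO: no checks implemented on Windows yet; every string is accepted */`. The header comment now describes only the unix rules and should also say what Windows does. The middle of the function's switch lies between the second and third hunks and is not visible here.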
| --- src/util.c | |
| +++ src/util.c | |
| @@ -158,11 +158,11 @@ | |
| 158 | return zStart; |
| 159 | } |
| 160 | |
| 161 | /* |
| 162 | ** Check the input string to ensure that it is safe to pass into system(). |
| 163 | ** A string is unsafe for system() if it contains any of the following: |
| 164 | ** |
| 165 | ** * Any occurrance of '$' or '`' except after \ |
| 166 | ** * Any of the following characters, unquoted: ;|& or \n except |
| 167 | ** these characters are allowed as the very last character in the |
| 168 | ** string. |
| @@ -174,13 +174,15 @@ | |
| 174 | ** safety net in case of bugs elsewhere in the system. |
| 175 | ** |
| 176 | ** If an unsafe string is seen, the process aborts. |
| 177 | */ |
| 178 | void fossil_assert_safe_command_string(const char *z){ |
| 179 | int inQuote = 0; |
| 180 | int i, c; |
| 181 | int unsafe = 0; |
| 182 | for(i=0; (c = z[i])!=0; i++){ |
| 183 | switch( c ){ |
| 184 | case '$': |
| 185 | case '`': { |
| 186 | unsafe = i+1; |
| @@ -210,10 +212,14 @@ | |
| 210 | } |
| 211 | break; |
| 212 | } |
| 213 | } |
| 214 | } |
| 215 | if( unsafe ){ |
| 216 | fossil_fatal("Unsafe command string: %s\n%*shere ----^", |
| 217 | z, unsafe+13, ""); |
| 218 | } |
| 219 | } |
| @@ -254,10 +260,31 @@ | |
| 254 | rc = system(zOrigCmd); |
| 255 | fossil_limit_memory(1); |
| 256 | #endif |
| 257 | return rc; |
| 258 | } |
| 259 | |
| 260 | /* |
| 261 | ** Like strcmp() except that it accepts NULL pointers. NULL sorts before |
| 262 | ** all non-NULL string pointers. Also, this strcmp() is a binary comparison |
| 263 | ** that does not consider locale. |
| 264 |
| --- src/util.c | |
| +++ src/util.c | |
| @@ -158,11 +158,11 @@ | |
| 158 | return zStart; |
| 159 | } |
| 160 | |
| 161 | /* |
| 162 | ** Check the input string to ensure that it is safe to pass into system(). |
| 163 | ** A string is unsafe for system() on unix if it contains any of the following: |
| 164 | ** |
| 165 | ** * Any occurrance of '$' or '`' except after \ |
| 166 | ** * Any of the following characters, unquoted: ;|& or \n except |
| 167 | ** these characters are allowed as the very last character in the |
| 168 | ** string. |
| @@ -174,13 +174,15 @@ | |
| 174 | ** safety net in case of bugs elsewhere in the system. |
| 175 | ** |
| 176 | ** If an unsafe string is seen, the process aborts. |
| 177 | */ |
| 178 | void fossil_assert_safe_command_string(const char *z){ |
| 179 | int unsafe = 0; |
| 180 | #ifndef _WIN32 |
| 181 | /* Unix */ |
| 182 | int inQuote = 0; |
| 183 | int i, c; |
| 184 | for(i=0; (c = z[i])!=0; i++){ |
| 185 | switch( c ){ |
| 186 | case '$': |
| 187 | case '`': { |
| 188 | unsafe = i+1; |
| @@ -210,10 +212,14 @@ | |
| 212 | } |
| 213 | break; |
| 214 | } |
| 215 | } |
| 216 | } |
| 217 | #else |
| 218 | /* Windows */ |
| 219 | |
| 220 | #endif |
| 221 | if( unsafe ){ |
| 222 | fossil_fatal("Unsafe command string: %s\n%*shere ----^", |
| 223 | z, unsafe+13, ""); |
| 224 | } |
| 225 | } |
| @@ -254,10 +260,31 @@ | |
| 260 | rc = system(zOrigCmd); |
| 261 | fossil_limit_memory(1); |
| 262 | #endif |
| 263 | return rc; |
| 264 | } |
| 265 | |
| 266 | /* |
| 267 | ** COMMAND: test-fossil-system |
| 268 | ** |
| 269 | ** Read lines of input and send them to fossil_system() for evaluation. |
| 270 | */ |
| 271 | void test_fossil_system_cmd(void){ |
| 272 | char zLine[10000]; |
| 273 | while(1){ |
| 274 | size_t n; |
| 275 | printf("system-test> "); |
| 276 | fflush(stdout); |
| 277 | if( !fgets(zLine, sizeof(zLine), stdin) ) break; |
| 278 | n = strlen(zLine); |
| 279 | while( n>0 && fossil_isspace(zLine[n-1]) ) n--; |
| 280 | zLine[n] = 0; |
| 281 | printf("cmd: [%s]\n", zLine); |
| 282 | fflush(stdout); |
| 283 | fossil_system(zLine); |
| 284 | } |
| 285 | } |
| 286 | |
| 287 | /* |
| 288 | ** Like strcmp() except that it accepts NULL pointers. NULL sorts before |
| 289 | ** all non-NULL string pointers. Also, this strcmp() is a binary comparison |
| 290 | ** that does not consider locale. |
| 291 |