This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.
Re: [patch 1/2] auto-load safe-path: Permit shell wildcards
On Mon, 18 Jun 2012 18:09:14 +0200, Eli Zaretskii wrote:
> > +/* Return 1 if FILENAME matches PATTERN or if FILENAME belongs to
> > + a subdirectory permitted by PATTERN. Return 0 otherwise.
> ^^^^^^^^^^^^
> Why "subdirectory" and not "directory"?
>
> Or did you mean "... or if FILENAME resides in a subdirectory of a
> directory that matches PATTERN"?
This one, used it.
>
> > -filename_is_in_dir (const char *filename, const char *dir)
> > +filename_is_in_pattern (const char *filename_orig, const char *pattern_orig)
>
> The arguments are named differently from what the commentary says.
> (Do you really need the "_orig" suffix here?)
I have split it now into filename_is_in_pattern and filename_is_in_pattern_1.
As an explanation of the previous state:
The problem is that I want to use bare "filename" in the code. Using
"filename_local" (for example) may lead to mistakes as it is easier to
accidentally write "filename" than to accidentally write "filename_orig".
Using just "filename" everywhere would mean making the parameter non-const
('char *filename') which may lead callers into thinking the string contents
may be modified by this function. The code both uses and modifies the content
of "filename".
> > + /* Trim trailing slashes ("/") from PATTERN. */
> > + while (pattern_len && IS_DIR_SEPARATOR (pattern[pattern_len - 1]))
> > + pattern_len--;
> > + pattern[pattern_len] = '\0';
>
> Wouldn't this do the wrong thing with a pattern such as "d:/"?
It will trim it to "d:" and then it will try to remove /+[^/]+ each time from
the filename reducing it also down to "d:". Therefore "d:/" will match any
file on drive d:.
> (I'm not sure whether it will DTRT with "/" as well.)
With "/" GDB will strip it to "". There is a shortcut that "" matches
anything.
> > + /* Trim trailing slashes ("/"). */
> > + while (filename_len && IS_DIR_SEPARATOR (filename[filename_len - 1]))
> > + filename_len--;
> > + filename[filename_len] = '\0';
>
> Same here, I think.
fnmatch is something like strcmp. When I trim slashes from both strings I do
not see any problems here.
I do not see a problem there. Thanks for the comments.
> > @value{GDBN} provides the @samp{set auto-load safe-path} setting to list
> > directories trusted for loading files not explicitly requested by user.
> > +Each directory can be also shell wildcard pattern.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> "... can also be a shell wildcard."
I believe there should still be "shell wildcard pattern":
    set auto-load safe-path patternX:patternY
    set auto-load safe-path /directoryX1/directoryX2:/directoryY1/directoryY2
I can say:
    set auto-load safe-path /usr/src*/.gdbinit
So even a part of the directory ("src*") can be shell wildcard ("*").
"src*" is IMO 'shell wildcard pattern' and not 'shell wildcard'.
"*" is 'shell wildcard'.
Do you still insist on your wording?
> > + '*' matches only single
> > +component, it does not match across directory separator.
>
> "... @samp{*} matches a single component ..."
>
> Should we describe all of the wildcard meta-characters, not just '*'?
The goal was to express FNM_FILE_NAME is in use.
Therefore to say that:
    set auto-load safe-path /usr/src/debug/*/.gdbinit
matches
    /usr/src/debug/zlib-1.2.5/.gdbinit
    /usr/src/debug/glib-2.30.3/.gdbinit
but it does not match:
    /usr/src/debug/zlib-1.2.5/contrib/.gdbinit
Without FNM_FILE_NAME it would mean .gdbinit anywhere under the directory
/usr/src/debug. This is wrong, it is not that way.
With FNM_FILE_NAME '*' in /usr/src/debug/*/.gdbinit means only single
component and not more.
Thanks,
Jan
gdb/
2012-06-20 Jan Kratochvil <jan.kratochvil@redhat.com>
Support shell wildcards for 'set auto-load safe-path'.
* auto-load.c: Include fnmatch.h.
(filename_is_in_dir): Rename to ...
(filename_is_in_pattern_1, filename_is_in_pattern): ... here and split
it. Update function comment. Rename dir_len to pattern_len. New
variables filename_len, pattern and filename. Add more DEBUG_AUTO_LOAD
messages. Use gdb_filename_fnmatch.
(filename_is_in_auto_load_safe_path_vec): Rename variable dir to
pattern.
(_initialize_auto_load): Extend the "set auto-load safe-path" help text.
* defs.h (gdb_filename_fnmatch): New declaration.
* utils.c: Include fnmatch.h.
(gdb_filename_fnmatch): New function.
gdb/doc/
2012-06-20 Jan Kratochvil <jan.kratochvil@redhat.com>
* gdb.texinfo (Auto-loading safe path): Note the shell wildcard
possibility.
diff --git a/gdb/auto-load.c b/gdb/auto-load.c
index cfcab7b..b811cf1 100644
--- a/gdb/auto-load.c
+++ b/gdb/auto-load.c
@@ -36,6 +36,7 @@
#include "readline/tilde.h"
#include "completer.h"
#include "observer.h"
+#include "fnmatch.h"
/* The suffix of per-objfile scripts to auto-load as non-Python command files.
E.g. When the program loads libfoo.so, look for libfoo-gdb.gdb. */
@@ -297,27 +298,82 @@ Use 'set auto-load safe-path /' for disabling the auto-load safe-path security.\
auto_load_safe_path_vec_update ();
}
-/* Return 1 if FILENAME is equal to DIR or if FILENAME belongs to the
- subdirectory DIR. Return 0 otherwise. gdb_realpath normalization is never
- done here. */
+/* Implementation for filename_is_in_pattern overwriting the caller's FILENAME
+ and PATTERN. */
-static ATTRIBUTE_PURE int
-filename_is_in_dir (const char *filename, const char *dir)
+static int
+filename_is_in_pattern_1 (char *filename, char *pattern)
{
- size_t dir_len = strlen (dir);
+ size_t pattern_len = strlen (pattern);
+ size_t filename_len = strlen (filename);
+
+ if (debug_auto_load)
+ fprintf_unfiltered (gdb_stdlog, _("auto-load: Matching file \"%s\" "
+ "to pattern \"%s\"\n"),
+ filename, pattern);
- while (dir_len && IS_DIR_SEPARATOR (dir[dir_len - 1]))
- dir_len--;
+ /* Trim trailing slashes ("/") from PATTERN. */
+ while (pattern_len && IS_DIR_SEPARATOR (pattern[pattern_len - 1]))
+ pattern_len--;
+ pattern[pattern_len] = '\0';
/* Ensure auto_load_safe_path "/" matches any FILENAME. On MS-Windows
platform FILENAME even after gdb_realpath does not have to start with
IS_DIR_SEPARATOR character, such as the 'C:\x.exe' filename. */
- if (dir_len == 0)
- return 1;
+ if (pattern_len == 0)
+ {
+ if (debug_auto_load)
+ fprintf_unfiltered (gdb_stdlog,
+ _("auto-load: Matched - empty pattern\n"));
+ return 1;
+ }
+
+ for (;;)
+ {
+ /* Trim trailing slashes ("/"). */
+ while (filename_len && IS_DIR_SEPARATOR (filename[filename_len - 1]))
+ filename_len--;
+ filename[filename_len] = '\0';
+ if (filename_len == 0)
+ {
+ if (debug_auto_load)
+ fprintf_unfiltered (gdb_stdlog,
+ _("auto-load: Not matched - pattern \"%s\".\n"),
+ pattern);
+ return 0;
+ }
+
+ if (gdb_filename_fnmatch (pattern, filename, FNM_FILE_NAME | FNM_NOESCAPE)
+ == 0)
+ {
+ if (debug_auto_load)
+ fprintf_unfiltered (gdb_stdlog, _("auto-load: Matched - file "
+ "\"%s\" to pattern \"%s\".\n"),
+ filename, pattern);
+ return 1;
+ }
+
+ /* Trim trailing FILENAME component. */
+ while (filename_len > 0 && !IS_DIR_SEPARATOR (filename[filename_len - 1]))
+ filename_len--;
+ }
+}
+
+/* Return 1 if FILENAME matches PATTERN or if FILENAME resides in
+ a subdirectory of a directory that matches PATTERN. Return 0 otherwise.
+ gdb_realpath normalization is never done here. */
+
+static ATTRIBUTE_PURE int
+filename_is_in_pattern (const char *filename, const char *pattern)
+{
+ char *filename_copy, *pattern_copy;
+
+ filename_copy = alloca (strlen (filename) + 1);
+ strcpy (filename_copy, filename);
+ pattern_copy = alloca (strlen (pattern) + 1);
+ strcpy (pattern_copy, pattern);
- return (filename_ncmp (dir, filename, dir_len) == 0
- && (IS_DIR_SEPARATOR (filename[dir_len])
- || filename[dir_len] == '\0'));
+ return filename_is_in_pattern_1 (filename_copy, pattern_copy);
}
/* Return 1 if FILENAME belongs to one of directory components of
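Review bot: filename_is_in_pattern keeps ATTRIBUTE_PURE, but it now calls filename_is_in_pattern_1, which writes to gdb_stdlog whenever debug_auto_load is set. A compiler is allowed to merge or drop calls to a pure function, so the new "auto-load: Matching file ..." lines can go missing; drop the attribute from the wrapper. Separately, replacing filename_ncmp with gdb_filename_fnmatch means an existing safe-path entry containing '*', '?' or '[' is now read as a pattern instead of literally, which deserves a sentence in the function comment.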
@@ -330,14 +386,15 @@ static int
filename_is_in_auto_load_safe_path_vec (const char *filename,
char **filename_realp)
{
- char *dir;
+ char *pattern;
int ix;
- for (ix = 0; VEC_iterate (char_ptr, auto_load_safe_path_vec, ix, dir); ++ix)
- if (*filename_realp == NULL && filename_is_in_dir (filename, dir))
+ for (ix = 0; VEC_iterate (char_ptr, auto_load_safe_path_vec, ix, pattern);
+ ++ix)
+ if (*filename_realp == NULL && filename_is_in_pattern (filename, pattern))
break;
- if (dir == NULL)
+ if (pattern == NULL)
{
if (*filename_realp == NULL)
{
@@ -350,18 +407,18 @@ filename_is_in_auto_load_safe_path_vec (const char *filename,
}
if (strcmp (*filename_realp, filename) != 0)
- for (ix = 0; VEC_iterate (char_ptr, auto_load_safe_path_vec, ix, dir);
- ++ix)
- if (filename_is_in_dir (*filename_realp, dir))
+ for (ix = 0;
+ VEC_iterate (char_ptr, auto_load_safe_path_vec, ix, pattern); ++ix)
+ if (filename_is_in_pattern (*filename_realp, pattern))
break;
}
- if (dir != NULL)
+ if (pattern != NULL)
{
if (debug_auto_load)
fprintf_unfiltered (gdb_stdlog, _("auto-load: File \"%s\" matches "
"directory \"%s\".\n"),
- filename, dir);
+ filename, pattern);
return 1;
}
@@ -1135,7 +1192,8 @@ be located in one of the directories listed by this option. Warning will be\n\
printed and file will not be used otherwise.\n\
Setting this parameter to an empty list resets it to its default value.\n\
Setting this parameter to '/' (without the quotes) allows any file\n\
-for the 'set auto-load ...' options.\n\
+for the 'set auto-load ...' options. Each directory can be also shell\n\
+wildcard pattern; '*' does not match directory separator.\n\
This option is ignored for the kinds of files having 'set auto-load ... off'.\n\
This options has security implications for untrusted inferiors."),
set_auto_load_safe_path,
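Review bot: the added help text says "Each directory can be also shell wildcard pattern", while the gdb.texinfo hunk of this same patch says "can also be a shell wildcard pattern"; use the texinfo wording here too, and "does not match a directory separator". The context line "This options has security implications" could be corrected to "This option has" while the string is being edited.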
diff --git a/gdb/defs.h b/gdb/defs.h
index 03092aa..1c6fa79 100644
--- a/gdb/defs.h
+++ b/gdb/defs.h
@@ -388,6 +388,9 @@ extern void substitute_path_component (char **stringp, const char *from,
extern pid_t wait_to_die_with_timeout (pid_t pid, int *status, int timeout);
#endif
+extern int gdb_filename_fnmatch (const char *pattern, const char *string,
+ int flags);
+
/* Annotation stuff. */
diff --git a/gdb/doc/gdb.texinfo b/gdb/doc/gdb.texinfo
index f7946cd..3c9615c 100644
--- a/gdb/doc/gdb.texinfo
+++ b/gdb/doc/gdb.texinfo
@@ -21451,6 +21451,7 @@ As the files of inferior can come from untrusted source (such as submitted by
an application user) @value{GDBN} does not always load any files automatically.
@value{GDBN} provides the @samp{set auto-load safe-path} setting to list
directories trusted for loading files not explicitly requested by user.
+Each directory can also be a shell wildcard pattern.
If the path is not set properly you will see a warning and the file will not
get loaded:
@@ -21474,6 +21475,8 @@ The list of trusted directories is controlled by the following commands:
@item set auto-load safe-path @r{[}@var{directories}@r{]}
Set the list of directories (and their subdirectories) trusted for automatic
loading and execution of scripts. You can also enter a specific trusted file.
+Each directory can also be a shell wildcard pattern; @samp{*} matches only
+single component, it does not match across directory separator.
If you omit @var{directories}, @samp{auto-load safe-path} will be reset to
its default value as specified during @value{GDBN} compilation.
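Review bot: the second added line, "@samp{*} matches only single component, it does not match across directory separator", is missing articles and joins two sentences with a comma; suggest "@samp{*} matches only a single component; it does not match across a directory separator". Because the preceding sentence says subdirectories are trusted as well, a short example such as the /usr/src/debug/*/.gdbinit case discussed in this thread would make the single-component rule concrete for readers setting a trust boundary.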
diff --git a/gdb/utils.c b/gdb/utils.c
index 2d607ef..5566149 100644
--- a/gdb/utils.c
+++ b/gdb/utils.c
@@ -26,6 +26,7 @@
#include "event-top.h"
#include "exceptions.h"
#include "gdbthread.h"
+#include "fnmatch.h"
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif /* HAVE_SYS_RESOURCE_H */
@@ -3840,6 +3841,49 @@ wait_to_die_with_timeout (pid_t pid, int *status, int timeout)
#endif /* HAVE_WAITPID */
+/* Provide fnmatch compatible function for FNM_FILE_NAME matching of host files.
+ Both FNM_FILE_NAME and FNM_NOESCAPE must be set in FLAGS.
+
+ It handles correctly HAVE_DOS_BASED_FILE_SYSTEM and
+ HAVE_CASE_INSENSITIVE_FILE_SYSTEM. */
+
+int
+gdb_filename_fnmatch (const char *pattern, const char *string, int flags)
+{
+ gdb_assert ((flags & FNM_FILE_NAME) != 0);
+
+ /* It is unclear how '\' escaping vs. directory separator should coexist. */
+ gdb_assert ((flags & FNM_NOESCAPE) != 0);
+
+#ifdef HAVE_DOS_BASED_FILE_SYSTEM
+ {
+ char *pattern_slash, *string_slash;
+
+ /* Replace '\' by '/' in both strings. */
+
+ pattern_slash = alloca (strlen (pattern) + 1);
+ strcpy (pattern_slash, pattern);
+ pattern = pattern_slash;
+ for (; *pattern_slash != 0; pattern_slash++)
+ if (IS_DIR_SEPARATOR (*pattern_slash))
+ *pattern_slash = '/';
+
+ string_slash = alloca (strlen (string) + 1);
+ strcpy (string_slash, string);
+ string = string_slash;
+ for (; *string_slash != 0; string_slash++)
+ if (IS_DIR_SEPARATOR (*string_slash))
+ *string_slash = '/';
+ }
+#endif /* HAVE_DOS_BASED_FILE_SYSTEM */
+
+#ifdef HAVE_CASE_INSENSITIVE_FILE_SYSTEM
+ flags |= FNM_CASEFOLD;
+#endif /* HAVE_CASE_INSENSITIVE_FILE_SYSTEM */
+
+ return fnmatch (pattern, string, flags);
+}
+
/* Provide a prototype to silence -Wmissing-prototypes. */
extern initialize_file_ftype _initialize_utils;
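Review bot: the header comment of gdb_filename_fnmatch should state what requiring FNM_NOESCAPE means for callers: with that flag '\' is an ordinary character, so a '*', '?' or '[' in a pattern cannot be quoted. The in-body comment only says the interaction with the directory separator is unclear; one sentence saying that metacharacters are always active would settle it for anyone writing a safe-path entry.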
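The matching rule described in the reply above (FNM_FILE_NAME plus trimming trailing components) as an added stand-alone C example; it is not code from the patch or from GDB. The helper name safe_path_match and the fixed 4096-byte buffers are assumptions, it handles only '/' separators, and FNM_PATHNAME is the POSIX spelling of FNM_FILE_NAME.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone helper, not GDB code.  Returns 1 if PATH matches
   PATTERN or lies below a directory matching it, else 0.  FLAGS is passed to
   fnmatch; FNM_PATHNAME is the POSIX name for glibc's FNM_FILE_NAME.  */
static int
safe_path_match (const char *path, const char *pattern, int flags)
{
  char f[4096], p[4096];
  size_t flen = strlen (path), plen = strlen (pattern);

  if (flen >= sizeof f || plen >= sizeof p)
    return 0;                   /* Over-long input: fail closed.  */
  memcpy (f, path, flen + 1);
  memcpy (p, pattern, plen + 1);

  /* Trim trailing '/' from the pattern; "/" becomes "" and trusts all.  */
  while (plen > 0 && p[plen - 1] == '/')
    plen--;
  p[plen] = '\0';
  if (plen == 0)
    return 1;

  for (;;)
    {
      /* Trim trailing '/' from the candidate; stop when nothing is left.  */
      while (flen > 0 && f[flen - 1] == '/')
        flen--;
      f[flen] = '\0';
      if (flen == 0)
        return 0;
      if (fnmatch (p, f, flags) == 0)
        return 1;
      /* Drop the last component and retry with the parent directory.  */
      while (flen > 0 && f[flen - 1] != '/')
        flen--;
    }
}

int main (void)
{
  const char *pat = "/usr/src/debug/*/.gdbinit";    /* from the thread */
  const char *deep = "/usr/src/debug/zlib-1.2.5/contrib/.gdbinit";
  printf ("%d\n", safe_path_match (deep, pat, FNM_PATHNAME | FNM_NOESCAPE));
  printf ("%d\n", safe_path_match (deep, pat, FNM_NOESCAPE));
  return 0;
}
```

A pattern that ends in a wildcard directory, such as "/usr/src*", also trusts everything below any sibling directory whose name starts with "src", because the parent-directory retry matches it.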