/src/glib/glib/gshell.c

Source
/* gshell.c - Shell-related utilities
 *
 *  Copyright 2000 Red Hat, Inc.
 *  g_execvpe implementation based on GNU libc execvp:
 *   Copyright 1991, 92, 95, 96, 97, 98, 99 Free Software Foundation, Inc.
 *
 * SPDX-License-Identifier: LGPL-2.1-or-later
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this library; if not, see <http://www.gnu.org/licenses/>.
 */

#include "config.h"

#include <string.h>

#include "gshell.h"

#include "gslist.h"
#include "gstrfuncs.h"
#include "gstring.h"
#include "gtestutils.h"
#include "glibintl.h"
#include "gthread.h"

/**
 * G_SHELL_ERROR:
 *
 * Error domain for shell functions.
 *
 * Errors in this domain will be from the #GShellError enumeration.
 *
 * See #GError for information on error domains.
 **/

/**
 * GShellError:
 * @G_SHELL_ERROR_BAD_QUOTING: Mismatched or otherwise mangled quoting.
 * @G_SHELL_ERROR_EMPTY_STRING: String to be parsed was empty.
 * @G_SHELL_ERROR_FAILED: Some other error.
 *
 * Error codes returned by shell functions.
 **/
G_DEFINE_QUARK (g-shell-error-quark, g_shell_error)

/* Single quotes preserve the literal string exactly. escape
 * sequences are not allowed; not even \' - if you want a '
 * in the quoted text, you have to do something like 'foo'\''bar'
 *
 * Double quotes allow $ ` " \ and newline to be escaped with backslash.
 * Otherwise double quotes preserve things literally.
 */

static gboolean 
unquote_string_inplace (gchar* str, gchar** end, GError** err)
{
  gchar* dest;
  gchar* s;
  gchar quote_char;
  
  g_return_val_if_fail(end != NULL, FALSE);
  g_return_val_if_fail(err == NULL || *err == NULL, FALSE);
  g_return_val_if_fail(str != NULL, FALSE);
  
  dest = s = str;

  quote_char = *s;
  
  if (!(*s == '"' || *s == '\''))
    {
      g_set_error_literal (err,
                           G_SHELL_ERROR,
                           G_SHELL_ERROR_BAD_QUOTING,
                           _("Quoted text doesn’t begin with a quotation mark"));
      *end = str;
      return FALSE;
    }

  /* Skip the initial quote mark */
  ++s;

  if (quote_char == '"')
    {
      while (*s)
        {
          g_assert(s > dest); /* loop invariant */
      
          switch (*s)
            {
            case '"':
              /* End of the string, return now */
              *dest = '\0';
              ++s;
              *end = s;
              return TRUE;
              break;

            case '\\':
              /* Possible escaped quote or \ */
              ++s;
              switch (*s)
                {
                case '"':
                case '\\':
                case '`':
                case '$':
                case '\n':
                  *dest = *s;
                  ++s;
                  ++dest;
                  break;

                default:
                  /* not an escaped char */
                  *dest = '\\';
                  ++dest;
                  /* ++s already done. */
                  break;
                }
              break;

            default:
              *dest = *s;
              ++dest;
              ++s;
              break;
            }

          g_assert(s > dest); /* loop invariant */
        }
    }
  else
    {
      while (*s)
        {
          g_assert(s > dest); /* loop invariant */
          
          if (*s == '\'')
            {
              /* End of the string, return now */
              *dest = '\0';
              ++s;
              *end = s;
              return TRUE;
            }
          else
            {
              *dest = *s;
              ++dest;
              ++s;
            }

          g_assert(s > dest); /* loop invariant */
        }
    }
  
  /* If we reach here this means the close quote was never encountered */

  *dest = '\0';
  
  g_set_error_literal (err,
                       G_SHELL_ERROR,
                       G_SHELL_ERROR_BAD_QUOTING,
                       _("Unmatched quotation mark in command line or other shell-quoted text"));
  *end = s;
  return FALSE;
}

/**
 * g_shell_quote:
 * @unquoted_string: (type filename): a literal string
 * 
 * Quotes a string so that the shell (/bin/sh) will interpret the
 * quoted string to mean @unquoted_string.
 *
 * If you pass a filename or other untrusted input to [func@GLib.shell_parse_argv],
 * you should first quote it with this function. This is sufficient to ensure
 * untrusted input cannot ‘break out’ of the quotes. Beware: this only works
 * because [func@GLib.shell_parse_argv] is not a real Unix shell. Quoting untrusted
 * input is not an adequate security mechanism when using a real shell.
 *
 * The return value must be freed with g_free().
 *
 * The quoting style used is undefined (single or double quotes may be
 * used).
 * 
 * Returns: (type filename) (transfer full): quoted string
 **/
gchar*
g_shell_quote (const gchar *unquoted_string)
{
  /* We always use single quotes, because the algorithm is cheesier.
   * We could use double if we felt like it, that might be more
   * human-readable.
   */

  const gchar *p;
  GString *dest;

  g_return_val_if_fail (unquoted_string != NULL, NULL);
  
  dest = g_string_new ("'");

  p = unquoted_string;

  /* could speed this up a lot by appending chunks of text at a
   * time.
   */
  while (*p)
    {
      /* Replace literal ' with a close ', a \', and an open ' */
      if (*p == '\'')
        g_string_append (dest, "'\\''");
      else
        g_string_append_c (dest, *p);

      ++p;
    }

  /* close the quote */
  g_string_append_c (dest, '\'');
  
  return g_string_free (dest, FALSE);
}

/**
 * g_shell_unquote:
 * @quoted_string: (type filename): shell-quoted string
 * @error: error return location or NULL
 * 
 * Unquotes a string as the shell (/bin/sh) would.
 *
 * This function only handles quotes; if a string contains file globs,
 * arithmetic operators, variables, backticks, redirections, or other
 * special-to-the-shell features, the result will be different from the
 * result a real shell would produce (the variables, backticks, etc.
 * will be passed through literally instead of being expanded).
 *
 * This function is guaranteed to succeed if applied to the result of
 * g_shell_quote(). If it fails, it returns %NULL and sets the
 * error.
 *
 * The @quoted_string need not actually contain quoted or escaped text;
 * g_shell_unquote() simply goes through the string and unquotes/unescapes
 * anything that the shell would. Both single and double quotes are
 * handled, as are escapes including escaped newlines.
 *
 * The return value must be freed with g_free().
 *
 * Possible errors are in the %G_SHELL_ERROR domain.
 * 
 * Shell quoting rules are a bit strange. Single quotes preserve the
 * literal string exactly. escape sequences are not allowed; not even
 * `\'` - if you want a `'` in the quoted text, you have to do something
 * like `'foo'\''bar'`. Double quotes allow `$`, ```, `"`, `\`, and
 * newline to be escaped with backslash. Otherwise double quotes
 * preserve things literally.
 *
 * Returns: (type filename): an unquoted string
 **/
gchar*
g_shell_unquote (const gchar *quoted_string,
                 GError     **error)
{
  gchar *unquoted;
  gchar *end;
  gchar *start;
  GString *retval;
  
  g_return_val_if_fail (quoted_string != NULL, NULL);
  
  unquoted = g_strdup (quoted_string);

  start = unquoted;
  end = unquoted;
  retval = g_string_new (NULL);

  /* The loop allows cases such as
   * "foo"blah blah'bar'woo foo"baz"la la la\'\''foo'
   */
  while (*start)
    {
      /* Append all non-quoted chars, honoring backslash escape
       */
      
      while (*start && !(*start == '"' || *start == '\''))
        {
          if (*start == '\\')
            {
              /* all characters can get escaped by backslash,
               * except newline, which is removed if it follows
               * a backslash outside of quotes
               */
              
              ++start;
              if (*start)
                {
                  if (*start != '\n')
                    g_string_append_c (retval, *start);
                  ++start;
                }
            }
          else
            {
              g_string_append_c (retval, *start);
              ++start;
            }
        }

      if (*start)
        {
          if (!unquote_string_inplace (start, &end, error))
            {
              goto error;
            }
          else
            {
              g_string_append (retval, start);
              start = end;
            }
        }
    }

  g_free (unquoted);
  return g_string_free (retval, FALSE);
  
 error:
  g_assert (error == NULL || *error != NULL);
  
  g_free (unquoted);
  g_string_free (retval, TRUE);
  return NULL;
}

/* g_parse_argv() does a semi-arbitrary weird subset of the way
 * the shell parses a command line. We don't do variable expansion,
 * don't understand that operators are tokens, don't do tilde expansion,
 * don't do command substitution, no arithmetic expansion, IFS gets ignored,
 * don't do filename globs, don't remove redirection stuff, etc.
 *
 * READ THE UNIX98 SPEC on "Shell Command Language" before changing
 * the behavior of this code.
 *
 * Steps to parsing the argv string:
 *
 *  - tokenize the string (but since we ignore operators,
 *    our tokenization may diverge from what the shell would do)
 *    note that tokenization ignores the internals of a quoted
 *    word and it always splits on spaces, not on IFS even
 *    if we used IFS. We also ignore "end of input indicator"
 *    (I guess this is control-D?)
 *
 *    Tokenization steps, from UNIX98 with operator stuff removed,
 *    are:
 * 
 *    1) "If the current character is backslash, single-quote or
 *        double-quote (\, ' or ") and it is not quoted, it will affect
 *        quoting for subsequent characters up to the end of the quoted
 *        text. The rules for quoting are as described in Quoting
 *        . During token recognition no substitutions will be actually
 *        performed, and the result token will contain exactly the
 *        characters that appear in the input (except for newline
 *        character joining), unmodified, including any embedded or
 *        enclosing quotes or substitution operators, between the quote
 *        mark and the end of the quoted text. The token will not be
 *        delimited by the end of the quoted field."
 *
 *    2) "If the current character is an unquoted newline character,
 *        the current token will be delimited."
 *
 *    3) "If the current character is an unquoted blank character, any
 *        token containing the previous character is delimited and the
 *        current character will be discarded."
 *
 *    4) "If the previous character was part of a word, the current
 *        character will be appended to that word."
 *
 *    5) "If the current character is a "#", it and all subsequent
 *        characters up to, but excluding, the next newline character
 *        will be discarded as a comment. The newline character that
 *        ends the line is not considered part of the comment. The
 *        "#" starts a comment only when it is at the beginning of a
 *        token. Since the search for the end-of-comment does not
 *        consider an escaped newline character specially, a comment
 *        cannot be continued to the next line."
 *
 *    6) "The current character will be used as the start of a new word."
 *
 *
 *  - for each token (word), perform portions of word expansion, namely
 *    field splitting (using default whitespace IFS) and quote
 *    removal.  Field splitting may increase the number of words.
 *    Quote removal does not increase the number of words.
 *
 *   "If the complete expansion appropriate for a word results in an
 *   empty field, that empty field will be deleted from the list of
 *   fields that form the completely expanded command, unless the
 *   original word contained single-quote or double-quote characters."
 *    - UNIX98 spec
 *
 *
 */

static inline void
ensure_token (GString **token)
{
  if (*token == NULL)
    *token = g_string_new (NULL);
}

static void
delimit_token (GString **token,
               GSList **retval)
{
  if (*token == NULL)
    return;

  *retval = g_slist_prepend (*retval, g_string_free (*token, FALSE));

  *token = NULL;
}

static GSList*
tokenize_command_line (const gchar *command_line,
                       GError **error)
{
  gchar current_quote;
  const gchar *p;
  GString *current_token = NULL;
  GSList *retval = NULL;
  gboolean quoted;

  current_quote = '\0';
  quoted = FALSE;
  p = command_line;
 
  while (*p)
    {
      if (current_quote == '\\')
        {
          if (*p == '\n')
            {
              /* we append nothing; backslash-newline become nothing */
            }
          else
            {
              /* we append the backslash and the current char,
               * to be interpreted later after tokenization
               */
              ensure_token (&current_token);
              g_string_append_c (current_token, '\\');
              g_string_append_c (current_token, *p);
            }

          current_quote = '\0';
        }
      else if (current_quote == '#')
        {
          /* Discard up to and including next newline */
          while (*p && *p != '\n')
            ++p;

          current_quote = '\0';
          
          if (*p == '\0')
            break;
        }
      else if (current_quote)
        {
          if (*p == current_quote &&
              /* check that it isn't an escaped double quote */
              !(current_quote == '"' && quoted))
            {
              /* close the quote */
              current_quote = '\0';
            }

          /* Everything inside quotes, and the close quote,
           * gets appended literally.
           */

          ensure_token (&current_token);
          g_string_append_c (current_token, *p);
        }
      else
        {
          switch (*p)
            {
            case '\n':
              delimit_token (&current_token, &retval);
              break;

            case ' ':
            case '\t':
              /* If the current token contains the previous char, delimit
               * the current token. A nonzero length
               * token should always contain the previous char.
               */
              if (current_token &&
                  current_token->len > 0)
                {
                  delimit_token (&current_token, &retval);
                }
              
              /* discard all unquoted blanks (don't add them to a token) */
              break;


              /* single/double quotes are appended to the token,
               * escapes are maybe appended next time through the loop,
               * comment chars are never appended.
               */
              
            case '\'':
            case '"':
              ensure_token (&current_token);
              g_string_append_c (current_token, *p);

              G_GNUC_FALLTHROUGH;
            case '\\':
              current_quote = *p;
              break;

            case '#':
              if (p == command_line)
          { /* '#' was the first char */
                  current_quote = *p;
                  break;
                }
              switch(*(p-1))
                {
                  case ' ':
                  case '\n':
                  case '\0':
                    current_quote = *p;
                    break;
                  default:
                    ensure_token (&current_token);
                    g_string_append_c (current_token, *p);
        break;
                }
              break;

            default:
              /* Combines rules 4) and 6) - if we have a token, append to it,
               * otherwise create a new token.
               */
              ensure_token (&current_token);
              g_string_append_c (current_token, *p);
              break;
            }
        }

      /* We need to count consecutive backslashes mod 2, 
       * to detect escaped doublequotes.
       */
      if (*p != '\\')
  quoted = FALSE;
      else
  quoted = !quoted;

      ++p;
    }

  delimit_token (&current_token, &retval);

  if (current_quote)
    {
      if (current_quote == '\\')
        g_set_error (error,
                     G_SHELL_ERROR,
                     G_SHELL_ERROR_BAD_QUOTING,
                     _("Text ended just after a “\\” character."
                       " (The text was “%s”)"),
                     command_line);
      else if (current_quote == '#')
        g_set_error (error,
                     G_SHELL_ERROR,
                     G_SHELL_ERROR_EMPTY_STRING,
                     _("Text was empty (or contained only whitespace)"));
      else
        g_set_error (error,
                     G_SHELL_ERROR,
                     G_SHELL_ERROR_BAD_QUOTING,
                     _("Text ended before matching quote was found for %c."
                       " (The text was “%s”)"),
                     current_quote, command_line);
      
      goto error;
    }

  if (retval == NULL)
    {
      g_set_error_literal (error,
                           G_SHELL_ERROR,
                           G_SHELL_ERROR_EMPTY_STRING,
                           _("Text was empty (or contained only whitespace)"));

      goto error;
    }
  
  /* we appended backward */
  retval = g_slist_reverse (retval);

  return retval;

 error:
  g_assert (error == NULL || *error != NULL);

  g_slist_free_full (retval, g_free);

  return NULL;
}

/**
 * g_shell_parse_argv:
 * @command_line: (type filename): command line to parse
 * @argcp: (out) (optional): return location for number of args
 * @argvp: (out) (optional) (array length=argcp zero-terminated=1) (element-type filename):
 *   return location for array of args
 * @error: (optional): return location for error
 * 
 * Parses a command line into an argument vector, in much the same way
 * the shell would, but without many of the expansions the shell would
 * perform (variable expansion, globs, operators, filename expansion,
 * etc. are not supported).
 *
 * The results are defined to be the same as those you would get from
 * a UNIX98 `/bin/sh`, as long as the input contains none of the
 * unsupported shell expansions. If the input does contain such expansions,
 * they are passed through literally.
 *
 * Possible errors are those from the %G_SHELL_ERROR domain.
 *
 * In particular, if @command_line is an empty string (or a string containing
 * only whitespace), %G_SHELL_ERROR_EMPTY_STRING will be returned. It’s
 * guaranteed that @argvp will be a non-empty array if this function returns
 * successfully.
 *
 * When constructing @command_line, quote any filenames or potentially
 * untrusted input using [func@GLib.shell_quote].
 *
 * Free the returned vector with g_strfreev().
 * 
 * Returns: %TRUE on success, %FALSE if error set
 **/
gboolean
g_shell_parse_argv (const gchar *command_line,
                    gint        *argcp,
                    gchar     ***argvp,
                    GError     **error)
{
  /* Code based on poptParseArgvString() from libpopt */
  gint argc = 0;
  gchar **argv = NULL;
  GSList *tokens = NULL;
  gint i;
  GSList *tmp_list;
  
  g_return_val_if_fail (command_line != NULL, FALSE);

  tokens = tokenize_command_line (command_line, error);
  if (tokens == NULL)
    return FALSE;

  /* Because we can't have introduced any new blank space into the
   * tokens (we didn't do any new expansions), we don't need to
   * perform field splitting. If we were going to honor IFS or do any
   * expansions, we would have to do field splitting on each word
   * here. Also, if we were going to do any expansion we would need to
   * remove any zero-length words that didn't contain quotes
   * originally; but since there's no expansion we know all words have
   * nonzero length, unless they contain quotes.
   * 
   * So, we simply remove quotes, and don't do any field splitting or
   * empty word removal, since we know there was no way to introduce
   * such things.
   */

  argc = g_slist_length (tokens);
  argv = g_new0 (gchar*, argc + 1);
  i = 0;
  tmp_list = tokens;
  while (tmp_list)
    {
      argv[i] = g_shell_unquote (tmp_list->data, error);

      /* Since we already checked that quotes matched up in the
       * tokenizer, this shouldn't be possible to reach I guess.
       */
      if (argv[i] == NULL)
        goto failed;

      tmp_list = g_slist_next (tmp_list);
      ++i;
    }
  
  g_slist_free_full (tokens, g_free);

  g_assert (argc > 0);
  g_assert (argv != NULL && argv[0] != NULL);

  if (argcp)
    *argcp = argc;

  if (argvp)
    *argvp = argv;
  else
    g_strfreev (argv);

  return TRUE;

 failed:

  g_assert (error == NULL || *error != NULL);
  g_strfreev (argv);
  g_slist_free_full (tokens, g_free);
  
  return FALSE;
}

Coverage Report

Created: 2026-05-23 06:16

Line	Count	Source
1		/* gshell.c - Shell-related utilities
2		*
3		* Copyright 2000 Red Hat, Inc.
4		* g_execvpe implementation based on GNU libc execvp:
5		* Copyright 1991, 92, 95, 96, 97, 98, 99 Free Software Foundation, Inc.
6		*
7		* SPDX-License-Identifier: LGPL-2.1-or-later
8		*
9		* This library is free software; you can redistribute it and/or
10		* modify it under the terms of the GNU Lesser General Public
11		* License as published by the Free Software Foundation; either
12		* version 2.1 of the License, or (at your option) any later version.
13		*
14		* This library is distributed in the hope that it will be useful,
15		* but WITHOUT ANY WARRANTY; without even the implied warranty of
16		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17		* Lesser General Public License for more details.
18		*
19		* You should have received a copy of the GNU Lesser General Public License
20		* along with this library; if not, see <http://www.gnu.org/licenses/>.
21		*/
22
23		#include "config.h"
24
25		#include <string.h>
26
27		#include "gshell.h"
28
29		#include "gslist.h"
30		#include "gstrfuncs.h"
31		#include "gstring.h"
32		#include "gtestutils.h"
33		#include "glibintl.h"
34		#include "gthread.h"
35
36		/**
37		* G_SHELL_ERROR:
38		*
39		* Error domain for shell functions.
40		*
41		* Errors in this domain will be from the #GShellError enumeration.
42		*
43		* See #GError for information on error domains.
44		**/
45
46		/**
47		* GShellError:
48		* @G_SHELL_ERROR_BAD_QUOTING: Mismatched or otherwise mangled quoting.
49		* @G_SHELL_ERROR_EMPTY_STRING: String to be parsed was empty.
50		* @G_SHELL_ERROR_FAILED: Some other error.
51		*
52		* Error codes returned by shell functions.
53		**/
54		G_DEFINE_QUARK (g-shell-error-quark, g_shell_error)
55
56		/* Single quotes preserve the literal string exactly. escape
57		* sequences are not allowed; not even \' - if you want a '
58		* in the quoted text, you have to do something like 'foo'\''bar'
59		*
60		* Double quotes allow $ ` " \ and newline to be escaped with backslash.
61		* Otherwise double quotes preserve things literally.
62		*/
63
64		static gboolean
65		unquote_string_inplace (gchar* str, gchar end, GError err)
66	0	{
67	0	gchar* dest;
68	0	gchar* s;
69	0	gchar quote_char;
70
71	0	g_return_val_if_fail(end != NULL, FALSE);
72	0	g_return_val_if_fail(err == NULL \|\| *err == NULL, FALSE);
73	0	g_return_val_if_fail(str != NULL, FALSE);
74
75	0	dest = s = str;
76
77	0	quote_char = *s;
78
79	0	if (!(s == '"' \|\| s == '\''))
80	0	{
81	0	g_set_error_literal (err,
82	0	G_SHELL_ERROR,
83	0	G_SHELL_ERROR_BAD_QUOTING,
84	0	_("Quoted text doesn’t begin with a quotation mark"));
85	0	*end = str;
86	0	return FALSE;
87	0	}
88
89		/* Skip the initial quote mark */
90	0	++s;
91
92	0	if (quote_char == '"')
93	0	{
94	0	while (*s)
95	0	{
96	0	g_assert(s > dest); /* loop invariant */
97
98	0	switch (*s)
99	0	{
100	0	case '"':
101		/* End of the string, return now */
102	0	*dest = '\0';
103	0	++s;
104	0	*end = s;
105	0	return TRUE;
106	0	break;
107
108	0	case '\\':
109		/* Possible escaped quote or \ */
110	0	++s;
111	0	switch (*s)
112	0	{
113	0	case '"':
114	0	case '\\':
115	0	case '`':
116	0	case '$':
117	0	case '\n':
118	0	dest = s;
119	0	++s;
120	0	++dest;
121	0	break;
122
123	0	default:
124		/* not an escaped char */
125	0	*dest = '\\';
126	0	++dest;
127		/* ++s already done. */
128	0	break;
129	0	}
130	0	break;
131
132	0	default:
133	0	dest = s;
134	0	++dest;
135	0	++s;
136	0	break;
137	0	}
138
139	0	g_assert(s > dest); /* loop invariant */
140	0	}
141	0	}
142	0	else
143	0	{
144	0	while (*s)
145	0	{
146	0	g_assert(s > dest); /* loop invariant */
147
148	0	if (*s == '\'')
149	0	{
150		/* End of the string, return now */
151	0	*dest = '\0';
152	0	++s;
153	0	*end = s;
154	0	return TRUE;
155	0	}
156	0	else
157	0	{
158	0	dest = s;
159	0	++dest;
160	0	++s;
161	0	}
162
163	0	g_assert(s > dest); /* loop invariant */
164	0	}
165	0	}
166
167		/* If we reach here this means the close quote was never encountered */
168
169	0	*dest = '\0';
170
171	0	g_set_error_literal (err,
172	0	G_SHELL_ERROR,
173	0	G_SHELL_ERROR_BAD_QUOTING,
174	0	_("Unmatched quotation mark in command line or other shell-quoted text"));
175	0	*end = s;
176	0	return FALSE;
177	0	}
178
179		/**
180		* g_shell_quote:
181		* @unquoted_string: (type filename): a literal string
182		*
183		* Quotes a string so that the shell (/bin/sh) will interpret the
184		* quoted string to mean @unquoted_string.
185		*
186		* If you pass a filename or other untrusted input to [func@GLib.shell_parse_argv],
187		* you should first quote it with this function. This is sufficient to ensure
188		* untrusted input cannot ‘break out’ of the quotes. Beware: this only works
189		* because [func@GLib.shell_parse_argv] is not a real Unix shell. Quoting untrusted
190		* input is not an adequate security mechanism when using a real shell.
191		*
192		* The return value must be freed with g_free().
193		*
194		* The quoting style used is undefined (single or double quotes may be
195		* used).
196		*
197		* Returns: (type filename) (transfer full): quoted string
198		**/
199		gchar*
200		g_shell_quote (const gchar *unquoted_string)
201	0	{
202		/* We always use single quotes, because the algorithm is cheesier.
203		* We could use double if we felt like it, that might be more
204		* human-readable.
205		*/
206
207	0	const gchar *p;
208	0	GString *dest;
209
210	0	g_return_val_if_fail (unquoted_string != NULL, NULL);
211
212	0	dest = g_string_new ("'");
213
214	0	p = unquoted_string;
215
216		/* could speed this up a lot by appending chunks of text at a
217		* time.
218		*/
219	0	while (*p)
220	0	{
221		/* Replace literal ' with a close ', a \', and an open ' */
222	0	if (*p == '\'')
223	0	g_string_append (dest, "'\\''");
224	0	else
225	0	g_string_append_c (dest, *p);
226
227	0	++p;
228	0	}
229
230		/* close the quote */
231	0	g_string_append_c (dest, '\'');
232
233	0	return g_string_free (dest, FALSE);
234	0	}
235
236		/**
237		* g_shell_unquote:
238		* @quoted_string: (type filename): shell-quoted string
239		* @error: error return location or NULL
240		*
241		* Unquotes a string as the shell (/bin/sh) would.
242		*
243		* This function only handles quotes; if a string contains file globs,
244		* arithmetic operators, variables, backticks, redirections, or other
245		* special-to-the-shell features, the result will be different from the
246		* result a real shell would produce (the variables, backticks, etc.
247		* will be passed through literally instead of being expanded).
248		*
249		* This function is guaranteed to succeed if applied to the result of
250		* g_shell_quote(). If it fails, it returns %NULL and sets the
251		* error.
252		*
253		* The @quoted_string need not actually contain quoted or escaped text;
254		* g_shell_unquote() simply goes through the string and unquotes/unescapes
255		* anything that the shell would. Both single and double quotes are
256		* handled, as are escapes including escaped newlines.
257		*
258		* The return value must be freed with g_free().
259		*
260		* Possible errors are in the %G_SHELL_ERROR domain.
261		*
262		* Shell quoting rules are a bit strange. Single quotes preserve the
263		* literal string exactly. escape sequences are not allowed; not even
264		* `\'` - if you want a `'` in the quoted text, you have to do something
265		* like `'foo'\''bar'`. Double quotes allow `$`, ```, `"`, `\`, and
266		* newline to be escaped with backslash. Otherwise double quotes
267		* preserve things literally.
268		*
269		* Returns: (type filename): an unquoted string
270		**/
271		gchar*
272		g_shell_unquote (const gchar *quoted_string,
273		GError **error)
274	0	{
275	0	gchar *unquoted;
276	0	gchar *end;
277	0	gchar *start;
278	0	GString *retval;
279
280	0	g_return_val_if_fail (quoted_string != NULL, NULL);
281
282	0	unquoted = g_strdup (quoted_string);
283
284	0	start = unquoted;
285	0	end = unquoted;
286	0	retval = g_string_new (NULL);
287
288		/* The loop allows cases such as
289		* "foo"blah blah'bar'woo foo"baz"la la la\'\''foo'
290		*/
291	0	while (*start)
292	0	{
293		/* Append all non-quoted chars, honoring backslash escape
294		*/
295
296	0	while (start && !(start == '"' \|\| *start == '\''))
297	0	{
298	0	if (*start == '\\')
299	0	{
300		/* all characters can get escaped by backslash,
301		* except newline, which is removed if it follows
302		* a backslash outside of quotes
303		*/
304
305	0	++start;
306	0	if (*start)
307	0	{
308	0	if (*start != '\n')
309	0	g_string_append_c (retval, *start);
310	0	++start;
311	0	}
312	0	}
313	0	else
314	0	{
315	0	g_string_append_c (retval, *start);
316	0	++start;
317	0	}
318	0	}
319
320	0	if (*start)
321	0	{
322	0	if (!unquote_string_inplace (start, &end, error))
323	0	{
324	0	goto error;
325	0	}
326	0	else
327	0	{
328	0	g_string_append (retval, start);
329	0	start = end;
330	0	}
331	0	}
332	0	}
333
334	0	g_free (unquoted);
335	0	return g_string_free (retval, FALSE);
336
337	0	error:
338	0	g_assert (error == NULL \|\| *error != NULL);
339
340	0	g_free (unquoted);
341	0	g_string_free (retval, TRUE);
342	0	return NULL;
343	0	}
344
345		/* g_parse_argv() does a semi-arbitrary weird subset of the way
346		* the shell parses a command line. We don't do variable expansion,
347		* don't understand that operators are tokens, don't do tilde expansion,
348		* don't do command substitution, no arithmetic expansion, IFS gets ignored,
349		* don't do filename globs, don't remove redirection stuff, etc.
350		*
351		* READ THE UNIX98 SPEC on "Shell Command Language" before changing
352		* the behavior of this code.
353		*
354		* Steps to parsing the argv string:
355		*
356		* - tokenize the string (but since we ignore operators,
357		* our tokenization may diverge from what the shell would do)
358		* note that tokenization ignores the internals of a quoted
359		* word and it always splits on spaces, not on IFS even
360		* if we used IFS. We also ignore "end of input indicator"
361		* (I guess this is control-D?)
362		*
363		* Tokenization steps, from UNIX98 with operator stuff removed,
364		* are:
365		*
366		* 1) "If the current character is backslash, single-quote or
367		* double-quote (\, ' or ") and it is not quoted, it will affect
368		* quoting for subsequent characters up to the end of the quoted
369		* text. The rules for quoting are as described in Quoting
370		* . During token recognition no substitutions will be actually
371		* performed, and the result token will contain exactly the
372		* characters that appear in the input (except for newline
373		* character joining), unmodified, including any embedded or
374		* enclosing quotes or substitution operators, between the quote
375		* mark and the end of the quoted text. The token will not be
376		* delimited by the end of the quoted field."
377		*
378		* 2) "If the current character is an unquoted newline character,
379		* the current token will be delimited."
380		*
381		* 3) "If the current character is an unquoted blank character, any
382		* token containing the previous character is delimited and the
383		* current character will be discarded."
384		*
385		* 4) "If the previous character was part of a word, the current
386		* character will be appended to that word."
387		*
388		* 5) "If the current character is a "#", it and all subsequent
389		* characters up to, but excluding, the next newline character
390		* will be discarded as a comment. The newline character that
391		* ends the line is not considered part of the comment. The
392		* "#" starts a comment only when it is at the beginning of a
393		* token. Since the search for the end-of-comment does not
394		* consider an escaped newline character specially, a comment
395		* cannot be continued to the next line."
396		*
397		* 6) "The current character will be used as the start of a new word."
398		*
399		*
400		* - for each token (word), perform portions of word expansion, namely
401		* field splitting (using default whitespace IFS) and quote
402		* removal. Field splitting may increase the number of words.
403		* Quote removal does not increase the number of words.
404		*
405		* "If the complete expansion appropriate for a word results in an
406		* empty field, that empty field will be deleted from the list of
407		* fields that form the completely expanded command, unless the
408		* original word contained single-quote or double-quote characters."
409		* - UNIX98 spec
410		*
411		*
412		*/
413
414		static inline void
415		ensure_token (GString **token)
416	0	{
417	0	if (*token == NULL)
418	0	*token = g_string_new (NULL);
419	0	}
420
421		static void
422		delimit_token (GString **token,
423		GSList **retval)
424	0	{
425	0	if (*token == NULL)
426	0	return;
427
428	0	retval = g_slist_prepend (retval, g_string_free (*token, FALSE));
429
430	0	*token = NULL;
431	0	}
432
433		static GSList*
434		tokenize_command_line (const gchar *command_line,
435		GError **error)
436	0	{
437	0	gchar current_quote;
438	0	const gchar *p;
439	0	GString *current_token = NULL;
440	0	GSList *retval = NULL;
441	0	gboolean quoted;
442
443	0	current_quote = '\0';
444	0	quoted = FALSE;
445	0	p = command_line;
446
447	0	while (*p)
448	0	{
449	0	if (current_quote == '\\')
450	0	{
451	0	if (*p == '\n')
452	0	{
453		/* we append nothing; backslash-newline become nothing */
454	0	}
455	0	else
456	0	{
457		/* we append the backslash and the current char,
458		* to be interpreted later after tokenization
459		*/
460	0	ensure_token (&current_token);
461	0	g_string_append_c (current_token, '\\');
462	0	g_string_append_c (current_token, *p);
463	0	}
464
465	0	current_quote = '\0';
466	0	}
467	0	else if (current_quote == '#')
468	0	{
469		/* Discard up to and including next newline */
470	0	while (p && p != '\n')
471	0	++p;
472
473	0	current_quote = '\0';
474
475	0	if (*p == '\0')
476	0	break;
477	0	}
478	0	else if (current_quote)
479	0	{
480	0	if (*p == current_quote &&
481		/* check that it isn't an escaped double quote */
482	0	!(current_quote == '"' && quoted))
483	0	{
484		/* close the quote */
485	0	current_quote = '\0';
486	0	}
487
488		/* Everything inside quotes, and the close quote,
489		* gets appended literally.
490		*/
491
492	0	ensure_token (&current_token);
493	0	g_string_append_c (current_token, *p);
494	0	}
495	0	else
496	0	{
497	0	switch (*p)
498	0	{
499	0	case '\n':
500	0	delimit_token (&current_token, &retval);
501	0	break;
502
503	0	case ' ':
504	0	case '\t':
505		/* If the current token contains the previous char, delimit
506		* the current token. A nonzero length
507		* token should always contain the previous char.
508		*/
509	0	if (current_token &&
510	0	current_token->len > 0)
511	0	{
512	0	delimit_token (&current_token, &retval);
513	0	}
514
515		/* discard all unquoted blanks (don't add them to a token) */
516	0	break;
517
518
519		/* single/double quotes are appended to the token,
520		* escapes are maybe appended next time through the loop,
521		* comment chars are never appended.
522		*/
523
524	0	case '\'':
525	0	case '"':
526	0	ensure_token (&current_token);
527	0	g_string_append_c (current_token, *p);
528
529	0	G_GNUC_FALLTHROUGH;
530	0	case '\\':
531	0	current_quote = *p;
532	0	break;
533
534	0	case '#':
535	0	if (p == command_line)
536	0	{ /* '#' was the first char */
537	0	current_quote = *p;
538	0	break;
539	0	}
540	0	switch(*(p-1))
541	0	{
542	0	case ' ':
543	0	case '\n':
544	0	case '\0':
545	0	current_quote = *p;
546	0	break;
547	0	default:
548	0	ensure_token (&current_token);
549	0	g_string_append_c (current_token, *p);
550	0	break;
551	0	}
552	0	break;
553
554	0	default:
555		/* Combines rules 4) and 6) - if we have a token, append to it,
556		* otherwise create a new token.
557		*/
558	0	ensure_token (&current_token);
559	0	g_string_append_c (current_token, *p);
560	0	break;
561	0	}
562	0	}
563
564		/* We need to count consecutive backslashes mod 2,
565		* to detect escaped doublequotes.
566		*/
567	0	if (*p != '\\')
568	0	quoted = FALSE;
569	0	else
570	0	quoted = !quoted;
571
572	0	++p;
573	0	}
574
575	0	delimit_token (&current_token, &retval);
576
577	0	if (current_quote)
578	0	{
579	0	if (current_quote == '\\')
580	0	g_set_error (error,
581	0	G_SHELL_ERROR,
582	0	G_SHELL_ERROR_BAD_QUOTING,
583	0	_("Text ended just after a “\\” character."
584	0	" (The text was “%s”)"),
585	0	command_line);
586	0	else if (current_quote == '#')
587	0	g_set_error (error,
588	0	G_SHELL_ERROR,
589	0	G_SHELL_ERROR_EMPTY_STRING,
590	0	_("Text was empty (or contained only whitespace)"));
591	0	else
592	0	g_set_error (error,
593	0	G_SHELL_ERROR,
594	0	G_SHELL_ERROR_BAD_QUOTING,
595	0	_("Text ended before matching quote was found for %c."
596	0	" (The text was “%s”)"),
597	0	current_quote, command_line);
598
599	0	goto error;
600	0	}
601
602	0	if (retval == NULL)
603	0	{
604	0	g_set_error_literal (error,
605	0	G_SHELL_ERROR,
606	0	G_SHELL_ERROR_EMPTY_STRING,
607	0	_("Text was empty (or contained only whitespace)"));
608
609	0	goto error;
610	0	}
611
612		/* we appended backward */
613	0	retval = g_slist_reverse (retval);
614
615	0	return retval;
616
617	0	error:
618	0	g_assert (error == NULL \|\| *error != NULL);
619
620	0	g_slist_free_full (retval, g_free);
621
622	0	return NULL;
623	0	}
624
625		/**
626		* g_shell_parse_argv:
627		* @command_line: (type filename): command line to parse
628		* @argcp: (out) (optional): return location for number of args
629		* @argvp: (out) (optional) (array length=argcp zero-terminated=1) (element-type filename):
630		* return location for array of args
631		* @error: (optional): return location for error
632		*
633		* Parses a command line into an argument vector, in much the same way
634		* the shell would, but without many of the expansions the shell would
635		* perform (variable expansion, globs, operators, filename expansion,
636		* etc. are not supported).
637		*
638		* The results are defined to be the same as those you would get from
639		* a UNIX98 `/bin/sh`, as long as the input contains none of the
640		* unsupported shell expansions. If the input does contain such expansions,
641		* they are passed through literally.
642		*
643		* Possible errors are those from the %G_SHELL_ERROR domain.
644		*
645		* In particular, if @command_line is an empty string (or a string containing
646		* only whitespace), %G_SHELL_ERROR_EMPTY_STRING will be returned. It’s
647		* guaranteed that @argvp will be a non-empty array if this function returns
648		* successfully.
649		*
650		* When constructing @command_line, quote any filenames or potentially
651		* untrusted input using [func@GLib.shell_quote].
652		*
653		* Free the returned vector with g_strfreev().
654		*
655		* Returns: %TRUE on success, %FALSE if error set
656		**/
657		gboolean
658		g_shell_parse_argv (const gchar *command_line,
659		gint *argcp,
660		gchar ***argvp,
661		GError **error)
662	0	{
663		/* Code based on poptParseArgvString() from libpopt */
664	0	gint argc = 0;
665	0	gchar **argv = NULL;
666	0	GSList *tokens = NULL;
667	0	gint i;
668	0	GSList *tmp_list;
669
670	0	g_return_val_if_fail (command_line != NULL, FALSE);
671
672	0	tokens = tokenize_command_line (command_line, error);
673	0	if (tokens == NULL)
674	0	return FALSE;
675
676		/* Because we can't have introduced any new blank space into the
677		* tokens (we didn't do any new expansions), we don't need to
678		* perform field splitting. If we were going to honor IFS or do any
679		* expansions, we would have to do field splitting on each word
680		* here. Also, if we were going to do any expansion we would need to
681		* remove any zero-length words that didn't contain quotes
682		* originally; but since there's no expansion we know all words have
683		* nonzero length, unless they contain quotes.
684		*
685		* So, we simply remove quotes, and don't do any field splitting or
686		* empty word removal, since we know there was no way to introduce
687		* such things.
688		*/
689
690	0	argc = g_slist_length (tokens);
691	0	argv = g_new0 (gchar*, argc + 1);
692	0	i = 0;
693	0	tmp_list = tokens;
694	0	while (tmp_list)
695	0	{
696	0	argv[i] = g_shell_unquote (tmp_list->data, error);
697
698		/* Since we already checked that quotes matched up in the
699		* tokenizer, this shouldn't be possible to reach I guess.
700		*/
701	0	if (argv[i] == NULL)
702	0	goto failed;
703
704	0	tmp_list = g_slist_next (tmp_list);
705	0	++i;
706	0	}
707
708	0	g_slist_free_full (tokens, g_free);
709
710	0	g_assert (argc > 0);
711	0	g_assert (argv != NULL && argv[0] != NULL);
712
713	0	if (argcp)
714	0	*argcp = argc;
715
716	0	if (argvp)
717	0	*argvp = argv;
718	0	else
719	0	g_strfreev (argv);
720
721	0	return TRUE;
722
723	0	failed:
724
725	0	g_assert (error == NULL \|\| *error != NULL);
726	0	g_strfreev (argv);
727	0	g_slist_free_full (tokens, g_free);
728
729	0	return FALSE;
730	0	}