[thirdparty/git.git] / path.c

/*
 * I'm tired of doing "vsnprintf()" etc just to open a
 * file, so here's a "return static buffer with printf"
 * interface for paths.
 *
 * It's obviously not thread-safe. Sue me. But it's quite
 * useful for doing things like
 *
 *   f = open(mkpath("%s/%s.git", base, name), O_RDONLY);
 *
 * which is what it's designed for.
 */
#include "cache.h"
#include "strbuf.h"

static char bad_path[] = "/bad-path/";

static char *get_pathname(void)
{
	static char pathname_array[4][PATH_MAX];
	static int index;
	return pathname_array[3 & ++index];
}

static char *cleanup_path(char *path)
{
	/* Clean it up */
	if (!memcmp(path, "./", 2)) {
		path += 2;
		while (*path == '/')
			path++;
	}
	return path;
}

char *mksnpath(char *buf, size_t n, const char *fmt, ...)
{
	va_list args;
	unsigned len;

	va_start(args, fmt);
	len = vsnprintf(buf, n, fmt, args);
	va_end(args);
	if (len >= n) {
		strlcpy(buf, bad_path, n);
		return buf;
	}
	return cleanup_path(buf);
}

static char *git_vsnpath(char *buf, size_t n, const char *fmt, va_list args)
{
	const char *git_dir = get_git_dir();
	size_t len;

	len = strlen(git_dir);
	if (n < len + 1)
		goto bad;
	memcpy(buf, git_dir, len);
	if (len && !is_dir_sep(git_dir[len-1]))
		buf[len++] = '/';
	len += vsnprintf(buf + len, n - len, fmt, args);
	if (len >= n)
		goto bad;
	return cleanup_path(buf);
bad:
	strlcpy(buf, bad_path, n);
	return buf;
}

char *git_snpath(char *buf, size_t n, const char *fmt, ...)
{
	va_list args;
	va_start(args, fmt);
	(void)git_vsnpath(buf, n, fmt, args);
	va_end(args);
	return buf;
}

char *git_pathdup(const char *fmt, ...)
{
	char path[PATH_MAX];
	va_list args;
	va_start(args, fmt);
	(void)git_vsnpath(path, sizeof(path), fmt, args);
	va_end(args);
	return xstrdup(path);
}

char *mkpath(const char *fmt, ...)
{
	va_list args;
	unsigned len;
	char *pathname = get_pathname();

	va_start(args, fmt);
	len = vsnprintf(pathname, PATH_MAX, fmt, args);
	va_end(args);
	if (len >= PATH_MAX)
		return bad_path;
	return cleanup_path(pathname);
}

char *git_path(const char *fmt, ...)
{
	const char *git_dir = get_git_dir();
	char *pathname = get_pathname();
	va_list args;
	unsigned len;

	len = strlen(git_dir);
	if (len > PATH_MAX-100)
		return bad_path;
	memcpy(pathname, git_dir, len);
	if (len && git_dir[len-1] != '/')
		pathname[len++] = '/';
	va_start(args, fmt);
	len += vsnprintf(pathname + len, PATH_MAX - len, fmt, args);
	va_end(args);
	if (len >= PATH_MAX)
		return bad_path;
	return cleanup_path(pathname);
}


/* git_mkstemp() - create tmp file honoring TMPDIR variable */
int git_mkstemp(char *path, size_t len, const char *template)
{
	const char *tmp;
	size_t n;

	tmp = getenv("TMPDIR");
	if (!tmp)
		tmp = "/tmp";
	n = snprintf(path, len, "%s/%s", tmp, template);
	if (len <= n) {
		errno = ENAMETOOLONG;
		return -1;
	}
	return mkstemp(path);
}

/* git_mkstemps() - create tmp file with suffix honoring TMPDIR variable. */
int git_mkstemps(char *path, size_t len, const char *template, int suffix_len)
{
	const char *tmp;
	size_t n;

	tmp = getenv("TMPDIR");
	if (!tmp)
		tmp = "/tmp";
	n = snprintf(path, len, "%s/%s", tmp, template);
	if (len <= n) {
		errno = ENAMETOOLONG;
		return -1;
	}
	return mkstemps(path, suffix_len);
}

/* Adapted from libiberty's mkstemp.c. */

#undef TMP_MAX
#define TMP_MAX 16384

int gitmkstemps(char *pattern, int suffix_len)
{
	static const char letters[] =
		"abcdefghijklmnopqrstuvwxyz"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"0123456789";
	static const int num_letters = 62;
	uint64_t value;
	struct timeval tv;
	char *template;
	size_t len;
	int fd, count;

	len = strlen(pattern);

	if (len < 6 + suffix_len) {
		errno = EINVAL;
		return -1;
	}

	if (strncmp(&pattern[len - 6 - suffix_len], "XXXXXX", 6)) {
		errno = EINVAL;
		return -1;
	}

	/*
	 * Replace pattern's XXXXXX characters with randomness.
	 * Try TMP_MAX different filenames.
	 */
	gettimeofday(&tv, NULL);
	value = ((size_t)(tv.tv_usec << 16)) ^ tv.tv_sec ^ getpid();
	template = &pattern[len - 6 - suffix_len];
	for (count = 0; count < TMP_MAX; ++count) {
		uint64_t v = value;
		/* Fill in the random bits. */
		template[0] = letters[v % num_letters]; v /= num_letters;
		template[1] = letters[v % num_letters]; v /= num_letters;
		template[2] = letters[v % num_letters]; v /= num_letters;
		template[3] = letters[v % num_letters]; v /= num_letters;
		template[4] = letters[v % num_letters]; v /= num_letters;
		template[5] = letters[v % num_letters]; v /= num_letters;

		fd = open(pattern, O_CREAT | O_EXCL | O_RDWR, 0600);
		if (fd > 0)
			return fd;
		/*
		 * Fatal error (EPERM, ENOSPC etc).
		 * It doesn't make sense to loop.
		 */
		if (errno != EEXIST)
			break;
		/*
		 * This is a random value.  It is only necessary that
		 * the next TMP_MAX values generated by adding 7777 to
		 * VALUE are different with (module 2^32).
		 */
		value += 7777;
	}
	/* We return the null string if we can't find a unique file name.  */
	pattern[0] = '\0';
	errno = EINVAL;
	return -1;
}

int validate_headref(const char *path)
{
	struct stat st;
	char *buf, buffer[256];
	unsigned char sha1[20];
	int fd;
	ssize_t len;

	if (lstat(path, &st) < 0)
		return -1;

	/* Make sure it is a "refs/.." symlink */
	if (S_ISLNK(st.st_mode)) {
		len = readlink(path, buffer, sizeof(buffer)-1);
		if (len >= 5 && !memcmp("refs/", buffer, 5))
			return 0;
		return -1;
	}

	/*
	 * Anything else, just open it and try to see if it is a symbolic ref.
	 */
	fd = open(path, O_RDONLY);
	if (fd < 0)
		return -1;
	len = read_in_full(fd, buffer, sizeof(buffer)-1);
	close(fd);

	/*
	 * Is it a symbolic ref?
	 */
	if (len < 4)
		return -1;
	if (!memcmp("ref:", buffer, 4)) {
		buf = buffer + 4;
		len -= 4;
		while (len && isspace(*buf))
			buf++, len--;
		if (len >= 5 && !memcmp("refs/", buf, 5))
			return 0;
	}

	/*
	 * Is this a detached HEAD?
	 */
	if (!get_sha1_hex(buffer, sha1))
		return 0;

	return -1;
}

static struct passwd *getpw_str(const char *username, size_t len)
{
	struct passwd *pw;
	char *username_z = xmalloc(len + 1);
	memcpy(username_z, username, len);
	username_z[len] = '\0';
	pw = getpwnam(username_z);
	free(username_z);
	return pw;
}

/*
 * Return a string with ~ and ~user expanded via getpw*.  If buf != NULL,
 * then it is a newly allocated string. Returns NULL on getpw failure or
 * if path is NULL.
 */
char *expand_user_path(const char *path)
{
	struct strbuf user_path = STRBUF_INIT;
	const char *first_slash = strchrnul(path, '/');
	const char *to_copy = path;

	if (path == NULL)
		goto return_null;
	if (path[0] == '~') {
		const char *username = path + 1;
		size_t username_len = first_slash - username;
		if (username_len == 0) {
			const char *home = getenv("HOME");
			strbuf_add(&user_path, home, strlen(home));
		} else {
			struct passwd *pw = getpw_str(username, username_len);
			if (!pw)
				goto return_null;
			strbuf_add(&user_path, pw->pw_dir, strlen(pw->pw_dir));
		}
		to_copy = first_slash;
	}
	strbuf_add(&user_path, to_copy, strlen(to_copy));
	return strbuf_detach(&user_path, NULL);
return_null:
	strbuf_release(&user_path);
	return NULL;
}

/*
 * First, one directory to try is determined by the following algorithm.
 *
 * (0) If "strict" is given, the path is used as given and no DWIM is
 *     done. Otherwise:
 * (1) "~/path" to mean path under the running user's home directory;
 * (2) "~user/path" to mean path under named user's home directory;
 * (3) "relative/path" to mean cwd relative directory; or
 * (4) "/absolute/path" to mean absolute directory.
 *
 * Unless "strict" is given, we try access() for existence of "%s.git/.git",
 * "%s/.git", "%s.git", "%s" in this order.  The first one that exists is
 * what we try.
 *
 * Second, we try chdir() to that.  Upon failure, we return NULL.
 *
 * Then, we try if the current directory is a valid git repository.
 * Upon failure, we return NULL.
 *
 * If all goes well, we return the directory we used to chdir() (but
 * before ~user is expanded), avoiding getcwd() resolving symbolic
 * links.  User relative paths are also returned as they are given,
 * except DWIM suffixing.
 */
char *enter_repo(char *path, int strict)
{
	static char used_path[PATH_MAX];
	static char validated_path[PATH_MAX];

	if (!path)
		return NULL;

	if (!strict) {
		static const char *suffix[] = {
			".git/.git", "/.git", ".git", "", NULL,
		};
		int len = strlen(path);
		int i;
		while ((1 < len) && (path[len-1] == '/')) {
			path[len-1] = 0;
			len--;
		}
		if (PATH_MAX <= len)
			return NULL;
		if (path[0] == '~') {
			char *newpath = expand_user_path(path);
			if (!newpath || (PATH_MAX - 10 < strlen(newpath))) {
				free(newpath);
				return NULL;
			}
			/*
			 * Copy back into the static buffer. A pity
			 * since newpath was not bounded, but other
			 * branches of the if are limited by PATH_MAX
			 * anyway.
			 */
			strcpy(used_path, newpath); free(newpath);
			strcpy(validated_path, path);
			path = used_path;
		}
		else if (PATH_MAX - 10 < len)
			return NULL;
		else {
			path = strcpy(used_path, path);
			strcpy(validated_path, path);
		}
		len = strlen(path);
		for (i = 0; suffix[i]; i++) {
			strcpy(path + len, suffix[i]);
			if (!access(path, F_OK)) {
				strcat(validated_path, suffix[i]);
				break;
			}
		}
		if (!suffix[i] || chdir(path))
			return NULL;
		path = validated_path;
	}
	else if (chdir(path))
		return NULL;

	if (access("objects", X_OK) == 0 && access("refs", X_OK) == 0 &&
	    validate_headref("HEAD") == 0) {
		setenv(GIT_DIR_ENVIRONMENT, ".", 1);
		check_repository_format();
		return path;
	}

	return NULL;
}

int set_shared_perm(const char *path, int mode)
{
	struct stat st;
	int tweak, shared, orig_mode;

	if (!shared_repository) {
		if (mode)
			return chmod(path, mode & ~S_IFMT);
		return 0;
	}
	if (!mode) {
		if (lstat(path, &st) < 0)
			return -1;
		mode = st.st_mode;
		orig_mode = mode;
	} else
		orig_mode = 0;
	if (shared_repository < 0)
		shared = -shared_repository;
	else
		shared = shared_repository;
	tweak = shared;

	if (!(mode & S_IWUSR))
		tweak &= ~0222;
	if (mode & S_IXUSR)
		/* Copy read bits to execute bits */
		tweak |= (tweak & 0444) >> 2;
	if (shared_repository < 0)
		mode = (mode & ~0777) | tweak;
	else
		mode |= tweak;

	if (S_ISDIR(mode)) {
		/* Copy read bits to execute bits */
		mode |= (shared & 0444) >> 2;
		mode |= FORCE_DIR_SET_GID;
	}

	if (((shared_repository < 0
	      ? (orig_mode & (FORCE_DIR_SET_GID | 0777))
	      : (orig_mode & mode)) != mode) &&
	    chmod(path, (mode & ~S_IFMT)) < 0)
		return -2;
	return 0;
}

const char *make_relative_path(const char *abs, const char *base)
{
	static char buf[PATH_MAX + 1];
	int i = 0, j = 0;

	if (!base || !base[0])
		return abs;
	while (base[i]) {
		if (is_dir_sep(base[i])) {
			if (!is_dir_sep(abs[j]))
				return abs;
			while (is_dir_sep(base[i]))
				i++;
			while (is_dir_sep(abs[j]))
				j++;
			continue;
		} else if (abs[j] != base[i]) {
			return abs;
		}
		i++;
		j++;
	}
	if (
	    /* "/foo" is a prefix of "/foo" */
	    abs[j] &&
	    /* "/foo" is not a prefix of "/foobar" */
	    !is_dir_sep(base[i-1]) && !is_dir_sep(abs[j])
	   )
		return abs;
	while (is_dir_sep(abs[j]))
		j++;
	if (!abs[j])
		strcpy(buf, ".");
	else
		strcpy(buf, abs + j);
	return buf;
}

/*
 * It is okay if dst == src, but they should not overlap otherwise.
 *
 * Performs the following normalizations on src, storing the result in dst:
 * - Ensures that components are separated by '/' (Windows only)
 * - Squashes sequences of '/'.
 * - Removes "." components.
 * - Removes ".." components, and the components the precede them.
 * Returns failure (non-zero) if a ".." component appears as first path
 * component anytime during the normalization. Otherwise, returns success (0).
 *
 * Note that this function is purely textual.  It does not follow symlinks,
 * verify the existence of the path, or make any system calls.
 */
int normalize_path_copy(char *dst, const char *src)
{
	char *dst0;

	if (has_dos_drive_prefix(src)) {
		*dst++ = *src++;
		*dst++ = *src++;
	}
	dst0 = dst;

	if (is_dir_sep(*src)) {
		*dst++ = '/';
		while (is_dir_sep(*src))
			src++;
	}

	for (;;) {
		char c = *src;

		/*
		 * A path component that begins with . could be
		 * special:
		 * (1) "." and ends   -- ignore and terminate.
		 * (2) "./"           -- ignore them, eat slash and continue.
		 * (3) ".." and ends  -- strip one and terminate.
		 * (4) "../"          -- strip one, eat slash and continue.
		 */
		if (c == '.') {
			if (!src[1]) {
				/* (1) */
				src++;
			} else if (is_dir_sep(src[1])) {
				/* (2) */
				src += 2;
				while (is_dir_sep(*src))
					src++;
				continue;
			} else if (src[1] == '.') {
				if (!src[2]) {
					/* (3) */
					src += 2;
					goto up_one;
				} else if (is_dir_sep(src[2])) {
					/* (4) */
					src += 3;
					while (is_dir_sep(*src))
						src++;
					goto up_one;
				}
			}
		}

		/* copy up to the next '/', and eat all '/' */
		while ((c = *src++) != '\0' && !is_dir_sep(c))
			*dst++ = c;
		if (is_dir_sep(c)) {
			*dst++ = '/';
			while (is_dir_sep(c))
				c = *src++;
			src--;
		} else if (!c)
			break;
		continue;

	up_one:
		/*
		 * dst0..dst is prefix portion, and dst[-1] is '/';
		 * go up one level.
		 */
		dst--;	/* go to trailing '/' */
		if (dst <= dst0)
			return -1;
		/* Windows: dst[-1] cannot be backslash anymore */
		while (dst0 < dst && dst[-1] != '/')
			dst--;
	}
	*dst = '\0';
	return 0;
}

/*
 * path = Canonical absolute path
 * prefix_list = Colon-separated list of absolute paths
 *
 * Determines, for each path in prefix_list, whether the "prefix" really
 * is an ancestor directory of path.  Returns the length of the longest
 * ancestor directory, excluding any trailing slashes, or -1 if no prefix
 * is an ancestor.  (Note that this means 0 is returned if prefix_list is
 * "/".) "/foo" is not considered an ancestor of "/foobar".  Directories
 * are not considered to be their own ancestors.  path must be in a
 * canonical form: empty components, or "." or ".." components are not
 * allowed.  prefix_list may be null, which is like "".
 */
int longest_ancestor_length(const char *path, const char *prefix_list)
{
	char buf[PATH_MAX+1];
	const char *ceil, *colon;
	int len, max_len = -1;

	if (prefix_list == NULL || !strcmp(path, "/"))
		return -1;

	for (colon = ceil = prefix_list; *colon; ceil = colon+1) {
		for (colon = ceil; *colon && *colon != PATH_SEP; colon++);
		len = colon - ceil;
		if (len == 0 || len > PATH_MAX || !is_absolute_path(ceil))
			continue;
		strlcpy(buf, ceil, len+1);
		if (normalize_path_copy(buf, buf) < 0)
			continue;
		len = strlen(buf);
		if (len > 0 && buf[len-1] == '/')
			buf[--len] = '\0';

		if (!strncmp(path, buf, len) &&
		    path[len] == '/' &&
		    len > max_len) {
			max_len = len;
		}
	}

	return max_len;
}

/* strip arbitrary amount of directory separators at end of path */
static inline int chomp_trailing_dir_sep(const char *path, int len)
{
	while (len && is_dir_sep(path[len - 1]))
		len--;
	return len;
}

/*
 * If path ends with suffix (complete path components), returns the
 * part before suffix (sans trailing directory separators).
 * Otherwise returns NULL.
 */
char *strip_path_suffix(const char *path, const char *suffix)
{
	int path_len = strlen(path), suffix_len = strlen(suffix);

	while (suffix_len) {
		if (!path_len)
			return NULL;

		if (is_dir_sep(path[path_len - 1])) {
			if (!is_dir_sep(suffix[suffix_len - 1]))
				return NULL;
			path_len = chomp_trailing_dir_sep(path, path_len);
			suffix_len = chomp_trailing_dir_sep(suffix, suffix_len);
		}
		else if (path[--path_len] != suffix[--suffix_len])
			return NULL;
	}

	if (path_len && !is_dir_sep(path[path_len - 1]))
		return NULL;
	return xstrndup(path, chomp_trailing_dir_sep(path, path_len));
}

int daemon_avoid_alias(const char *p)
{
	int sl, ndot;

	/*
	 * This resurrects the belts and suspenders paranoia check by HPA
	 * done in <435560F7.4080006@zytor.com> thread, now enter_repo()
	 * does not do getcwd() based path canonicalizations.
	 *
	 * sl becomes true immediately after seeing '/' and continues to
	 * be true as long as dots continue after that without intervening
	 * non-dot character.
	 */
	if (!p || (*p != '/' && *p != '~'))
		return -1;
	sl = 1; ndot = 0;
	p++;

	while (1) {
		char ch = *p++;
		if (sl) {
			if (ch == '.')
				ndot++;
			else if (ch == '/') {
				if (ndot < 3)
					/* reject //, /./ and /../ */
					return -1;
				ndot = 0;
			}
			else if (ch == 0) {
				if (0 < ndot && ndot < 3)
					/* reject /.$ and /..$ */
					return -1;
				return 0;
			}
			else
				sl = ndot = 0;
		}
		else if (ch == 0)
			return 0;
		else if (ch == '/') {
			sl = 1;
			ndot = 0;
		}
	}
}
Commit	Line	Data
26c8a533 LT	1	/*
	2	* I'm tired of doing "vsnprintf()" etc just to open a
	3	* file, so here's a "return static buffer with printf"
	4	* interface for paths.
	5	*
	6	* It's obviously not thread-safe. Sue me. But it's quite
	7	* useful for doing things like
	8	*
	9	* f = open(mkpath("%s/%s.git", base, name), O_RDONLY);
	10	*
	11	* which is what it's designed for.
	12	*/
	13	#include "cache.h"
395de250	14	#include "strbuf.h"
26c8a533	15
26c8a533 LT	16	static char bad_path[] = "/bad-path/";
26c8a533 LT	17
e7676d2f LT	18	static char *get_pathname(void)
	19	{
	20	static char pathname_array[4][PATH_MAX];
	21	static int index;
	22	return pathname_array[3 & ++index];
	23	}
	24
26c8a533 LT	25	static char cleanup_path(char path)
	26	{
	27	/* Clean it up */
	28	if (!memcmp(path, "./", 2)) {
	29	path += 2;
	30	while (*path == '/')
	31	path++;
	32	}
	33	return path;
	34	}
	35
108bebea AR	36	char mksnpath(char buf, size_t n, const char *fmt, ...)
	37	{
	38	va_list args;
	39	unsigned len;
	40
	41	va_start(args, fmt);
	42	len = vsnprintf(buf, n, fmt, args);
	43	va_end(args);
	44	if (len >= n) {
9db56f71	45	strlcpy(buf, bad_path, n);
108bebea AR	46	return buf;
	47	}
	48	return cleanup_path(buf);
	49	}
	50
aba13e7c	51	static char git_vsnpath(char buf, size_t n, const char *fmt, va_list args)
fe2d7776 AR	52	{
fe2d7776 AR	53	const char *git_dir = get_git_dir();
fe2d7776 AR	54	size_t len;
	55
	56	len = strlen(git_dir);
	57	if (n < len + 1)
	58	goto bad;
	59	memcpy(buf, git_dir, len);
	60	if (len && !is_dir_sep(git_dir[len-1]))
	61	buf[len++] = '/';
fe2d7776	62	len += vsnprintf(buf + len, n - len, fmt, args);
fe2d7776 AR	63	if (len >= n)
	64	goto bad;
	65	return cleanup_path(buf);
	66	bad:
9db56f71	67	strlcpy(buf, bad_path, n);
fe2d7776 AR	68	return buf;
	69	}
	70
aba13e7c AR	71	char git_snpath(char buf, size_t n, const char *fmt, ...)
	72	{
	73	va_list args;
	74	va_start(args, fmt);
	75	(void)git_vsnpath(buf, n, fmt, args);
	76	va_end(args);
	77	return buf;
	78	}
	79
	80	char git_pathdup(const char fmt, ...)
	81	{
	82	char path[PATH_MAX];
	83	va_list args;
	84	va_start(args, fmt);
	85	(void)git_vsnpath(path, sizeof(path), fmt, args);
	86	va_end(args);
	87	return xstrdup(path);
	88	}
	89
26c8a533 LT	90	char mkpath(const char fmt, ...)
	91	{
	92	va_list args;
	93	unsigned len;
e7676d2f	94	char *pathname = get_pathname();
26c8a533 LT	95
	96	va_start(args, fmt);
	97	len = vsnprintf(pathname, PATH_MAX, fmt, args);
	98	va_end(args);
	99	if (len >= PATH_MAX)
	100	return bad_path;
	101	return cleanup_path(pathname);
	102	}
	103
	104	char git_path(const char fmt, ...)
	105	{
5da1606d	106	const char *git_dir = get_git_dir();
e7676d2f	107	char *pathname = get_pathname();
26c8a533 LT	108	va_list args;
	109	unsigned len;
	110
	111	len = strlen(git_dir);
	112	if (len > PATH_MAX-100)
	113	return bad_path;
	114	memcpy(pathname, git_dir, len);
	115	if (len && git_dir[len-1] != '/')
	116	pathname[len++] = '/';
	117	va_start(args, fmt);
	118	len += vsnprintf(pathname + len, PATH_MAX - len, fmt, args);
	119	va_end(args);
	120	if (len >= PATH_MAX)
	121	return bad_path;
	122	return cleanup_path(pathname);
	123	}
f2db68ed HE	124
	125
	126	/* git_mkstemp() - create tmp file honoring TMPDIR variable */
	127	int git_mkstemp(char path, size_t len, const char template)
	128	{
e7a7be88 JH	129	const char *tmp;
	130	size_t n;
	131
	132	tmp = getenv("TMPDIR");
	133	if (!tmp)
	134	tmp = "/tmp";
	135	n = snprintf(path, len, "%s/%s", tmp, template);
	136	if (len <= n) {
	137	errno = ENAMETOOLONG;
	138	return -1;
35c3c629	139	}
f2db68ed HE	140	return mkstemp(path);
	141	}
	142
003b33a8 DA	143	/* git_mkstemps() - create tmp file with suffix honoring TMPDIR variable. */
	144	int git_mkstemps(char path, size_t len, const char template, int suffix_len)
	145	{
	146	const char *tmp;
	147	size_t n;
	148
	149	tmp = getenv("TMPDIR");
	150	if (!tmp)
	151	tmp = "/tmp";
	152	n = snprintf(path, len, "%s/%s", tmp, template);
	153	if (len <= n) {
	154	errno = ENAMETOOLONG;
	155	return -1;
	156	}
	157	return mkstemps(path, suffix_len);
	158	}
f2db68ed	159
00787ed5 MM	160	/* Adapted from libiberty's mkstemp.c. */
	161
	162	#undef TMP_MAX
	163	#define TMP_MAX 16384
	164
	165	int gitmkstemps(char *pattern, int suffix_len)
	166	{
	167	static const char letters[] =
	168	"abcdefghijklmnopqrstuvwxyz"
	169	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	170	"0123456789";
	171	static const int num_letters = 62;
	172	uint64_t value;
	173	struct timeval tv;
	174	char *template;
	175	size_t len;
	176	int fd, count;
	177
	178	len = strlen(pattern);
	179
	180	if (len < 6 + suffix_len) {
	181	errno = EINVAL;
	182	return -1;
	183	}
	184
	185	if (strncmp(&pattern[len - 6 - suffix_len], "XXXXXX", 6)) {
	186	errno = EINVAL;
	187	return -1;
	188	}
	189
	190	/*
	191	* Replace pattern's XXXXXX characters with randomness.
	192	* Try TMP_MAX different filenames.
	193	*/
	194	gettimeofday(&tv, NULL);
	195	value = ((size_t)(tv.tv_usec << 16)) ^ tv.tv_sec ^ getpid();
	196	template = &pattern[len - 6 - suffix_len];
	197	for (count = 0; count < TMP_MAX; ++count) {
	198	uint64_t v = value;
	199	/* Fill in the random bits. */
	200	template[0] = letters[v % num_letters]; v /= num_letters;
	201	template[1] = letters[v % num_letters]; v /= num_letters;
	202	template[2] = letters[v % num_letters]; v /= num_letters;
	203	template[3] = letters[v % num_letters]; v /= num_letters;
	204	template[4] = letters[v % num_letters]; v /= num_letters;
	205	template[5] = letters[v % num_letters]; v /= num_letters;
	206
	207	fd = open(pattern, O_CREAT \| O_EXCL \| O_RDWR, 0600);
	208	if (fd > 0)
	209	return fd;
	210	/*
	211	* Fatal error (EPERM, ENOSPC etc).
	212	* It doesn't make sense to loop.
	213	*/
	214	if (errno != EEXIST)
	215	break;
	216	/*
	217	* This is a random value. It is only necessary that
	218	* the next TMP_MAX values generated by adding 7777 to
	219	* VALUE are different with (module 2^32).
	220	*/
	221	value += 7777;
	222	}
	223	/* We return the null string if we can't find a unique file name. */
224	pattern[0] = '\0';
225	errno = EINVAL;
226	return -1;
227	}
228
c847f537	229	int validate_headref(const char *path)
0870ca7f JH	230	{
	231	struct stat st;
	232	char *buf, buffer[256];
c847f537	233	unsigned char sha1[20];
0104ca09 HO	234	int fd;
0104ca09 HO	235	ssize_t len;
0870ca7f JH	236
	237	if (lstat(path, &st) < 0)
	238	return -1;
	239
	240	/* Make sure it is a "refs/.." symlink */
	241	if (S_ISLNK(st.st_mode)) {
	242	len = readlink(path, buffer, sizeof(buffer)-1);
222b1673	243	if (len >= 5 && !memcmp("refs/", buffer, 5))
0870ca7f JH	244	return 0;
	245	return -1;
	246	}
	247
	248	/*
	249	* Anything else, just open it and try to see if it is a symbolic ref.
	250	*/
	251	fd = open(path, O_RDONLY);
	252	if (fd < 0)
	253	return -1;
93d26e4c	254	len = read_in_full(fd, buffer, sizeof(buffer)-1);
0870ca7f JH	255	close(fd);
	256
	257	/*
	258	* Is it a symbolic ref?
	259	*/
c847f537	260	if (len < 4)
0870ca7f	261	return -1;
c847f537 JH	262	if (!memcmp("ref:", buffer, 4)) {
	263	buf = buffer + 4;
	264	len -= 4;
	265	while (len && isspace(*buf))
	266	buf++, len--;
222b1673	267	if (len >= 5 && !memcmp("refs/", buf, 5))
c847f537 JH	268	return 0;
	269	}
	270
	271	/*
	272	* Is this a detached HEAD?
	273	*/
	274	if (!get_sha1_hex(buffer, sha1))
0870ca7f	275	return 0;
c847f537	276
0870ca7f JH	277	return -1;
	278	}
	279
395de250	280	static struct passwd getpw_str(const char username, size_t len)
54f4b874	281	{
d79374c7	282	struct passwd *pw;
395de250 MM	283	char *username_z = xmalloc(len + 1);
	284	memcpy(username_z, username, len);
	285	username_z[len] = '\0';
	286	pw = getpwnam(username_z);
	287	free(username_z);
	288	return pw;
	289	}
54f4b874	290
395de250 MM	291	/*
	292	* Return a string with ~ and ~user expanded via getpw*. If buf != NULL,
	293	* then it is a newly allocated string. Returns NULL on getpw failure or
	294	* if path is NULL.
	295	*/
	296	char expand_user_path(const char path)
	297	{
	298	struct strbuf user_path = STRBUF_INIT;
	299	const char *first_slash = strchrnul(path, '/');
	300	const char *to_copy = path;
	301
	302	if (path == NULL)
	303	goto return_null;
	304	if (path[0] == '~') {
	305	const char *username = path + 1;
	306	size_t username_len = first_slash - username;
df2a79f4 MM	307	if (username_len == 0) {
	308	const char *home = getenv("HOME");
	309	strbuf_add(&user_path, home, strlen(home));
	310	} else {
	311	struct passwd *pw = getpw_str(username, username_len);
	312	if (!pw)
	313	goto return_null;
	314	strbuf_add(&user_path, pw->pw_dir, strlen(pw->pw_dir));
54f4b874	315	}
395de250	316	to_copy = first_slash;
d79374c7	317	}
395de250 MM	318	strbuf_add(&user_path, to_copy, strlen(to_copy));
	319	return strbuf_detach(&user_path, NULL);
	320	return_null:
	321	strbuf_release(&user_path);
	322	return NULL;
54f4b874 AE	323	}
54f4b874 AE	324
d79374c7 JH	325	/*
	326	* First, one directory to try is determined by the following algorithm.
	327	*
	328	* (0) If "strict" is given, the path is used as given and no DWIM is
	329	* done. Otherwise:
	330	* (1) "~/path" to mean path under the running user's home directory;
	331	* (2) "~user/path" to mean path under named user's home directory;
	332	* (3) "relative/path" to mean cwd relative directory; or
	333	* (4) "/absolute/path" to mean absolute directory.
	334	*
	335	* Unless "strict" is given, we try access() for existence of "%s.git/.git",
	336	* "%s/.git", "%s.git", "%s" in this order. The first one that exists is
	337	* what we try.
	338	*
	339	* Second, we try chdir() to that. Upon failure, we return NULL.
	340	*
	341	* Then, we try if the current directory is a valid git repository.
	342	* Upon failure, we return NULL.
	343	*
	344	* If all goes well, we return the directory we used to chdir() (but
	345	* before ~user is expanded), avoiding getcwd() resolving symbolic
	346	* links. User relative paths are also returned as they are given,
	347	* except DWIM suffixing.
	348	*/
54f4b874 AE	349	char enter_repo(char path, int strict)
54f4b874 AE	350	{
d79374c7 JH	351	static char used_path[PATH_MAX];
	352	static char validated_path[PATH_MAX];
	353
	354	if (!path)
54f4b874 AE	355	return NULL;
54f4b874 AE	356
d79374c7 JH	357	if (!strict) {
	358	static const char *suffix[] = {
	359	".git/.git", "/.git", ".git", "", NULL,
	360	};
	361	int len = strlen(path);
	362	int i;
	363	while ((1 < len) && (path[len-1] == '/')) {
	364	path[len-1] = 0;
	365	len--;
	366	}
	367	if (PATH_MAX <= len)
54f4b874	368	return NULL;
d79374c7	369	if (path[0] == '~') {
395de250 MM	370	char *newpath = expand_user_path(path);
	371	if (!newpath \|\| (PATH_MAX - 10 < strlen(newpath))) {
	372	free(newpath);
d79374c7	373	return NULL;
395de250 MM	374	}
	375	/*
	376	* Copy back into the static buffer. A pity
	377	* since newpath was not bounded, but other
	378	* branches of the if are limited by PATH_MAX
	379	* anyway.
	380	*/
	381	strcpy(used_path, newpath); free(newpath);
d79374c7 JH	382	strcpy(validated_path, path);
	383	path = used_path;
	384	}
	385	else if (PATH_MAX - 10 < len)
	386	return NULL;
	387	else {
	388	path = strcpy(used_path, path);
	389	strcpy(validated_path, path);
	390	}
	391	len = strlen(path);
	392	for (i = 0; suffix[i]; i++) {
	393	strcpy(path + len, suffix[i]);
	394	if (!access(path, F_OK)) {
	395	strcat(validated_path, suffix[i]);
	396	break;
	397	}
	398	}
	399	if (!suffix[i] \|\| chdir(path))
0870ca7f	400	return NULL;
d79374c7	401	path = validated_path;
0870ca7f	402	}
d79374c7 JH	403	else if (chdir(path))
d79374c7 JH	404	return NULL;
54f4b874	405
d79374c7	406	if (access("objects", X_OK) == 0 && access("refs", X_OK) == 0 &&
c847f537	407	validate_headref("HEAD") == 0) {
7627943a	408	setenv(GIT_DIR_ENVIRONMENT, ".", 1);
1644162a	409	check_repository_format();
d79374c7	410	return path;
54f4b874 AE	411	}
	412
	413	return NULL;
	414	}
138086a7	415
17e61b82	416	int set_shared_perm(const char *path, int mode)
138086a7 JH	417	{
138086a7 JH	418	struct stat st;
17e61b82	419	int tweak, shared, orig_mode;
138086a7	420
17e61b82 JH	421	if (!shared_repository) {
	422	if (mode)
	423	return chmod(path, mode & ~S_IFMT);
138086a7	424	return 0;
17e61b82 JH	425	}
	426	if (!mode) {
	427	if (lstat(path, &st) < 0)
	428	return -1;
	429	mode = st.st_mode;
	430	orig_mode = mode;
	431	} else
	432	orig_mode = 0;
5a688fe4 JH	433	if (shared_repository < 0)
	434	shared = -shared_repository;
	435	else
	436	shared = shared_repository;
	437	tweak = shared;
	438
	439	if (!(mode & S_IWUSR))
	440	tweak &= ~0222;
	441	if (mode & S_IXUSR)
	442	/* Copy read bits to execute bits */
	443	tweak \|= (tweak & 0444) >> 2;
	444	if (shared_repository < 0)
	445	mode = (mode & ~0777) \| tweak;
	446	else
8c6202d8	447	mode \|= tweak;
06cbe855 HO	448
06cbe855 HO	449	if (S_ISDIR(mode)) {
06cbe855	450	/* Copy read bits to execute bits */
5a688fe4 JH	451	mode \|= (shared & 0444) >> 2;
5a688fe4 JH	452	mode \|= FORCE_DIR_SET_GID;
06cbe855 HO	453	}
06cbe855 HO	454
5a688fe4	455	if (((shared_repository < 0
17e61b82 JH	456	? (orig_mode & (FORCE_DIR_SET_GID \| 0777))
	457	: (orig_mode & mode)) != mode) &&
	458	chmod(path, (mode & ~S_IFMT)) < 0)
138086a7 JH	459	return -2;
	460	return 0;
	461	}
e5392c51	462
044bbbcb LT	463	const char make_relative_path(const char abs, const char *base)
	464	{
	465	static char buf[PATH_MAX + 1];
288123f0 JH	466	int i = 0, j = 0;
	467
	468	if (!base \|\| !base[0])
044bbbcb	469	return abs;
288123f0 JH	470	while (base[i]) {
	471	if (is_dir_sep(base[i])) {
	472	if (!is_dir_sep(abs[j]))
	473	return abs;
	474	while (is_dir_sep(base[i]))
	475	i++;
	476	while (is_dir_sep(abs[j]))
	477	j++;
	478	continue;
	479	} else if (abs[j] != base[i]) {
	480	return abs;
	481	}
	482	i++;
	483	j++;
	484	}
	485	if (
	486	/* "/foo" is a prefix of "/foo" */
	487	abs[j] &&
	488	/* "/foo" is not a prefix of "/foobar" */
	489	!is_dir_sep(base[i-1]) && !is_dir_sep(abs[j])
	490	)
044bbbcb	491	return abs;
288123f0 JH	492	while (is_dir_sep(abs[j]))
	493	j++;
	494	if (!abs[j])
	495	strcpy(buf, ".");
	496	else
	497	strcpy(buf, abs + j);
044bbbcb LT	498	return buf;
044bbbcb LT	499	}
ae299be0 DR	500
ae299be0 DR	501	/*
f2a782b8	502	* It is okay if dst == src, but they should not overlap otherwise.
ae299be0	503	*
f2a782b8 JS	504	* Performs the following normalizations on src, storing the result in dst:
	505	* - Ensures that components are separated by '/' (Windows only)
	506	* - Squashes sequences of '/'.
ae299be0 DR	507	* - Removes "." components.
ae299be0 DR	508	* - Removes ".." components, and the components the precede them.
f2a782b8 JS	509	* Returns failure (non-zero) if a ".." component appears as first path
f2a782b8 JS	510	* component anytime during the normalization. Otherwise, returns success (0).
ae299be0 DR	511	*
	512	* Note that this function is purely textual. It does not follow symlinks,
	513	* verify the existence of the path, or make any system calls.
	514	*/
f3cad0ad	515	int normalize_path_copy(char dst, const char src)
ae299be0	516	{
f3cad0ad	517	char *dst0;
ae299be0	518
f3cad0ad JS	519	if (has_dos_drive_prefix(src)) {
	520	dst++ = src++;
	521	dst++ = src++;
ae299be0	522	}
f3cad0ad	523	dst0 = dst;
ae299be0	524
f3cad0ad	525	if (is_dir_sep(*src)) {
ae299be0	526	*dst++ = '/';
f3cad0ad JS	527	while (is_dir_sep(*src))
	528	src++;
	529	}
	530
	531	for (;;) {
	532	char c = *src;
	533
	534	/*
	535	* A path component that begins with . could be
	536	* special:
	537	* (1) "." and ends -- ignore and terminate.
	538	* (2) "./" -- ignore them, eat slash and continue.
	539	* (3) ".." and ends -- strip one and terminate.
	540	* (4) "../" -- strip one, eat slash and continue.
	541	*/
	542	if (c == '.') {
	543	if (!src[1]) {
	544	/* (1) */
	545	src++;
	546	} else if (is_dir_sep(src[1])) {
	547	/* (2) */
	548	src += 2;
	549	while (is_dir_sep(*src))
	550	src++;
	551	continue;
	552	} else if (src[1] == '.') {
	553	if (!src[2]) {
	554	/* (3) */
	555	src += 2;
	556	goto up_one;
	557	} else if (is_dir_sep(src[2])) {
	558	/* (4) */
	559	src += 3;
	560	while (is_dir_sep(*src))
	561	src++;
	562	goto up_one;
	563	}
	564	}
	565	}
ae299be0	566
f3cad0ad JS	567	/* copy up to the next '/', and eat all '/' */
	568	while ((c = *src++) != '\0' && !is_dir_sep(c))
	569	*dst++ = c;
	570	if (is_dir_sep(c)) {
	571	*dst++ = '/';
	572	while (is_dir_sep(c))
	573	c = *src++;
	574	src--;
	575	} else if (!c)
	576	break;
	577	continue;
	578
	579	up_one:
	580	/*
	581	* dst0..dst is prefix portion, and dst[-1] is '/';
	582	* go up one level.
	583	*/
f42302b4 JS	584	dst--; /* go to trailing '/' */
f42302b4 JS	585	if (dst <= dst0)
f3cad0ad	586	return -1;
f42302b4 JS	587	/* Windows: dst[-1] cannot be backslash anymore */
	588	while (dst0 < dst && dst[-1] != '/')
	589	dst--;
f3cad0ad	590	}
ae299be0	591	*dst = '\0';
f3cad0ad	592	return 0;
ae299be0	593	}
0454dd93 DR	594
	595	/*
	596	* path = Canonical absolute path
	597	* prefix_list = Colon-separated list of absolute paths
	598	*
2860b57a	599	* Determines, for each path in prefix_list, whether the "prefix" really
0454dd93 DR	600	* is an ancestor directory of path. Returns the length of the longest
	601	* ancestor directory, excluding any trailing slashes, or -1 if no prefix
	602	* is an ancestor. (Note that this means 0 is returned if prefix_list is
	603	* "/".) "/foo" is not considered an ancestor of "/foobar". Directories
	604	* are not considered to be their own ancestors. path must be in a
	605	* canonical form: empty components, or "." or ".." components are not
	606	* allowed. prefix_list may be null, which is like "".
	607	*/
	608	int longest_ancestor_length(const char path, const char prefix_list)
	609	{
	610	char buf[PATH_MAX+1];
	611	const char ceil, colon;
	612	int len, max_len = -1;
	613
	614	if (prefix_list == NULL \|\| !strcmp(path, "/"))
	615	return -1;
	616
	617	for (colon = ceil = prefix_list; *colon; ceil = colon+1) {
43a7ddb5	618	for (colon = ceil; colon && colon != PATH_SEP; colon++);
0454dd93 DR	619	len = colon - ceil;
	620	if (len == 0 \|\| len > PATH_MAX \|\| !is_absolute_path(ceil))
	621	continue;
	622	strlcpy(buf, ceil, len+1);
43a7ddb5 RS	623	if (normalize_path_copy(buf, buf) < 0)
	624	continue;
	625	len = strlen(buf);
	626	if (len > 0 && buf[len-1] == '/')
	627	buf[--len] = '\0';
0454dd93 DR	628
	629	if (!strncmp(path, buf, len) &&
	630	path[len] == '/' &&
	631	len > max_len) {
	632	max_len = len;
	633	}
	634	}
	635
	636	return max_len;
	637	}
4fcc86b0 JS	638
	639	/* strip arbitrary amount of directory separators at end of path */
	640	static inline int chomp_trailing_dir_sep(const char *path, int len)
	641	{
	642	while (len && is_dir_sep(path[len - 1]))
	643	len--;
	644	return len;
	645	}
	646
	647	/*
	648	* If path ends with suffix (complete path components), returns the
	649	* part before suffix (sans trailing directory separators).
	650	* Otherwise returns NULL.
	651	*/
	652	char strip_path_suffix(const char path, const char *suffix)
	653	{
	654	int path_len = strlen(path), suffix_len = strlen(suffix);
	655
	656	while (suffix_len) {
	657	if (!path_len)
	658	return NULL;
	659
	660	if (is_dir_sep(path[path_len - 1])) {
	661	if (!is_dir_sep(suffix[suffix_len - 1]))
	662	return NULL;
	663	path_len = chomp_trailing_dir_sep(path, path_len);
	664	suffix_len = chomp_trailing_dir_sep(suffix, suffix_len);
	665	}
	666	else if (path[--path_len] != suffix[--suffix_len])
	667	return NULL;
	668	}
	669
	670	if (path_len && !is_dir_sep(path[path_len - 1]))
	671	return NULL;
	672	return xstrndup(path, chomp_trailing_dir_sep(path, path_len));
	673	}
34b6cb8b SP	674
	675	int daemon_avoid_alias(const char *p)
	676	{
	677	int sl, ndot;
	678
	679	/*
	680	* This resurrects the belts and suspenders paranoia check by HPA
	681	* done in <435560F7.4080006@zytor.com> thread, now enter_repo()
	682	* does not do getcwd() based path canonicalizations.
	683	*
	684	* sl becomes true immediately after seeing '/' and continues to
	685	* be true as long as dots continue after that without intervening
	686	* non-dot character.
	687	*/
	688	if (!p \|\| (p != '/' && p != '~'))
	689	return -1;
	690	sl = 1; ndot = 0;
	691	p++;
	692
	693	while (1) {
	694	char ch = *p++;
	695	if (sl) {
	696	if (ch == '.')
	697	ndot++;
	698	else if (ch == '/') {
	699	if (ndot < 3)
	700	/* reject //, /./ and /../ */
	701	return -1;
	702	ndot = 0;
	703	}
	704	else if (ch == 0) {
	705	if (0 < ndot && ndot < 3)
	706	/* reject /.$ and /..$ */
	707	return -1;
	708	return 0;
	709	}
	710	else
	711	sl = ndot = 0;
	712	}
	713	else if (ch == 0)
	714	return 0;
	715	else if (ch == '/') {
	716	sl = 1;
	717	ndot = 0;
	718	}
	719	}
	720	}