Commit Graph

6570 Commits

Author SHA1 Message Date
Sergio Costas
c12762a091 GSubprocessLauncher: allow to close passed FDs
By default, when using g_subprocess_launcher_take_fd() to pass an
FD to a child, the GSubprocessLauncher object also takes ownership
of the FD in the parent, and closes it during finalize(). This is
a reasonable assumption in the majority of the cases, but sometimes
it isn't a good idea.

An example is when creating a GSubprocessLauncher in JavaScript:
here, the destruction process is managed by the Garbage Collector,
which means that those sockets will remain opened for some time
after all the references to the object has been droped. This means
that it could be not possible to detect when the child has closed
that same FD, because in order to make that work, both FDs
instances (the one in the parent and the one in the children) must
be closed. This can be a problem in, as an example, a process that
launches a child that communicates with Wayland using an specific
socket (like when using the new API MetaWaylandClient).

Of course, it isn't a valid solution to manually call close() in
the parent process just after the call to spawn(), because the FD
number could be reused in the time between it is manually closed,
and when the object is destroyed and closes again that FD. If that
happens, it will close an incorrect FD.

One solution could be to call run_dispose() from Javascript on the
GSubprocessLauncher object, to force freeing the resources.
Unfortunately, the current code frees them in the finalize()
method, not in dispose() (this is fixed in !1670 (merged) ) but it
isn't a very elegant solution.

This proposal adds a new method, g_subprocess_launcher_close(),
that allows to close the FDs passed to the child. To avoid problems,
after closing an FD with this method, no more spawns are allowed.

Fix: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1677
2020-10-12 20:29:48 +02:00
Cristian Rodríguez
35bb69bc47 gsocketclient: set IP_BIND_ADDRESS_NO_PORT if binding to local address
The linux kernel does not know that the socket will be used
for connect or listen and if you bind() to a local address it must
reserve a random port (if port == 0) at bind() time, making very easy
to exhaust the ~32k port range, setting IP_BIND_ADDRESS_NO_PORT tells
the kernel to choose random port at connect() time instead, when the
full 4-tuple is known.
2020-10-09 09:44:05 +01:00
Sebastian Dröge
5d97eb9094 Merge branch '2203-fstatat-macos' into 'master'
glocalfileinfo: Fix use of fstatat() on macOS < 10.10

Closes #2203

See merge request GNOME/glib!1684
2020-10-07 13:47:13 +00:00
Philip Withnall
1538a89b11 Merge branch 'close_subprocess_parent_fds_on_dispose' into 'master'
GSubprocessLauncher: Move cleanup to dispose()

See merge request GNOME/glib!1670
2020-10-06 11:41:35 +00:00
Philip Withnall
74756a87fa glocalfileinfo: Fix use of fstatat() on macOS < 10.10
`g_local_file_fstatat()` needs to fall back to returning an error if
`fstatat()` isn’t defined, which is the case on older versions of macOS
(as well as Windows, which was already handled). Callers shouldn’t call
`g_local_file_fstatat()` in these cases. (That’s already the case.)

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2203
2020-10-06 10:26:38 +01:00
Maxim Mikityanskiy
094eca7076 gio: Expose g_file_build_attribute_list_for_copy
Expose a function that prepares an attribute query string to be passed
to g_file_query_info() to get a list of attributes normally copied with
the file. This function is used by the implementation of
g_file_copy_attributes, and it's useful if one needs to split
g_file_copy_attributes into two stages, for example, when nautilus does
a recursive move of a directory. When files are moved from the source
directory, its modification time changes. To preserve the mtime on the
destination directory, it has to be queried before moving files and set
after doing it, hence these two stages.

Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
2020-10-06 10:16:49 +01:00
Sergio Costas
605cff61da GSubprocessLauncher: Move cleanup to dispose()
The GSubprocessLauncher class lacks a dispose() method, and frees
all their resources in the finalize() method.

This is a problem with Javascript because the sockets passed to a
child process using g_subprocess_launcher_take_fd() aren't closed
in the parent space until the object is fully freed. This means
that if the child closes a socket, it won't be detected until the
GSubprocessLauncher object has been freed by the garbage
collector.

Just closing the socket externally is not a valid solution,
because the finalize() method will close it again, and since
another file/pipe/socket could have been opened in the meantime
and use the same FD number, the finalize() method would close
an incorrect FD.

An example is launching a child process that uses its own
socket for Wayland: the parent creates two sockets with
socketpair(), passes one to the Wayland API (wl_client_create()),
and the other is passed to the child process using
g_subprocess_launcher_take_fd(). But now there are two instances
of that second socket: one in the parent, and another one in the
child process. That means that, if the child closes its socket (or
dies), the Wayland server will not detect that until the
GSubprocessLauncher object is fully destroyed. That means that a
GSubprocessLauncher created in Javascript will last for several
seconds after the child dies, and every window or graphical element
will remain in the screen until the Garbage Collector destroys the
GSubprocessLauncher object.

This patch fixes this by moving the resource free code into a
dispose() method, which can be called from Javascript. This allows
to ensure that any socket passed to the child with
g_subprocess_launcher_take_fd() can be closed even from Javascript
just by calling the method run_dispose().

Fix https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1670
2020-10-02 22:55:07 +02:00
Philip Withnall
37d04c2f6b Merge branch 'appinfo-shellany' into 'master'
GWin32AppInfo: Support verbs other than "open"

See merge request GNOME/glib!1502
2020-10-01 16:37:36 +00:00
Руслан Ижбулатов
106e78af97 GWin32AppInfo: Support verbs other than "open"
This combines a massive code re-folding with functionlity expansion
that allows us to track multiple verbs per handler or per application.

Also fixes a few issues and removes a function that made no sense.
2020-10-01 17:18:03 +01:00
Руслан Ижбулатов
b01521b4cd gwin32registrykey: Fix returning subkey_name in subkey_iter_get_name() 2020-10-01 17:18:03 +01:00
Patrick Griffis
f9fc29f0b7 gtlscertificate: Add support for PKCS #11 backed certificates
This reverts commit d58e5de9e9.
2020-10-01 17:09:04 +01:00
Simon McVittie
38a2aed5f0 GDBus: Use G_DBUS_METHOD_INVOCATION_HANDLED in method implementations
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-10-01 16:32:50 +01:00
Simon McVittie
d65c8c30a9 GDBus: Add G_DBUS_METHOD_INVOCATION_HANDLED, _UNHANDLED
Like G_SOURCE_REMOVE and G_SOURCE_CONTINUE, these make it clearer what
it means to return TRUE or FALSE.

In particular, in GDBus methods that fail, the failure case still needs
to return TRUE (unlike the typical GError pattern), leading to comments
like this:

    g_dbus_method_invocation_return_error (invocation, ...);
    return TRUE;    /* handled */

which can now be replaced by:

    g_dbus_method_invocation_return_error (invocation, ...);
    return G_DUS_METHOD_INVOCATION_HANDLED;

G_DBUS_METHOD_INVOCATION_UNHANDLED is added for symmetry, but is very
rarely (perhaps never?) useful in practice.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-10-01 16:32:50 +01:00
Simon McVittie
500d065f3d GDBus tests: Use G_SOURCE_REMOVE, G_SOURCE_CONTINUE
The meaning of the boolean result of a GSource function is clearer if
we use these aliases.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-10-01 16:32:50 +01:00
Philip Withnall
854abcd1af Merge branch 'optdeps' into 'master'
Make libelf dependency optional via meson feature

See merge request GNOME/glib!1650
2020-10-01 13:47:36 +00:00
Niklas Gürtler
aa0e120174 Make libelf dependency optional via meson feature 2020-10-01 13:47:36 +00:00
Philip Withnall
b43fb9cbfb guri: Fix URI scope parsing
The previous parsing code could read off the end of a URI if it had an
incorrect %-escaped character in.

Fix that, and more closely implement parsing for the syntax defined in
RFC 6874, which is the amendment to RFC 3986 which specifies zone ID
syntax.

This requires reworking some network-address tests, which were
previously treating zone IDs incorrectly.

oss-fuzz#23816

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-09-30 19:39:30 +01:00
Peter Bloomfield
a3b5e188aa gthreadedresolver: Fix logic in parse_res_text()
and avoid a sign-compare warning.

Fixes #2209
2020-09-26 11:11:44 -04:00
Philip Withnall
f2df054673 Merge branch 'wip/oholy/trash-recursion' into 'master'
gio-tool-trash: Prevent recursion to speed up emptying trash

See merge request GNOME/glib!1654
2020-09-24 05:59:43 +00:00
Ondrej Holy
f474ec1f72 gio-tool-trash: Prevent recursion to speed up emptying trash
Emptying trash over `gio trash` is a bit slow in comparison to plain
`rm -r`. On my system, it took about 3 min to empty the trash with a
folder containing 600 000 files, which is not ideal as `rm -r` call
took just a few seconds. I found that `g_file_delete` is implemented
differently for locations provided by the trash backend. The trash
backend prevents modifications of trashed content thus the delete
operation is allowed only for the top-level files and folders. So it
is not necessary to recursive delete all files as the permission
denied error is returned anyway. Let's call `g_file_delete` only for
top-level items, which reduces the time necessary for emptying trash
from minutes to seconds...

See: https://gitlab.gnome.org/GNOME/nautilus/-/issues/1589
2020-09-23 15:35:47 +02:00
Philip Withnall
af0b0e98da Merge branch 'trash-portal-error' into 'master'
trash portal: Handle portal failures

See merge request GNOME/glib!1652
2020-09-23 09:36:32 +00:00
Ryan Gonzalez
88032cb541 trash portal: Handle portal failures
Previously, only whether or not the D-Bus call itself succeeded was
checked, regardless of the result code from the actual trash operation.
2020-09-15 18:06:56 -05:00
Simon McVittie
642baa50fa glocalfile: Never require G_LOCAL_FILE_STAT_FIELD_ATIME
Some filesystems don't have meaningful access times under at least some
circumstances (see #2189, #2205). In this situation the traditional stat()
and related kernel interfaces have to put something meaningless in the
st_atime field, and have no way to signal that it is meaningless.

However, statx() does have a way to signal that the atime is meaningless:
if the filesystem doesn't provide a useful access time, it will unset
the STATX_ATIME bit (as well as filling in the same meaningless value
for the stx_atime field that stat() would have used, for compatibility).
We don't actually *need* the atime, so never include it in the required
mask. This was already done for one code path in commit 6fc143bb
"gio: Allow no atime from statx" to fix #2189, but other callers were
left unchanged in that commit, and receive the same change here.

It is not actually guaranteed that *any* of the flags in the
returned stx_mask will be set (the only guarantee is that items in
STATX_BASIC_STATS have at least a harmless compatibility value, even if
their corresponding flag is cleared), so it might be better to follow
this up by removing the concept of the required mask entirely. However,
as of Linux 5.8 it looks as though STATX_ATIME is the only flag in
STATX_BASIC_STATS that might be cleared in practice, so this simpler
change fixes the immediate regression.

Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2205
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-09-15 10:09:46 +01:00
Philip Withnall
c3eda78ada Merge branch '2194-winhttp-file-display-name' into 'master'
gwinhttpfile: Set display-name attribute on file info

Closes #2194

See merge request GNOME/glib!1644
2020-09-11 09:49:04 +00:00
Philip Withnall
6f9b379c08 gwinhttpfile: Set display-name attribute on file info
It is not allowed to be `NULL` or unset if requested by the file
attribute matcher. Derive it from the basename. This doesn’t handle the
situation of a failed UTF-16 to UTF-8 conversion very well, but will at
least return something.

Note that the `g_filename_display_basename()` function can’t be used as
`GWinHttpFile` provides its URI in UTF-16 rather than in the file system
encoding.

This fixes a crash when using GIMP on Windows. Thanks to lillolollo for
in-depth debugging assistance.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #2194
2020-09-10 14:14:32 +01:00
Simon McVittie
92183fb703 gdbusauthmechanismsha1: Use the same timeouts as libdbus
For interoperability with libdbus, we want to use compatible timeouts.
In particular, this fixes a spurious failure of the `gdbus-server-auth`
test caused by libdbus and gdbus choosing to expire the key (cookie) at
different times, as diagnosed by Thiago Macieira. Previously, the libdbus
client would decline to use keys older than 7 minutes, but the GDBus
server would not generate a new key until the old key was 10 minutes old.

For completeness, also adjust the other arbitrary timeouts in the
DBUS_COOKIE_SHA1 mechanism to be the same as in libdbus. To make it
easier to align with libdbus, create internal macros with the same names
and values used in dbus-keyring.c.

* maximum time a key can be in the future due to clock skew between
  systems sharing a home directory
  - spec says "a reasonable time in the future"
  - was 1 day
  - now 5 minutes
  - MAX_TIME_TRAVEL_SECONDS

* time to generate a new key if the newest is older
  - spec says "If no recent keys remain, the server may generate a new
    key", but that isn't practical, because in reality we need a grace
    period during which an old key will not be used for new authentication
    attempts but old authentication attempts can continue (in practice both
    libdbus and GDBus implemented this logic)
  - was 10 minutes
  - now 5 minutes
  - NEW_KEY_TIMEOUT_SECONDS

* time to discard old keys
  - spec says "the timeout can be fairly short"
  - was 15 minutes
  - now 7 minutes
  - EXPIRE_KEYS_TIMEOUT_SECONDS

* time allowed for a client using an old key to authenticate, before
  that key gets deleted
  - was at least 5 minutes
  - now at least 2 minutes
  - at least (EXPIRE_KEYS_TIMEOUT_SECONDS - NEW_KEY_TIMEOUT_SECONDS)

Based on a merge request by Philip Withnall.

Fixes: #2164
Thanks: Philip Withnall
Thanks: Thiago Macieira
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-09-07 11:29:06 +01:00
Philip Withnall
30a31b21fb gcancellable: Mark a variable as unused if built with G_DISABLE_ASSERT
It’s only used in an assertion. This fixes a compiler warning.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-09-01 12:23:19 +01:00
Carlos Garnacho
cf85241aba tests: Add splice cancellation test
This doesn't trigger the cancellation assertion issue when run locally
(the task didn't return yet, so the error is simply overwritten), but
perhaps it ever does in CI. Anyhow, it's good to have a cancellation
test.
2020-08-28 11:38:51 +02:00
Carlos Garnacho
c033450f93 goutputstream: Check individual close operations after splice
After a splice operation is finished, it attempts to 1) close input/output
streams, as per the given flags, and 2) return the operation result (maybe
an error, too).

However, if the operation gets cancelled early and the streams indirectly
closed, the splice operation will try to close both descriptors and return
on the task when both are already closed. The catch here is that getting the
streams closed under its feet is possible, so the completion callback would
find both streams closed after returning on the first close operation and
return the error, but then the second operation could be able to trigger
a second error which would be returned as well.

What happens here is up to further race conditions, if the task didn't
return yet, the returned error will be simply replaced (but the old one not
freed...), if it did already return, it'll result in:

GLib-GIO-FATAL-CRITICAL: g_task_return_error: assertion '!task->ever_returned' failed

Fix this by flagging the close_async() callbacks, and checking that both
close operations did return, instead of checking that both streams are
closed by who knows.

This error triggers a semi-frequent CI failure in tracker, see the summary at
https://gitlab.gnome.org/GNOME/tracker/-/issues/240
2020-08-28 11:22:14 +02:00
Philip Withnall
9674d14175 Merge branch 'g_settings_new' into 'master'
gio: Document g_settings_new() missing schema behaviour

See merge request GNOME/glib!1626
2020-08-24 09:02:43 +00:00
Chris Mayo
dc1a1b841c gio: Document g_settings_new() missing schema behaviour
Explain what happens, the rationale and reference another
function that may be helpful.
2020-08-24 09:02:43 +00:00
Valentin David
6fc143bba8
gio: Allow no atime from statx
statx does not provide stx_atime when querying a file in a read-only
mounted file system. So call to statx should not expect it to be in
the mask. Otherwise we would fail with ERANGE for querying any file in
a read-only file system.

Fixes #2189.
2020-08-23 16:41:17 +02:00
Sebastian Dröge
24af98e0ee Merge branch 'cancellable-pollfd' into 'master'
gcancellable: Assert that make_pollfd() call succeeds

See merge request GNOME/glib!1623
2020-08-18 10:35:16 +00:00
Sebastian Dröge
009791b614 Merge branch 'dbus-uint-checks' into 'master'
gdbusmessage: Drop redundant uint ≥ 0 checks

See merge request GNOME/glib!1625
2020-08-18 10:25:18 +00:00
Sebastian Dröge
5271b67e37 Merge branch 'dbus-address-null-check' into 'master'
gdbusaddress: Drop an unnecessary NULL check

See merge request GNOME/glib!1624
2020-08-18 10:13:04 +00:00
Philip Withnall
a110ca920a gcancellable: Assert that make_pollfd() call succeeds
The `make_pollfd()` call can’t fail because it only does so if
`cancellable == NULL`, and we’ve already checked that. Assert that’s the
case, to shut Coverity up and to catch behavioural changes in future.

Coverity CID: #1159433
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-08-18 11:08:51 +01:00
Nirbheek Chauhan
0b0b9bfda0 Merge branch 'windows-netreset' into 'master'
gioerror: Map WSAENETRESET on Windows to G_IO_ERROR_CONNECTION_CLOSED

See merge request GNOME/glib!1616
2020-08-18 09:46:36 +00:00
Philip Withnall
7afd4071d6 gdbusmessage: Drop redundant uint ≥ 0 checks
They are always true.

Coverity CID: #1430645, #1430674, #1430884, #1430974
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-08-18 10:39:46 +01:00
Philip Withnall
9664ff15ac gdbusaddress: Drop an unnecessary NULL check
`g_strsplit()` never returns `NULL`, although it can return an empty
strv (i.e. with its first element being `NULL`).

Drop a redundant `NULL` check.

Coverity CID: #1430976
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-08-18 10:36:26 +01:00
Sebastian Dröge
fb6da5677b Merge branch 'wip/pwithnall/coverity' into 'master'
CI support for Coverity Scan

See merge request GNOME/glib!1593
2020-08-17 11:57:24 +00:00
Philip Withnall
a396fa9027 Merge branch 'statx' into 'master'
Add support for Linux statx stx_btime

Closes #1970

See merge request GNOME/glib!1310
2020-08-17 11:49:05 +00:00
Andre Miranda
18aaf33cf1 glocalfileinfo: Support STX_BTIME for G_FILE_ATTRIBUTE_TIME_CREATED
If `statx()` is supported, query it for the file creation time and use
that if returned.

Incorporating some minor code rearrangement by Philip Withnall
<withnall@endlessm.com>.

Fixes: #1970
2020-08-17 12:33:05 +01:00
Andre Miranda
60eefd4de9 glocalfileinfo: Add statx() support
This currently just implements the same functionality as the existing
`stat()`/`fstat()`/`fstatat()`/`lstat()` calls, although where a reduced
field set is requested it may return faster.

Helps: #1970
2020-08-17 12:33:05 +01:00
Alexander Larsson
4cf95e3904 Ensure g_subprocess_communicate_async() never blocks
It turns out that our async write operation implementation is broken
on non-O_NONBLOCK pipes, because the default async write
implementation calls write() after poll() said there were some
space. However, the semantics of pipes is that unless O_NONBLOCK is set
then the write *will* block if the passed in write count is larger than
the available space.

This caused a deadlock in https://gitlab.gnome.org/GNOME/glib/-/issues/2182
due to the loop-back of the app stdout to the parent, but even without such
a deadlock it is a problem that we may block the mainloop at all.

In the particular case of g_subprocess_communicate() we have full
control of the pipes after starting the app, so it is safe to enable
O_NONBLOCK (i.e. we can ensure all the code using the fd after this can handle
non-blocking mode).

This fixes https://gitlab.gnome.org/GNOME/glib/-/issues/2182
2020-08-17 12:57:24 +02:00
Sebastian Dröge
a8acbba46a gioerror: Map WSAENETRESET on Windows to G_IO_ERROR_CONNECTION_CLOSED
This has almost the same semantics as WSAECONNRESET and for all
practical purposes is handled the same. The main difference is about
*who* reset the connection: the peer or something in the network.

For UDP sockets this happens when receiving packets and previously sent
packets returned an ICMP "Time(-to-live) expired" message. This is
similar to WSAECONNRESET, which on UDP sockets happens when receiving
packets and previously sent packets returned an ICMP "Port Unreachable"
message.
2020-08-17 13:14:46 +03:00
Andre Miranda
622806d5cf glocalfileinfo: Add support for optional/required fields in stat bufs
This is a step towards supporting `statx()`, which allows the set of
fields it returns to be specified by the caller. Currently, the existing
`stat()` and `fstat()` calls continue to be made, and there are no
behavioural changes — but the new wrapper functions will be extended in
future.

Helps: #1970
2020-08-14 17:30:11 +01:00
Andre Miranda
8edbfe8bb0 glocalfileinfo: Use accessors to access struct stat members
This will allow the actual struct in use to be changed in future without
code changes everywhere.

Helps: #1970
2020-08-14 17:30:11 +01:00
James Westman
2ec4e05733 docs: glib-compile-resources: json-stripblanks
Document the `json-stripblanks` preprocessing option for .gresource.xml files.
2020-08-13 08:07:51 +00:00
Sebastian Dröge
e4f4a40fb4 Merge branch 'file-delete-docs' into 'master'
gfile: Document TOCTTOU avoidance using g_file_delete()

See merge request GNOME/glib!1613
2020-08-12 10:00:12 +00:00
Philip Withnall
373c54a52c gfile: Document TOCTTOU avoidance using g_file_delete()
Don’t call `g_file_query_exists()` followed by `g_file_delete()`. Just
call `g_file_delete()` and check the error.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-08-12 10:48:28 +01:00