Commit Graph

72 Commits

Author SHA1 Message Date
Maciej S. Szmigiero
8f8ebb1bd0 g_mkstemp: Use O_CLOEXEC for race-free setting of the close-on-exec flag
mkstemp-like family of functions also use g_open () under the hood so
they should pass the O_CLOEXEC flag there for race-free setting of the
close-on-exec flag.
2023-02-22 00:38:13 +01:00
Maciej S. Szmigiero
3f2e18b07c Use O_CLOEXEC in {g_,}open () calls for race-free setting of the close-on-exec flag
The remaining call sites are either Windows-only, between fork () and
exec () or in xdgmime copylib.

Hope I haven't missed any site.
2023-02-21 12:42:55 +00:00
Marco Trevisan (Treviño)
2401e1a090 glocalfileoutputstream: Do not double-close an fd on unlink error
In case we fail unlinking a file we could close again an FD that has
been already just closed. So avoid this by unsetting it when closing.

Coverity CID: #1474462
2022-09-16 15:11:47 +02:00
Philip Withnall
5942cd7984 gio: Add SPDX license headers automatically
Add SPDX license (but not copyright) headers to all files which follow a
certain pattern in their existing non-machine-readable header comment.

This commit was entirely generated using the command:
```
git ls-files gio/*.[ch] | xargs perl -0777 -pi -e 's/\n \*\n \* This library is free software; you can redistribute it and\/or\n \* modify it under the terms of the GNU Lesser General Public/\n \*\n \* SPDX-License-Identifier: LGPL-2.1-or-later\n \*\n \* This library is free software; you can redistribute it and\/or\n \* modify it under the terms of the GNU Lesser General Public/igs'
```

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #1415
2022-05-18 09:18:52 +01:00
Loic Le Page
d0dfc76554 Fix redefinition of local variable and non-initialized variable in gio/glocalfileoutputstream.c 2022-03-09 17:18:03 +01:00
Philip Withnall
b1ebb72522 glocalfileoutputstream: Fix ETag check when replacing through a symlink
Since commit 87e19535fe, the ETag check when writing out a file through
a symlink (following the symlink) has been incorrectly using the ETag
value of the symlink, rather than the target file. This is incorrect
because the ETag should represent the file content, not its metadata or
links to it.

Fix that, and add a unit test.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2417
2021-06-07 12:44:52 +01:00
Philip Withnall
c4b4fecaef glocalfileoutputstream: Tidy up error handling
After the recent reworking of this code it was possible for `g_close()`
to be called on `fd == -1`, which is invalid. It would have reported an
error, were errors not ignored. So it was harmless, but still best to
fix.

Simplify the error handling by combining both error labels and checking
the state of `fd` dynamically.

Coverity CID: #1450834

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-03-16 11:36:27 +00:00
Philip Withnall
ac505e88c4 glocalfileoutputstream: Add a missing O_CLOEXEC flag to replace()
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-03-10 17:55:51 +00:00
Philip Withnall
87e19535fe glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION with symlinks
The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking
the destination file and re-creating it from scratch. That did
previously work, but in the process the code would call `open(O_CREAT)`
on the file. If the file was a dangling symlink, this would create the
destination file (empty). That’s not an intended side-effect, and has
security implications if the symlink is controlled by a lower-privileged
process.

Fix that by not opening the destination file if it’s a symlink, and
adjusting the rest of the code to cope with
 - the fact that `fd == -1` is not an error iff `is_symlink` is true,
 - and that `original_stat` will contain the `lstat()` results for the
   symlink now, rather than the `stat()` results for its target (again,
   iff `is_symlink` is true).

This means that the target of the dangling symlink is no longer created,
which was the bug. The symlink itself continues to be replaced (as
before) with the new file — this is the intended behaviour of
`g_file_replace()`.

The behaviour for non-symlink cases, or cases where the symlink was not
dangling, should be unchanged.

Includes a unit test.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2325
2021-03-10 17:55:51 +00:00
Philip Withnall
a5f1f1e47c glocalfileoutputstream: Factor out a flag check
This clarifies the code a little. It introduces no functional changes.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-03-10 16:05:55 +00:00
Philip Withnall
d523ed4543 glocalfileoutputstream: Fix a typo in a comment
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-03-10 16:02:35 +00:00
Andre Miranda
60eefd4de9 glocalfileinfo: Add statx() support
This currently just implements the same functionality as the existing
`stat()`/`fstat()`/`fstatat()`/`lstat()` calls, although where a reduced
field set is requested it may return faster.

Helps: #1970
2020-08-17 12:33:05 +01:00
Andre Miranda
622806d5cf glocalfileinfo: Add support for optional/required fields in stat bufs
This is a step towards supporting `statx()`, which allows the set of
fields it returns to be specified by the caller. Currently, the existing
`stat()` and `fstat()` calls continue to be made, and there are no
behavioural changes — but the new wrapper functions will be extended in
future.

Helps: #1970
2020-08-14 17:30:11 +01:00
Andre Miranda
8edbfe8bb0 glocalfileinfo: Use accessors to access struct stat members
This will allow the actual struct in use to be changed in future without
code changes everywhere.

Helps: #1970
2020-08-14 17:30:11 +01:00
Philip Withnall
ea2db92034 glocalfileoutputstream: Use g_fsync() for platform-independence
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-07-26 21:38:17 +01:00
Marc-André Lureau
fd61a21ecd Add and use G_SIZEOF_MEMBER() macro
A convenient macro present in the Linux kernel, named FIELD_SIZE() there.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2020-01-21 19:54:55 +04:00
Philip Withnall
5dd5269126 glocalfileoutputstream: Only pass file mode, not type, to chmod()
chmod() technically only accepts file modes, not the file type and mode
as returned by stat(). Filter by `S_IFMT` to avoid sending the file
type (regular file, directory, symbolic link, etc.).

In practice, chmod() ignores anything except the file mode, but we might
as well comply with the specification.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-09-30 14:40:55 +01:00
Sebastian Dröge
20a2c379c4 Clamp number of vectors to IOV_MAX / UIO_MAXIOV for GOutputStream writev() calls in the implementations
More vectors will give an error and we can simply clamp here and
consider it like a short write instead.

In case of GSocketOutputStream this is done here instead of inside
GSocket before calling sendmsg() because we we can't generically handle
short writes when sending messages on a socket, e.g. for datagram
sockets this causes only part of the datagram to be sent and an error
would be more useful in this case than sending corrupted data.

Also reduce the fallback limit to 16 in gsocket.c as that's the minimum
value required by POSIX and add a static assertion that the limit is
never bigger than G_MAXINT as that's the type recvmmsg/sendmmsg take.
2019-05-31 12:51:59 +03:00
Sebastian Dröge
c39264d35b Implement GOutputStream::writev_fn() for GLocalFileOutputStream on UNIX 2019-01-24 16:25:40 +02:00
Руслан Ижбулатов
53bd6a359f W32: Add a stat() implementation for private use
This commit adds new W32-only functions to gstdio.c,
and a new header file, gstdioprivate.h.
These functions are:
g_win32_stat_utf8()
g_win32_lstat_utf8()
g_win32_fstat()
and they fill a private structure, GWin32PrivateStat,
which has all the fields that normal stat has, as well as some
extras.

These functions are then used throughout glib and gio to get better
data about the system. Specifically:
* Full, 64-bit size, guaranteed (g_stat() is forced to use 32-bit st_size)
* Full, 64-bit file identifier (st_ino is 0 when normal stat() is used, and still is)
* W32 File attributes (which stat() doesn't report); in particular, this allows
  symlinks to be correctly identified
* Full, 64-bit time, guaranteed (g_stat() uses 32-bit st_*time on 32-bit Windows)
* Allocated file size (as a W32 replacement for the missing st_blocks)

st_mode remains unchanged (thus, no S_ISLNK), so when these are given back to
glib users (via g_stat(), for example, which is now implemented by calling g_win32_stat_utf8),
this field does not contain anything unexpected.

g_lstat() now calls g_win32_lstat_utf8(), which works on symlinks the way it's supposed to.

Also adds the g_win32_readlink_utf8() function, which behaves like readlink()
(including its inability to return 0-terminated strings and inability to say how large
the output buffer should be; these limitations are purely for compatibility with
existing glib code).

Thus, symlink support should now be much better, although far from being complete.

A new W32-only test in gio/tests/file.c highlights the following features:
* allocated size
* 64-bit time
* unique file IDs

https://bugzilla.gnome.org/show_bug.cgi?id=788180
2017-11-01 12:46:38 +00:00
Philip Withnall
5cddde1fb2 Consistently save errno immediately after the operation setting it
Prevent the situation where errno is set by function A, then function B
is called (which is typically _(), but could be anything else) and it
overwrites errno, then errno is checked by the caller.

errno is a horrific API, and we need to be careful to save its value as
soon as a function call (which might set it) returns. i.e. Follow the
pattern:
  int errsv, ret;
  ret = some_call_which_might_set_errno ();
  errsv = errno;

  if (ret < 0)
    puts (strerror (errsv));

This patch implements that pattern throughout GLib. There might be a few
places in the test code which still use errno directly. They should be
ported as necessary. It doesn’t modify all the call sites like this:
  if (some_call_which_might_set_errno () && errno == ESOMETHING)
since the refactoring involved is probably more harmful than beneficial
there. It does, however, refactor other call sites regardless of whether
they were originally buggy.

https://bugzilla.gnome.org/show_bug.cgi?id=785577
2017-08-03 10:21:13 +01:00
Ting-Wei Lan
45d4b59e3f glocalfileoutputstream: Fix symlink writing on FreeBSD and NetBSD
FreeBSD, DragonflyBSD and NetBSD support O_NOFOLLOW, but they use error
numbers that are different from what POSIX standard specifies. They are
not going to change the behavior, and existing programs on these systems
already take advantage of this difference. To support them, we have to
add a check in GIO to use different error numbers on these systems.

https://bugzilla.gnome.org/show_bug.cgi?id=775593
2017-06-10 20:55:12 +08:00
Sébastien Wilmet
3bf4a720c3 gio/: LGPLv2+ -> LGPLv2.1+
Sub-directories inside gio/ already processed in a previous commit:
- fam/
- gdbus-2.0/ (which contains only codegen/)
- gvdb/
- inotify/
- tests/
- win32/
- xdgmime/

Other sub-directories inside gio/:
- completion/: no license headers
- kqueue/: not LGPL, BSD-style license

https://bugzilla.gnome.org/show_bug.cgi?id=776504
2017-05-29 19:53:34 +02:00
Piotr Drąg
10c490cdfe Use Unicode in translatable strings
See https://developer.gnome.org/hig/stable/typography.html

https://bugzilla.gnome.org/show_bug.cgi?id=772221
2016-10-12 21:30:42 +02:00
Philip Withnall
fadd00c708 glocalfileoutputstream: Drop unnecessary (void) return value casts
g_close() does not have G_GNUC_WARN_UNUSED_RESULT, so these casts are
unnecessary.
2016-06-16 14:45:21 -04:00
Philip Withnall
16d674411f glocalfileoutputstream: Fix an FD leak in an error path
If a backup file is created, opened successfully, then fstat() on it
fails (perhaps due to another process deleting it in the mean time?),
the FD will be leaked.

Coverity issue: #1159485

https://bugzilla.gnome.org/show_bug.cgi?id=730187
2016-06-16 14:39:05 -04:00
Daniel Mustieles
078dbda148 Updated FSF's address 2014-01-31 14:31:55 +01:00
Dan Winship
158dde0507 Replace #ifdef HAVE_UNISTD_H checks with #ifdef G_OS_UNIX
In Windows development environments that have it, <unistd.h> is mostly
just a wrapper around several other native headers (in particular,
<io.h>, which contains read(), close(), etc, and <process.h>, which
contains getpid()). But given that some Windows dev environments don't
have <unistd.h>, everything that uses those functions on Windows
already needed to include the correct Windows header as well, and so
there is never any point to including <unistd.h> on Windows.

Also, remove some <unistd.h> includes (and a few others) that were
unnecessary even on unix.

https://bugzilla.gnome.org/show_bug.cgi?id=710519
2013-11-20 09:25:39 -05:00
Dan Winship
3981cddbf8 Require POSIX.1 (1990) compliance on unix
Assume unix platforms support the original POSIX.1 standard.
Specifically, assume that if G_OS_UNIX, then we have chown(),
getcwd(), getgrgid(), getpwuid(), link(), <grp.h>, <pwd.h>,
<sys/types.h>, <sys/uio.h>, <sys/wait.h>, and <unistd.h>.

Additionally, since all versions of Windows that we care about also
have <sys/types.h>, we can remove HAVE_SYS_TYPES_H checks everywhere.

Also remove one include of <sys/times.h>, and the corresponding
configure check, since the include is not currently needed (and may
always have just been a typo for <sys/time.h>).

https://bugzilla.gnome.org/show_bug.cgi?id=710519
2013-11-20 09:17:42 -05:00
Emmanuele Bassi
54cc43630d Rename the generated private data getter function
As it turns out, we have examples of internal functions called
type_name_get_private() in the wild (especially among older libraries),
so we need to use a name for the per-instance private data getter
function that hopefully won't conflict with anything.
2013-06-24 15:43:04 +01:00
Emmanuele Bassi
32747def4b gio: Use the new private instance data declaration
Use the newly added macros, and remove the explicit calls to
g_type_class_add_private().

https://bugzilla.gnome.org/show_bug.cgi?id=700035
2013-06-24 14:18:01 +01:00
Colin Walters
9f1a0b57cd Ensure g_file_copy() does not temporarily expose private files
Previously, g_file_copy() would (on Unix) create files with the
default mode of 644.  For applications which might at user request
copy arbitrary private files such as ~/.ssh or /etc/shadow, a
world-readable copy would be temporarily exposed.

This patch is suboptimal in that it *only* fixes g_file_copy()
for the case where both source and destination are instances of
GLocalFile on Unix.

The reason for this is that the public GFile APIs for creating files
allow very limited control over the access permissions for the created
file; one can either say a file is "private" or not.  Fixing
this by adding e.g. g_file_create_with_attributes() would make sense,
except this would entail 8 new API calls for all the variants of
_create(), _create_async(), _replace(), _replace_async(),
_create_readwrite(), _create_readwrite_async(), _replace_readwrite(),
_replace_readwrite_async().  That can be done as a separate patch
later.

https://bugzilla.gnome.org/show_bug.cgi?id=699959
2013-06-05 19:00:20 +01:00
Colin Walters
7fc2ab9493 GLocalFileOutputStream: Further deduplicate error code path
Just code cleanup.

https://bugzilla.gnome.org/699959
2013-05-23 23:11:58 +01:00
Colin Walters
5e65cd4e51 GLocalFileOutputStream: Deduplicate stream creation code
Lots of copy/paste of the error handling path, let's deduplicate
so I can sanely patch this code later.

https://bugzilla.gnome.org/699959
2013-05-23 23:10:44 +01:00
Colin Walters
f398bec5bc Add g_close(), use it
There are two benefits to this:

1) We can centralize any operating system specific knowledge of
   close-vs-EINTR handling.  For example, while on Linux we should never
   retry, if someone cared enough later about HP-UX, they could come by
   and change this one spot.
2) For places that do care about the return value and want to provide
   the caller with a GError, this function makes it convenient to do so.

Note that gspawn.c had an incorrect EINTR loop-retry around close().

https://bugzilla.gnome.org/show_bug.cgi?id=682819
2013-01-29 09:46:04 -05:00
Dan Winship
afdb2abb13 gio: Don't leak the temp file when g_file_replace() fails or is cancelled
If the temp file still exists at the end of the close operation,
unlink it.

https://bugzilla.gnome.org/show_bug.cgi?id=629301
2012-12-10 17:04:05 +01:00
Thomas Hindoe Paaboel Andersen
721667399a GFile: add g_file_new_temp
A convenience function that creates a temporary file and returns
a GFile and GFileIOStream for it.

The file is created using g_file_open_tmp.

https://bugzilla.gnome.org/show_bug.cgi?id=657085
2011-12-09 08:58:05 -05:00
Federico Mena Quintero
571185f0f6 bgo#640212 - Replace "error stating file" with friendlier messages
Non-technical users won't know that "stating" refers to stat(2), so we
just use "error when getting information" now.

Signed-off-by: Federico Mena Quintero <federico@gnome.org>
2011-09-08 09:11:56 -05:00
Kean Johnston
8b50e2f547 GLocalFile: Use _fstati64 rather than stat on Win32
We want this to get 64bit timestamps and file lenghts.
2011-04-15 10:15:04 +02:00
Ryan Lortie
5b946e0504 gio/: fully remove gioalias hacks 2010-07-07 19:53:22 -04:00
Tor Lillqvist
efb1a054b0 Fix build with the Microsoft compiler
Correct a few gccisms and C99isms. Ensure the Windows-specific gio
source files are listed in the generated gio VS project file.
2010-06-22 12:22:46 +03:00
David Zeuthen
366b3ffcde Bug 619142 – Build fixes
- Fix various #include issues

 - Change #error to #warning for the EXTERNAL authentication mechanism.
   It is not clear if this should work on Win32 at all.

 - Call close() before unlink() for the SHA1 keyring

 - Change #error to #warning so we don't forget to do
   permission checking of the .dbus-keyrings directory

 - Use Win32 SID for the SHA1 auth mech

 - Apparently we can't use word 'interface' as an identifier

 - Implement a _g_dbus_win32_get_user_sid() function. For now it's
   private. Don't know if it should be public somewhere. Maybe in
   a future GCredentials support for Win32? I don't know.

 - GFileDescriptorBased is not available on Win32. So avoid using
   it in GLocalFile stuff. Now, Win32 still uses GLocalFile + friends
   (which works with file descriptors) so expose a private function
   to get the fd for an OutputStream so things still work.

 - Fixup gio.symbols

 - Fixup tests/gdbus-peer.c so it builds

With this, at least things compile and the gdbus-peer.exe test case
passes. Which is a great start. I've tested this by cross-compiling on
a x86_64 Fedora 13 host using mingw32 and running the code on a 32-bit
Windows 7 box.

https://bugzilla.gnome.org/show_bug.cgi?id=619142

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-05-20 10:53:08 -04:00
Christian Kellner
28f90db1ed GLocalFileOutputStream: Implement GFileDescriptorBased
Also convert GLocalFileIOStream to use the new interface to obtain
the file descriptor.
2010-02-15 13:25:50 +01:00
Benjamin Otte
4114f1214c Bug 594034 - Use g_mkstemp_full() when creating the replacement file
Previous code used g_mkstemp(). But when using
G_FILE_CREATE_REPLACE_DESTINATION, no attempt was made to ensure proper
mode and flags of the created temporary file. The visible issue was that
the file was always created with mode 0600 as opposed to using 0666.
(The invisible issue was that O_RDWR was used instead of O_WRONLY.)
2009-09-04 22:45:57 +02:00
Matthias Clasen
2889f1b8a3 Use the saved errno value
Bug 591995
2009-08-27 23:02:08 -04:00
Christian Persch
1cbdd2495d Preserve errno when using g_set_error with _() and g_strerror() 2009-05-20 13:47:55 +02:00
Alexander Larsson
2597e3adc3 Remove unused variable 2009-05-15 20:58:27 +02:00
Alexander Larsson
14d58d51a3 Local file implementation of GFileIOStream and ops
This implements all the GIOStream file ops for local files.
We use the "fallback to output stream" for all GFileIOStream ops.
Some helpers stuff was added to the local input and output streams
so they could be reused.
2009-05-13 14:42:57 +02:00
Alexander Larsson
a3fe428081 fix attributes argument of query_info methods to be "const char *".
2009-03-17  Alexander Larsson  <alexl@redhat.com>

        * glocalfileinputstream.c:
        * glocalfileoutputstream.c:
	fix attributes argument of query_info methods to
	be "const char *".


svn path=/trunk/; revision=8000
2009-03-17 11:21:37 +00:00
Alexander Larsson
6cff88ba18 Bug 575555 – Use fsync() when replacing files to avoid data loss on
2009-03-16  Alexander Larsson  <alexl@redhat.com>

	Bug 575555 – Use fsync() when replacing files to avoid data loss on crash

        * configure.in:
	Look for fsync().

        * glib/gfileutils.c:
        (write_to_temp_file):
	fsync temp file if destination file exists

2009-03-16  Alexander Larsson  <alexl@redhat.com>

	Bug 575555 – Use fsync() when replacing files to avoid data loss on crash

        * glocalfileoutputstream.c:
        (g_local_file_output_stream_close):
        (_g_local_file_output_stream_replace):
	fsync temp file before closing if replacing target file

	

svn path=/trunk/; revision=7991
2009-03-16 16:03:13 +00:00