std: Properly handle interior NULs in std::process #31056
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @aturon (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
|
I think both issues will manifest on Windows as well, but I made no changes there. The added regression tests will likely cause failures on Windows. |
| // to that point and report an error via a `Result` rather than by | ||
| // panicking. | ||
| #[derive(Debug, Clone)] | ||
| pub enum ValidatedCString { |
There was a problem hiding this comment.
In the case that an invalid string is passed down, we don't necessarily need to store the original data, so perhaps this could just store a flag in Command as to whether something with a nul byte in it has been passed in? That way once we hit spawn we can just check the flag and return an error appropriately.
There was a problem hiding this comment.
I mostly kept it so the Debug impl on std::process::Command would display something. I can change this though.
There was a problem hiding this comment.
Ah that's a good point. The Debug impl would probably be fine to start including something like <string-with-nul> or something like that instead of the actual value, however. It seems relatively complicated to define a type like this just for a Debug implementation that's unlikely to ever be seen.
There was a problem hiding this comment.
Maybe (ab)use Option for this?
pub struct Command {
program: Option<CString>,
args: Vec<Optrion<ValidatedCString>>,
env: Option<HashMap<Option<CString>, Option<ValidatedCString>>>,
cwd: Option<Option<CString>>,
uid: Option<uid_t>,
gid: Option<gid_t>,
session_leader: bool,
saw_nul: bool,
}
The Debug impl could then use unwrap_or("<string-with-nul>").
This is a bit weird for env, as the hash map would lose context of how many vars were nulful. The cwd would be a bit unwieldy with the double Option...
There was a problem hiding this comment.
@alexcrichton any thoughts on how best to handle this?
There was a problem hiding this comment.
Oh I wouldn't change the internal structure of Command much, just add a flag indicating that something with a nul byte was passed in. The Debug implementation only shows the program and its arguments, so if we really want we can store CString::new("<string-with-nul>").unwrap() in those places, but other than that we don't need to track the information elsewhere.
There was a problem hiding this comment.
Ok, so that means dropping this whole ValidatedCString thing, right? Shall I close this and open an new PR skipping that altogether?
There was a problem hiding this comment.
I also don't have a good grasp on what Windows does here. I think my tests on std::process will fail there, but without seeing the failures I'm not sure what to do to fix it.
There was a problem hiding this comment.
Nah keeping this PR is fine (just pushing the changes to it).
I do think that the tests will fail on Windows as well, but it should be pretty straightforward (e.g. checking encode_wide() for zeros) and relatively the same implementation as Unix.
There was a problem hiding this comment.
I've changed the unix version. I'll try to make changes for Windows, but it'll be kind of fumbling in the dark.
brson
added
relnotes
|
I marked this as a regression since it changes behavior, but I'm in favor. |
|
Argh I missed the warnings and didn't realise they were errors in the build. Just pushed something that should pass. There are still a couple of open discussion points though. |
| } | ||
| fn init_env_map(&mut self) { | ||
| if self.env.is_none() { | ||
| self.env = Some(env::vars_os().collect()); | ||
| // Will not add NULs to env: preexisting environment will not contain any. | ||
| self.env = Some(env::vars_os().map(|(k, v)| (k, v)).collect()); |
There was a problem hiding this comment.
I don't think that this needs to change, right?
There was a problem hiding this comment.
erm yeah that's a non-perfect refactor of an intermediate stage I had.... time to apply map id => id...
|
Looks good to me! I think the Windows implementation will just need to be tweaked and this should be good to go. If you want to test things out it and you're on Unix you may be able to use this helper script I have to at least ensure the standard library itself compiles, I suspect this is a situation where "when it compiles it works" :) |
|
Thanks for the script! |
|
Sorry for letting this go for so long. I kept putting off learning about |
| @@ -43,13 +43,25 @@ fn mk_key(s: &OsStr) -> OsString { | |||
| }) | |||
| } | |||
|
|
|||
| fn ensure_no_nuls<T: AsRef<OsStr>>(str: T) -> io::Result<T> { | |||
| let has_nul = { | |||
| let bytes = str.as_ref().as_inner().inner.as_inner(); | |||
There was a problem hiding this comment.
Ah can this actually use the .encode_wide() method? That's what'll be passed down to the OS anyway, and is a little more reliably than looking at the internal bytes.
There was a problem hiding this comment.
The environment block is built up using .extend(), and I wanted to avoid the extra allocation and copy of the keys and values that would be necessary to check the .encode_wide() output. See https://github.com/rust-lang/rust/pull/31056/files#diff-9a0a769432651d9c59644e0a8c7f887eR353
We can avoid the repeated allocation by reusing a buffer for the conversion, but we'd still pay the extra copy cost. I'm happy to do this however you prefer, though.
There was a problem hiding this comment.
Oh I see what you mean. Ignore above!
|
Thanks @kamalmarhubi! Looks good to me modulo one nit and I'd be fine sending to bors after. |
|
Yay! I'm really excited to see what the bors experience is like, so I'll try and keep this moving. :-) |
|
Thanks! Can you squash the commits down into one as well? (sorry forgot to check that last time) |
kamalmarhubi
force-pushed
the
std-process-nul-chars
branch
from
b3d4b4e
to
59d070c
Compare
|
Done, and rebased. |
kamalmarhubi
changed the title
|
@bors: r+ 59d070c0d684926de73fe0400096b63091798de7 |
|
⌛ Testing commit 59d070c with merge 28c6780... |
|
💔 Test failed - auto-win-gnu-64-nopt-t |
This reports an error at the point of calling `Command::spawn()` or one of its equivalents. Fixes rust-lang#30858 Fixes rust-lang#30862
kamalmarhubi
force-pushed
the
std-process-nul-chars
branch
from
59d070c
to
7c64bf1
Compare
|
Fixed test and squashed. Diff: kamalmarhubi/rust@59d070c...7c64bf1 |
|
Urg pushed the wrong thing. |
|
Actually no, I pushed the right thing I just can't get the compare url to display as I'd like. Here's the diff: diff --git a/src/libstd/sys/windows/process.rs b/src/libstd/sys/windows/process.rs
index 758044c..61cf28b 100644
--- a/src/libstd/sys/windows/process.rs
+++ b/src/libstd/sys/windows/process.rs
@@ -419,11 +419,12 @@ mod tests {
#[test]
fn test_make_command_line() {
fn test_wrapper(prog: &str, args: &[&str]) -> String {
- String::from_utf16(
- &make_command_line(OsStr::new(prog),
- &args.iter()
- .map(|a| OsString::from(a))
- .collect::<Vec<OsString>>())).unwrap()
+ let command_line = &make_command_line(OsStr::new(prog),
+ &args.iter()
+ .map(|a| OsString::from(a))
+ .collect::<Vec<OsString>>())
+ .unwrap();
+ String::from_utf16(command_line).unwrap()
}
assert_eq!( |
This reports an error at the point of calling
Command::spawn()or one ofits equivalents.
Fixes #30858
Fixes #30862