2018-11-27 Florian Weimer <fweimer@redhat.com>
+ * support/support.h (support_quote_string): Declare.
+ * support/support_quote_string.c: New file.
+ * support/tst-support_quote_string.c: Likewise.
+ * support/Makefile (libsupport-routines): Add
+ support_quote_string.
+ (tests): Add tst-support_quote_string.
+
+2018-11-27 Florian Weimer <fweimer@redhat.com>
+
[BZ #23927]
CVE-2018-19591
* sysdeps/unix/sysv/linux/if_index.c (__if_nametoindex): Avoid
the result). */
char *support_quote_blob (const void *blob, size_t length);
+/* Quote the contents of the at STR, in such a way that the result
+ string can be included in a C literal (in single/double quotes,
+ without putting the quotes into the result). */
+char *support_quote_string (const char *str);
+
/* Returns non-zero if the file descriptor is a regular file on a file
system which supports holes (that is, seeking and writing does not
allocate storage for the range of zeros). FD must refer to a
--- /dev/null
+/* Quote a string so that it can be used in C literals.
+ Copyright (C) 2018 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <string.h>
+#include <support/support.h>
+
+char *
+support_quote_string (const char *str)
+{
+ return support_quote_blob (str, strlen (str));
+}
--- /dev/null
+/* Test the support_quote_string function.
+ Copyright (C) 2018 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <support/check.h>
+#include <support/support.h>
+#include <string.h>
+#include <stdlib.h>
+
+static int
+do_test (void)
+{
+ char *p = support_quote_string ("");
+ TEST_COMPARE (strlen (p), 0);
+ free (p);
+ p = support_quote_string ("X");
+ TEST_COMPARE (strlen (p), 1);
+ TEST_COMPARE (p[0], 'X');
+ free (p);
+
+ /* Check escaping of backslash-escaped characters, and lack of
+ escaping for other shell meta-characters. */
+ p = support_quote_string ("$()*?`@[]{}~\'\"X");
+ TEST_COMPARE (strcmp (p, "$()*?`@[]{}~\\'\\\"X"), 0);
+ free (p);
+
+ /* Check lack of escaping for letters and digits. */
+#define LETTERS_AND_DIGTS \
+ "abcdefghijklmnopqrstuvwxyz" \
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
+ "0123456789"
+ p = support_quote_string (LETTERS_AND_DIGTS "@");
+ TEST_COMPARE (strcmp (p, LETTERS_AND_DIGTS "@"), 0);
+ free (p);
+
+ /* Check escaping of control characters and other non-printable
+ characters. */
+ p = support_quote_string ("\r\n\t\a\b\f\v\1\177\200\377@");
+ TEST_COMPARE (strcmp (p, "\\r\\n\\t\\a\\b\\f\\v\\001"
+ "\\177\\200\\377@"), 0);
+ free (p);
+
+ return 0;
+}
+
+#include <support/test-driver.c>