2010-04-13 16:30:11 -07:00
|
|
|
// Copyright 2009 The Go Authors. All rights reserved.
|
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
package os
|
|
|
|
|
|
|
|
|
|
import (
|
2019-02-28 20:21:32 +11:00
|
|
|
"errors"
|
2017-02-10 15:17:38 -08:00
|
|
|
"internal/poll"
|
2015-02-26 12:10:11 -08:00
|
|
|
"internal/syscall/windows"
|
2010-04-13 16:30:11 -07:00
|
|
|
"runtime"
|
|
|
|
|
"syscall"
|
2011-11-15 12:48:22 -05:00
|
|
|
"unicode/utf16"
|
2013-01-07 12:48:32 +11:00
|
|
|
"unsafe"
|
2010-04-13 16:30:11 -07:00
|
|
|
)
|
|
|
|
|
|
allow copy of struct containing unexported fields
An experiment: allow structs to be copied even if they
contain unexported fields. This gives packages the
ability to return opaque values in their APIs, like reflect
does for reflect.Value but without the kludgy hacks reflect
resorts to.
In general, we trust programmers not to do silly things
like *x = *y on a package's struct pointers, just as we trust
programmers not to do unicode.Letter = unicode.Digit,
but packages that want a harder guarantee can introduce
an extra level of indirection, like in the changes to os.File
in this CL or by using an interface type.
All in one CL so that it can be rolled back more easily if
we decide this is a bad idea.
Originally discussed in March 2011.
https://groups.google.com/group/golang-dev/t/3f5d30938c7c45ef
R=golang-dev, adg, dvyukov, r, bradfitz, jan.mercl, gri
CC=golang-dev
https://golang.org/cl/5372095
2011-11-15 12:20:59 -05:00
|
|
|
// file is the real representation of *File.
|
|
|
|
|
// The extra level of indirection ensures that no clients of os
|
|
|
|
|
// can overwrite this data, which could cause the finalizer
|
|
|
|
|
// to close the wrong file descriptor.
|
|
|
|
|
type file struct {
|
2017-02-10 15:17:38 -08:00
|
|
|
pfd poll.FD
|
2011-07-01 10:18:07 -04:00
|
|
|
name string
|
2017-02-10 15:17:38 -08:00
|
|
|
dirinfo *dirInfo // nil unless directory being read
|
2011-07-01 10:18:07 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Fd returns the Windows handle referencing the open file.
|
2014-11-06 09:36:51 -05:00
|
|
|
// The handle is valid only until f.Close is called or f is garbage collected.
|
os: calling Fd disables the SetDeadline methods
The full truth seems too complicated to write in this method's doc, so
I'm going with a simple half truth.
The full truth is that Fd returns the descriptor in blocking mode,
because that is historically how it worked, and existing programs
would be surprised if the descriptor is suddenly non-blocking. On Unix
systems whether a file is non-blocking or not is a property of the
underlying file description, not of a particular file descriptor, so
changing the returned descriptor to blocking mode also changes the
existing File to blocking mode. Blocking mode works fine, althoug I/O
operations now take up a thread. SetDeadline and friends rely on the
runtime poller, and the runtime poller only works if the descriptor is
non-blocking. So it's correct that calling Fd disables SetDeadline.
The other half of the truth is that if the program is willing to work
with a non-blocking descriptor, it could call
syscall.SetNonblock(descriptor, true) to change the descriptor, and
the original File, to non-blocking mode. At that point SetDeadline
would start working again. I tried to write that in a way that is
short and comprehensible but failed. Since deadlines mostly work on
pipes, and there isn't much reason to call Fd on a pipe, and few
people use SetDeadline, I decided to punt.
Fixes #22934
Change-Id: I2e49e036f0bcf71f5365193831696f9e4120527c
Reviewed-on: https://go-review.googlesource.com/81636
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-01 16:55:46 -08:00
|
|
|
// On Unix systems this will cause the SetDeadline methods to stop working.
|
2012-02-10 14:16:15 +11:00
|
|
|
func (file *File) Fd() uintptr {
|
2011-07-01 10:18:07 -04:00
|
|
|
if file == nil {
|
2012-02-10 14:16:15 +11:00
|
|
|
return uintptr(syscall.InvalidHandle)
|
2011-07-01 10:18:07 -04:00
|
|
|
}
|
2017-02-10 15:17:38 -08:00
|
|
|
return uintptr(file.pfd.Sysfd)
|
2011-07-01 10:18:07 -04:00
|
|
|
}
|
|
|
|
|
|
2013-01-07 12:48:32 +11:00
|
|
|
// newFile returns a new File with the given file handle and name.
|
|
|
|
|
// Unlike NewFile, it does not check that h is syscall.InvalidHandle.
|
2017-02-10 15:17:38 -08:00
|
|
|
func newFile(h syscall.Handle, name string, kind string) *File {
|
|
|
|
|
if kind == "file" {
|
|
|
|
|
var m uint32
|
|
|
|
|
if syscall.GetConsoleMode(h, &m) == nil {
|
|
|
|
|
kind = "console"
|
|
|
|
|
}
|
2019-03-04 10:07:07 +00:00
|
|
|
if t, err := syscall.GetFileType(h); err == nil && t == syscall.FILE_TYPE_PIPE {
|
|
|
|
|
kind = "pipe"
|
|
|
|
|
}
|
2017-02-10 15:17:38 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f := &File{&file{
|
|
|
|
|
pfd: poll.FD{
|
|
|
|
|
Sysfd: h,
|
|
|
|
|
IsStream: true,
|
|
|
|
|
ZeroReadIsEOF: true,
|
|
|
|
|
},
|
|
|
|
|
name: name,
|
|
|
|
|
}}
|
allow copy of struct containing unexported fields
An experiment: allow structs to be copied even if they
contain unexported fields. This gives packages the
ability to return opaque values in their APIs, like reflect
does for reflect.Value but without the kludgy hacks reflect
resorts to.
In general, we trust programmers not to do silly things
like *x = *y on a package's struct pointers, just as we trust
programmers not to do unicode.Letter = unicode.Digit,
but packages that want a harder guarantee can introduce
an extra level of indirection, like in the changes to os.File
in this CL or by using an interface type.
All in one CL so that it can be rolled back more easily if
we decide this is a bad idea.
Originally discussed in March 2011.
https://groups.google.com/group/golang-dev/t/3f5d30938c7c45ef
R=golang-dev, adg, dvyukov, r, bradfitz, jan.mercl, gri
CC=golang-dev
https://golang.org/cl/5372095
2011-11-15 12:20:59 -05:00
|
|
|
runtime.SetFinalizer(f.file, (*file).close)
|
2017-02-10 15:17:38 -08:00
|
|
|
|
|
|
|
|
// Ignore initialization errors.
|
|
|
|
|
// Assume any problems will show up in later I/O.
|
2017-09-25 18:54:14 +10:00
|
|
|
f.pfd.Init(kind, false)
|
2017-02-10 15:17:38 -08:00
|
|
|
|
2011-07-01 10:18:07 -04:00
|
|
|
return f
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-21 11:19:36 +10:00
|
|
|
// newConsoleFile creates new File that will be used as console.
|
|
|
|
|
func newConsoleFile(h syscall.Handle, name string) *File {
|
2017-02-10 15:17:38 -08:00
|
|
|
return newFile(h, name, "console")
|
2016-09-21 11:19:36 +10:00
|
|
|
}
|
|
|
|
|
|
2017-04-20 11:13:55 +02:00
|
|
|
// NewFile returns a new File with the given file descriptor and
|
|
|
|
|
// name. The returned value will be nil if fd is not a valid file
|
|
|
|
|
// descriptor.
|
2013-01-07 12:48:32 +11:00
|
|
|
func NewFile(fd uintptr, name string) *File {
|
|
|
|
|
h := syscall.Handle(fd)
|
|
|
|
|
if h == syscall.InvalidHandle {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2017-02-10 15:17:38 -08:00
|
|
|
return newFile(h, name, "file")
|
2013-01-07 12:48:32 +11:00
|
|
|
}
|
|
|
|
|
|
2010-04-13 16:30:11 -07:00
|
|
|
// Auxiliary information if the File describes a directory
|
|
|
|
|
type dirInfo struct {
|
2012-06-08 13:54:48 -04:00
|
|
|
data syscall.Win32finddata
|
2011-09-06 09:59:08 +10:00
|
|
|
needdata bool
|
2012-02-27 12:29:33 +11:00
|
|
|
path string
|
2013-01-07 12:48:32 +11:00
|
|
|
isempty bool // set if FindFirstFile returns ERROR_FILE_NOT_FOUND
|
2010-04-13 16:30:11 -07:00
|
|
|
}
|
|
|
|
|
|
2012-07-27 22:21:33 +10:00
|
|
|
func epipecheck(file *File, e error) {
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-25 10:56:11 +11:00
|
|
|
// DevNull is the name of the operating system's ``null device.''
|
|
|
|
|
// On Unix-like systems, it is "/dev/null"; on Windows, "NUL".
|
2010-08-03 13:03:50 -07:00
|
|
|
const DevNull = "NUL"
|
|
|
|
|
|
2012-01-10 20:26:11 -08:00
|
|
|
func (f *file) isdir() bool { return f != nil && f.dirinfo != nil }
|
2010-04-13 16:30:11 -07:00
|
|
|
|
2012-01-19 15:45:18 -08:00
|
|
|
func openFile(name string, flag int, perm FileMode) (file *File, err error) {
|
2016-10-28 13:01:51 -04:00
|
|
|
r, e := syscall.Open(fixLongPath(name), flag|syscall.O_CLOEXEC, syscallMode(perm))
|
2011-11-13 22:44:52 -05:00
|
|
|
if e != nil {
|
2013-01-07 12:48:32 +11:00
|
|
|
return nil, e
|
2010-04-13 16:30:11 -07:00
|
|
|
}
|
2017-02-10 15:17:38 -08:00
|
|
|
return newFile(r, name, "file"), nil
|
2010-04-13 16:30:11 -07:00
|
|
|
}
|
|
|
|
|
|
2011-11-01 21:49:08 -04:00
|
|
|
func openDir(name string) (file *File, err error) {
|
2015-12-30 12:13:21 +11:00
|
|
|
var mask string
|
2016-10-28 13:01:51 -04:00
|
|
|
|
|
|
|
|
path := fixLongPath(name)
|
|
|
|
|
|
|
|
|
|
if len(path) == 2 && path[1] == ':' || (len(path) > 0 && path[len(path)-1] == '\\') { // it is a drive letter, like C:
|
|
|
|
|
mask = path + `*`
|
2015-12-30 12:13:21 +11:00
|
|
|
} else {
|
2016-10-28 13:01:51 -04:00
|
|
|
mask = path + `\*`
|
2015-12-30 12:13:21 +11:00
|
|
|
}
|
|
|
|
|
maskp, e := syscall.UTF16PtrFromString(mask)
|
syscall: return EINVAL when string arguments have NUL characters
Since NUL usually terminates strings in underlying syscalls, allowing
it when converting string arguments is a security risk, especially
when dealing with filenames. For example, a program might reason that
filename like "/root/..\x00/" is a subdirectory or "/root/" and allow
access to it, while underlying syscall will treat "\x00" as an end of
that string and the actual filename will be "/root/..", which might
be unexpected. Returning EINVAL when string arguments have NUL in
them makes sure this attack vector is unusable.
R=golang-dev, r, bradfitz, fullung, rsc, minux.ma
CC=golang-dev
https://golang.org/cl/6458050
2012-08-05 17:24:32 -04:00
|
|
|
if e != nil {
|
2013-01-07 12:48:32 +11:00
|
|
|
return nil, e
|
syscall: return EINVAL when string arguments have NUL characters
Since NUL usually terminates strings in underlying syscalls, allowing
it when converting string arguments is a security risk, especially
when dealing with filenames. For example, a program might reason that
filename like "/root/..\x00/" is a subdirectory or "/root/" and allow
access to it, while underlying syscall will treat "\x00" as an end of
that string and the actual filename will be "/root/..", which might
be unexpected. Returning EINVAL when string arguments have NUL in
them makes sure this attack vector is unusable.
R=golang-dev, r, bradfitz, fullung, rsc, minux.ma
CC=golang-dev
https://golang.org/cl/6458050
2012-08-05 17:24:32 -04:00
|
|
|
}
|
2010-04-13 16:30:11 -07:00
|
|
|
d := new(dirInfo)
|
syscall: return EINVAL when string arguments have NUL characters
Since NUL usually terminates strings in underlying syscalls, allowing
it when converting string arguments is a security risk, especially
when dealing with filenames. For example, a program might reason that
filename like "/root/..\x00/" is a subdirectory or "/root/" and allow
access to it, while underlying syscall will treat "\x00" as an end of
that string and the actual filename will be "/root/..", which might
be unexpected. Returning EINVAL when string arguments have NUL in
them makes sure this attack vector is unusable.
R=golang-dev, r, bradfitz, fullung, rsc, minux.ma
CC=golang-dev
https://golang.org/cl/6458050
2012-08-05 17:24:32 -04:00
|
|
|
r, e := syscall.FindFirstFile(maskp, &d.data)
|
2011-11-13 22:44:52 -05:00
|
|
|
if e != nil {
|
2013-01-07 12:48:32 +11:00
|
|
|
// FindFirstFile returns ERROR_FILE_NOT_FOUND when
|
|
|
|
|
// no matching files can be found. Then, if directory
|
|
|
|
|
// exists, we should proceed.
|
|
|
|
|
if e != syscall.ERROR_FILE_NOT_FOUND {
|
|
|
|
|
return nil, e
|
|
|
|
|
}
|
|
|
|
|
var fa syscall.Win32FileAttributeData
|
2016-10-28 13:01:51 -04:00
|
|
|
pathp, e := syscall.UTF16PtrFromString(path)
|
2013-01-07 12:48:32 +11:00
|
|
|
if e != nil {
|
|
|
|
|
return nil, e
|
|
|
|
|
}
|
2016-10-28 13:01:51 -04:00
|
|
|
e = syscall.GetFileAttributesEx(pathp, syscall.GetFileExInfoStandard, (*byte)(unsafe.Pointer(&fa)))
|
2013-01-07 12:48:32 +11:00
|
|
|
if e != nil {
|
|
|
|
|
return nil, e
|
|
|
|
|
}
|
|
|
|
|
if fa.FileAttributes&syscall.FILE_ATTRIBUTE_DIRECTORY == 0 {
|
|
|
|
|
return nil, e
|
|
|
|
|
}
|
|
|
|
|
d.isempty = true
|
2010-04-13 16:30:11 -07:00
|
|
|
}
|
2016-10-28 13:01:51 -04:00
|
|
|
d.path = path
|
2012-02-27 12:29:33 +11:00
|
|
|
if !isAbs(d.path) {
|
2014-08-19 14:59:56 +10:00
|
|
|
d.path, e = syscall.FullPath(d.path)
|
|
|
|
|
if e != nil {
|
|
|
|
|
return nil, e
|
|
|
|
|
}
|
2012-02-27 12:29:33 +11:00
|
|
|
}
|
2017-02-10 15:17:38 -08:00
|
|
|
f := newFile(r, name, "dir")
|
2010-04-13 16:30:11 -07:00
|
|
|
f.dirinfo = d
|
|
|
|
|
return f, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-11 16:41:37 -08:00
|
|
|
// openFileNolog is the Windows implementation of OpenFile.
|
|
|
|
|
func openFileNolog(name string, flag int, perm FileMode) (*File, error) {
|
2011-11-26 11:01:49 +11:00
|
|
|
if name == "" {
|
|
|
|
|
return nil, &PathError{"open", name, syscall.ENOENT}
|
|
|
|
|
}
|
2014-03-05 12:19:56 +11:00
|
|
|
r, errf := openFile(name, flag, perm)
|
|
|
|
|
if errf == nil {
|
|
|
|
|
return r, nil
|
|
|
|
|
}
|
|
|
|
|
r, errd := openDir(name)
|
|
|
|
|
if errd == nil {
|
2010-10-04 17:31:49 +11:00
|
|
|
if flag&O_WRONLY != 0 || flag&O_RDWR != 0 {
|
|
|
|
|
r.Close()
|
2012-02-17 10:04:29 +11:00
|
|
|
return nil, &PathError{"open", name, syscall.EISDIR}
|
2010-10-04 17:31:49 +11:00
|
|
|
}
|
2010-04-13 16:30:11 -07:00
|
|
|
return r, nil
|
|
|
|
|
}
|
2014-03-05 12:19:56 +11:00
|
|
|
return nil, &PathError{"open", name, errf}
|
2010-04-13 16:30:11 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Close closes the File, rendering it unusable for I/O.
|
2018-07-10 06:47:44 -07:00
|
|
|
// On files that support SetDeadline, any pending I/O operations will
|
|
|
|
|
// be canceled and return immediately with an error.
|
2011-11-01 21:49:08 -04:00
|
|
|
func (file *File) Close() error {
|
2013-08-20 14:45:46 +10:00
|
|
|
if file == nil {
|
2013-08-20 14:33:03 +10:00
|
|
|
return ErrInvalid
|
|
|
|
|
}
|
allow copy of struct containing unexported fields
An experiment: allow structs to be copied even if they
contain unexported fields. This gives packages the
ability to return opaque values in their APIs, like reflect
does for reflect.Value but without the kludgy hacks reflect
resorts to.
In general, we trust programmers not to do silly things
like *x = *y on a package's struct pointers, just as we trust
programmers not to do unicode.Letter = unicode.Digit,
but packages that want a harder guarantee can introduce
an extra level of indirection, like in the changes to os.File
in this CL or by using an interface type.
All in one CL so that it can be rolled back more easily if
we decide this is a bad idea.
Originally discussed in March 2011.
https://groups.google.com/group/golang-dev/t/3f5d30938c7c45ef
R=golang-dev, adg, dvyukov, r, bradfitz, jan.mercl, gri
CC=golang-dev
https://golang.org/cl/5372095
2011-11-15 12:20:59 -05:00
|
|
|
return file.file.close()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (file *file) close() error {
|
2017-04-24 21:49:26 -07:00
|
|
|
if file == nil {
|
2013-01-07 12:48:32 +11:00
|
|
|
return syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
if file.isdir() && file.dirinfo.isempty {
|
|
|
|
|
// "special" empty directories
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2011-11-01 21:49:08 -04:00
|
|
|
var err error
|
2017-02-10 15:17:38 -08:00
|
|
|
if e := file.pfd.Close(); e != nil {
|
2017-04-25 17:47:34 -07:00
|
|
|
if e == poll.ErrFileClosing {
|
|
|
|
|
e = ErrClosed
|
|
|
|
|
}
|
2011-11-13 22:44:52 -05:00
|
|
|
err = &PathError{"close", file.name, e}
|
2010-04-13 16:30:11 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// no need for a finalizer anymore
|
|
|
|
|
runtime.SetFinalizer(file, nil)
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2011-04-26 18:09:46 +10:00
|
|
|
// read reads up to len(b) bytes from the File.
|
|
|
|
|
// It returns the number of bytes read and an error, if any.
|
2011-11-13 22:44:52 -05:00
|
|
|
func (f *File) read(b []byte) (n int, err error) {
|
2017-02-10 15:17:38 -08:00
|
|
|
n, err = f.pfd.Read(b)
|
|
|
|
|
runtime.KeepAlive(f)
|
|
|
|
|
return n, err
|
2011-04-26 18:09:46 +10:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// pread reads len(b) bytes from the File starting at byte offset off.
|
|
|
|
|
// It returns the number of bytes read and the error, if any.
|
|
|
|
|
// EOF is signaled by a zero count with err set to 0.
|
2011-11-13 22:44:52 -05:00
|
|
|
func (f *File) pread(b []byte, off int64) (n int, err error) {
|
2017-02-10 15:17:38 -08:00
|
|
|
n, err = f.pfd.Pread(b, off)
|
|
|
|
|
runtime.KeepAlive(f)
|
|
|
|
|
return n, err
|
2012-09-12 12:04:45 +10:00
|
|
|
}
|
|
|
|
|
|
2011-04-26 18:09:46 +10:00
|
|
|
// write writes len(b) bytes to the File.
|
|
|
|
|
// It returns the number of bytes written and an error, if any.
|
2011-11-13 22:44:52 -05:00
|
|
|
func (f *File) write(b []byte) (n int, err error) {
|
2017-02-10 15:17:38 -08:00
|
|
|
n, err = f.pfd.Write(b)
|
|
|
|
|
runtime.KeepAlive(f)
|
|
|
|
|
return n, err
|
2011-04-26 18:09:46 +10:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// pwrite writes len(b) bytes to the File starting at byte offset off.
|
|
|
|
|
// It returns the number of bytes written and an error, if any.
|
2011-11-13 22:44:52 -05:00
|
|
|
func (f *File) pwrite(b []byte, off int64) (n int, err error) {
|
2017-02-10 15:17:38 -08:00
|
|
|
n, err = f.pfd.Pwrite(b, off)
|
|
|
|
|
runtime.KeepAlive(f)
|
|
|
|
|
return n, err
|
2011-04-26 18:09:46 +10:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// seek sets the offset for the next Read or Write on file to offset, interpreted
|
|
|
|
|
// according to whence: 0 means relative to the origin of the file, 1 means
|
|
|
|
|
// relative to the current offset, and 2 means relative to the end.
|
|
|
|
|
// It returns the new offset and an error, if any.
|
2011-11-13 22:44:52 -05:00
|
|
|
func (f *File) seek(offset int64, whence int) (ret int64, err error) {
|
2017-02-10 15:17:38 -08:00
|
|
|
ret, err = f.pfd.Seek(offset, whence)
|
|
|
|
|
runtime.KeepAlive(f)
|
|
|
|
|
return ret, err
|
2011-04-26 18:09:46 +10:00
|
|
|
}
|
|
|
|
|
|
2010-04-26 23:17:14 -07:00
|
|
|
// Truncate changes the size of the named file.
|
|
|
|
|
// If the file is a symbolic link, it changes the size of the link's target.
|
2011-11-01 21:49:08 -04:00
|
|
|
func Truncate(name string, size int64) error {
|
2011-04-04 23:57:08 -07:00
|
|
|
f, e := OpenFile(name, O_WRONLY|O_CREATE, 0666)
|
2010-04-26 23:17:14 -07:00
|
|
|
if e != nil {
|
|
|
|
|
return e
|
|
|
|
|
}
|
|
|
|
|
defer f.Close()
|
|
|
|
|
e1 := f.Truncate(size)
|
|
|
|
|
if e1 != nil {
|
|
|
|
|
return e1
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2011-07-01 10:18:07 -04:00
|
|
|
|
2011-12-20 11:52:20 +11:00
|
|
|
// Remove removes the named file or directory.
|
2012-02-09 16:55:36 +11:00
|
|
|
// If there is an error, it will be of type *PathError.
|
2011-12-20 11:52:20 +11:00
|
|
|
func Remove(name string) error {
|
2016-10-28 13:01:51 -04:00
|
|
|
p, e := syscall.UTF16PtrFromString(fixLongPath(name))
|
syscall: return EINVAL when string arguments have NUL characters
Since NUL usually terminates strings in underlying syscalls, allowing
it when converting string arguments is a security risk, especially
when dealing with filenames. For example, a program might reason that
filename like "/root/..\x00/" is a subdirectory or "/root/" and allow
access to it, while underlying syscall will treat "\x00" as an end of
that string and the actual filename will be "/root/..", which might
be unexpected. Returning EINVAL when string arguments have NUL in
them makes sure this attack vector is unusable.
R=golang-dev, r, bradfitz, fullung, rsc, minux.ma
CC=golang-dev
https://golang.org/cl/6458050
2012-08-05 17:24:32 -04:00
|
|
|
if e != nil {
|
|
|
|
|
return &PathError{"remove", name, e}
|
|
|
|
|
}
|
2011-12-20 11:52:20 +11:00
|
|
|
|
|
|
|
|
// Go file interface forces us to know whether
|
|
|
|
|
// name is a file or directory. Try both.
|
syscall: return EINVAL when string arguments have NUL characters
Since NUL usually terminates strings in underlying syscalls, allowing
it when converting string arguments is a security risk, especially
when dealing with filenames. For example, a program might reason that
filename like "/root/..\x00/" is a subdirectory or "/root/" and allow
access to it, while underlying syscall will treat "\x00" as an end of
that string and the actual filename will be "/root/..", which might
be unexpected. Returning EINVAL when string arguments have NUL in
them makes sure this attack vector is unusable.
R=golang-dev, r, bradfitz, fullung, rsc, minux.ma
CC=golang-dev
https://golang.org/cl/6458050
2012-08-05 17:24:32 -04:00
|
|
|
e = syscall.DeleteFile(p)
|
2011-12-20 11:52:20 +11:00
|
|
|
if e == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
e1 := syscall.RemoveDirectory(p)
|
|
|
|
|
if e1 == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Both failed: figure out which error to return.
|
|
|
|
|
if e1 != e {
|
|
|
|
|
a, e2 := syscall.GetFileAttributes(p)
|
|
|
|
|
if e2 != nil {
|
|
|
|
|
e = e2
|
|
|
|
|
} else {
|
|
|
|
|
if a&syscall.FILE_ATTRIBUTE_DIRECTORY != 0 {
|
|
|
|
|
e = e1
|
2016-04-07 14:24:24 -04:00
|
|
|
} else if a&syscall.FILE_ATTRIBUTE_READONLY != 0 {
|
|
|
|
|
if e1 = syscall.SetFileAttributes(p, a&^syscall.FILE_ATTRIBUTE_READONLY); e1 == nil {
|
|
|
|
|
if e = syscall.DeleteFile(p); e == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-12-20 11:52:20 +11:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return &PathError{"remove", name, e}
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-26 12:10:11 -08:00
|
|
|
func rename(oldname, newname string) error {
|
2016-10-28 13:01:51 -04:00
|
|
|
e := windows.Rename(fixLongPath(oldname), fixLongPath(newname))
|
2015-02-26 12:10:11 -08:00
|
|
|
if e != nil {
|
|
|
|
|
return &LinkError{"rename", oldname, newname, e}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-01 10:18:07 -04:00
|
|
|
// Pipe returns a connected pair of Files; reads from r return bytes written to w.
|
2011-11-01 21:49:08 -04:00
|
|
|
// It returns the files and an error, if any.
|
|
|
|
|
func Pipe() (r *File, w *File, err error) {
|
2011-07-01 10:18:07 -04:00
|
|
|
var p [2]syscall.Handle
|
2017-10-20 12:44:00 +11:00
|
|
|
e := syscall.CreatePipe(&p[0], &p[1], nil, 0)
|
2011-11-13 22:44:52 -05:00
|
|
|
if e != nil {
|
2011-07-01 10:18:07 -04:00
|
|
|
return nil, nil, NewSyscallError("pipe", e)
|
|
|
|
|
}
|
2019-03-04 10:07:07 +00:00
|
|
|
return newFile(p[0], "|0", "pipe"), newFile(p[1], "|1", "pipe"), nil
|
2011-07-01 10:18:07 -04:00
|
|
|
}
|
2011-11-14 14:06:50 -05:00
|
|
|
|
2017-06-14 18:29:49 +00:00
|
|
|
func tempDir() string {
|
2015-02-13 16:12:07 +11:00
|
|
|
n := uint32(syscall.MAX_PATH)
|
|
|
|
|
for {
|
|
|
|
|
b := make([]uint16, n)
|
|
|
|
|
n, _ = syscall.GetTempPath(uint32(len(b)), &b[0])
|
|
|
|
|
if n > uint32(len(b)) {
|
|
|
|
|
continue
|
2011-11-14 14:06:50 -05:00
|
|
|
}
|
2018-12-17 20:39:48 +11:00
|
|
|
if n == 3 && b[1] == ':' && b[2] == '\\' {
|
|
|
|
|
// Do nothing for path, like C:\.
|
|
|
|
|
} else if n > 0 && b[n-1] == '\\' {
|
|
|
|
|
// Otherwise remove terminating \.
|
2015-02-13 16:12:07 +11:00
|
|
|
n--
|
|
|
|
|
}
|
|
|
|
|
return string(utf16.Decode(b[:n]))
|
2011-11-14 14:06:50 -05:00
|
|
|
}
|
|
|
|
|
}
|
2014-07-17 17:02:46 +10:00
|
|
|
|
|
|
|
|
// Link creates newname as a hard link to the oldname file.
|
|
|
|
|
// If there is an error, it will be of type *LinkError.
|
|
|
|
|
func Link(oldname, newname string) error {
|
2016-10-28 13:01:51 -04:00
|
|
|
n, err := syscall.UTF16PtrFromString(fixLongPath(newname))
|
2014-07-17 17:02:46 +10:00
|
|
|
if err != nil {
|
|
|
|
|
return &LinkError{"link", oldname, newname, err}
|
|
|
|
|
}
|
2016-10-28 13:01:51 -04:00
|
|
|
o, err := syscall.UTF16PtrFromString(fixLongPath(oldname))
|
2014-07-17 17:02:46 +10:00
|
|
|
if err != nil {
|
|
|
|
|
return &LinkError{"link", oldname, newname, err}
|
|
|
|
|
}
|
2015-02-27 12:34:25 -05:00
|
|
|
err = syscall.CreateHardLink(n, o, 0)
|
|
|
|
|
if err != nil {
|
2014-07-17 17:02:46 +10:00
|
|
|
return &LinkError{"link", oldname, newname, err}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Symlink creates newname as a symbolic link to oldname.
|
|
|
|
|
// If there is an error, it will be of type *LinkError.
|
|
|
|
|
func Symlink(oldname, newname string) error {
|
|
|
|
|
// '/' does not work in link's content
|
|
|
|
|
oldname = fromSlash(oldname)
|
|
|
|
|
|
2018-10-06 06:10:25 +00:00
|
|
|
// need the exact location of the oldname when it's relative to determine if it's a directory
|
2014-07-17 17:02:46 +10:00
|
|
|
destpath := oldname
|
|
|
|
|
if !isAbs(oldname) {
|
|
|
|
|
destpath = dirname(newname) + `\` + oldname
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-26 18:44:17 +11:00
|
|
|
fi, err := Stat(destpath)
|
2014-07-17 17:02:46 +10:00
|
|
|
isdir := err == nil && fi.IsDir()
|
|
|
|
|
|
2016-10-28 13:01:51 -04:00
|
|
|
n, err := syscall.UTF16PtrFromString(fixLongPath(newname))
|
2014-07-17 17:02:46 +10:00
|
|
|
if err != nil {
|
|
|
|
|
return &LinkError{"symlink", oldname, newname, err}
|
|
|
|
|
}
|
2016-10-28 13:01:51 -04:00
|
|
|
o, err := syscall.UTF16PtrFromString(fixLongPath(oldname))
|
2014-07-17 17:02:46 +10:00
|
|
|
if err != nil {
|
|
|
|
|
return &LinkError{"symlink", oldname, newname, err}
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-18 21:04:49 +00:00
|
|
|
var flags uint32 = windows.SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
|
2014-07-17 17:02:46 +10:00
|
|
|
if isdir {
|
|
|
|
|
flags |= syscall.SYMBOLIC_LINK_FLAG_DIRECTORY
|
|
|
|
|
}
|
|
|
|
|
err = syscall.CreateSymbolicLink(n, o, flags)
|
2018-04-18 21:04:49 +00:00
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
// the unprivileged create flag is unsupported
|
|
|
|
|
// below Windows 10 (1703, v10.0.14972). retry without it.
|
|
|
|
|
flags &^= windows.SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
|
|
|
|
|
|
|
|
|
|
err = syscall.CreateSymbolicLink(n, o, flags)
|
|
|
|
|
}
|
|
|
|
|
|
2014-07-17 17:02:46 +10:00
|
|
|
if err != nil {
|
|
|
|
|
return &LinkError{"symlink", oldname, newname, err}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2019-02-28 20:21:32 +11:00
|
|
|
|
|
|
|
|
// openSymlink calls CreateFile Windows API with FILE_FLAG_OPEN_REPARSE_POINT
|
|
|
|
|
// parameter, so that Windows does not follow symlink, if path is a symlink.
|
|
|
|
|
// openSymlink returns opened file handle.
|
|
|
|
|
func openSymlink(path string) (syscall.Handle, error) {
|
|
|
|
|
p, err := syscall.UTF16PtrFromString(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
attrs := uint32(syscall.FILE_FLAG_BACKUP_SEMANTICS)
|
|
|
|
|
// Use FILE_FLAG_OPEN_REPARSE_POINT, otherwise CreateFile will follow symlink.
|
|
|
|
|
// See https://docs.microsoft.com/en-us/windows/desktop/FileIO/symbolic-link-effects-on-file-systems-functions#createfile-and-createfiletransacted
|
|
|
|
|
attrs |= syscall.FILE_FLAG_OPEN_REPARSE_POINT
|
|
|
|
|
h, err := syscall.CreateFile(p, 0, 0, nil, syscall.OPEN_EXISTING, attrs, 0)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
return h, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// normaliseLinkPath converts absolute paths returned by
|
|
|
|
|
// DeviceIoControl(h, FSCTL_GET_REPARSE_POINT, ...)
|
|
|
|
|
// into paths acceptable by all Windows APIs.
|
|
|
|
|
// For example, it coverts
|
|
|
|
|
// \??\C:\foo\bar into C:\foo\bar
|
|
|
|
|
// \??\UNC\foo\bar into \\foo\bar
|
|
|
|
|
// \??\Volume{abc}\ into C:\
|
|
|
|
|
func normaliseLinkPath(path string) (string, error) {
|
|
|
|
|
if len(path) < 4 || path[:4] != `\??\` {
|
|
|
|
|
// unexpected path, return it as is
|
|
|
|
|
return path, nil
|
|
|
|
|
}
|
|
|
|
|
// we have path that start with \??\
|
|
|
|
|
s := path[4:]
|
|
|
|
|
switch {
|
|
|
|
|
case len(s) >= 2 && s[1] == ':': // \??\C:\foo\bar
|
|
|
|
|
return s, nil
|
|
|
|
|
case len(s) >= 4 && s[:4] == `UNC\`: // \??\UNC\foo\bar
|
|
|
|
|
return `\\` + s[4:], nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// handle paths, like \??\Volume{abc}\...
|
|
|
|
|
|
|
|
|
|
err := windows.LoadGetFinalPathNameByHandle()
|
|
|
|
|
if err != nil {
|
|
|
|
|
// we must be using old version of Windows
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
h, err := openSymlink(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
defer syscall.CloseHandle(h)
|
|
|
|
|
|
|
|
|
|
buf := make([]uint16, 100)
|
|
|
|
|
for {
|
|
|
|
|
n, err := windows.GetFinalPathNameByHandle(h, &buf[0], uint32(len(buf)), windows.VOLUME_NAME_DOS)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
if n < uint32(len(buf)) {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
buf = make([]uint16, n)
|
|
|
|
|
}
|
|
|
|
|
s = syscall.UTF16ToString(buf)
|
|
|
|
|
if len(s) > 4 && s[:4] == `\\?\` {
|
|
|
|
|
s = s[4:]
|
|
|
|
|
if len(s) > 3 && s[:3] == `UNC` {
|
|
|
|
|
// return path like \\server\share\...
|
|
|
|
|
return `\` + s[3:], nil
|
|
|
|
|
}
|
|
|
|
|
return s, nil
|
|
|
|
|
}
|
|
|
|
|
return "", errors.New("GetFinalPathNameByHandle returned unexpected path: " + s)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func readlink(path string) (string, error) {
|
|
|
|
|
h, err := openSymlink(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
defer syscall.CloseHandle(h)
|
|
|
|
|
|
|
|
|
|
rdbbuf := make([]byte, syscall.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)
|
|
|
|
|
var bytesReturned uint32
|
|
|
|
|
err = syscall.DeviceIoControl(h, syscall.FSCTL_GET_REPARSE_POINT, nil, 0, &rdbbuf[0], uint32(len(rdbbuf)), &bytesReturned, nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rdb := (*windows.REPARSE_DATA_BUFFER)(unsafe.Pointer(&rdbbuf[0]))
|
|
|
|
|
switch rdb.ReparseTag {
|
|
|
|
|
case syscall.IO_REPARSE_TAG_SYMLINK:
|
|
|
|
|
rb := (*windows.SymbolicLinkReparseBuffer)(unsafe.Pointer(&rdb.DUMMYUNIONNAME))
|
|
|
|
|
s := rb.Path()
|
|
|
|
|
if rb.Flags&windows.SYMLINK_FLAG_RELATIVE != 0 {
|
|
|
|
|
return s, nil
|
|
|
|
|
}
|
|
|
|
|
return normaliseLinkPath(s)
|
|
|
|
|
case windows.IO_REPARSE_TAG_MOUNT_POINT:
|
|
|
|
|
return normaliseLinkPath((*windows.MountPointReparseBuffer)(unsafe.Pointer(&rdb.DUMMYUNIONNAME)).Path())
|
|
|
|
|
default:
|
|
|
|
|
// the path is not a symlink or junction but another type of reparse
|
|
|
|
|
// point
|
|
|
|
|
return "", syscall.ENOENT
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Readlink returns the destination of the named symbolic link.
|
|
|
|
|
// If there is an error, it will be of type *PathError.
|
|
|
|
|
func Readlink(name string) (string, error) {
|
|
|
|
|
s, err := readlink(fixLongPath(name))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", &PathError{"readlink", name, err}
|
|
|
|
|
}
|
|
|
|
|
return s, nil
|
|
|
|
|
}
|