Commit Graph

20 Commits

Author SHA1 Message Date
Mahmoud Al-Qudsi
589639a87d Replace C++-style \p with Markdown backticks
quick_replace '\\\\p ([a-zA-Z0-9_]+)' '`$1`' src/

Filtered to only lines beginning with //
2024-05-06 14:59:23 -05:00
Johannes Altmanninger
e01fc62d69 Don't leak encoding of invalid codepoints into uvar file
When we read bytes like \xfc that don't produce a Unicode code point,
we encode them in a Unicode private use area.
This encoding should be transparent to the user.

We accidentally add it to uvar files as \uf6fc in this case.  When reading
it back, read_unquoted_escape() will fail at the "fish_reserved_codepoint(c)"
check. This check is to avoid external input being misinterpreted
as one of our in-band signalling characters like ANY_CHAR (for *).

For encoded raw bytes, this check probably doesn't really matter in terms of
security because the only thing we do with these bytes is convert them back
to raw. So we could allow unescaping them at this point, thus supporting
old uvar files.

However that seems like the wrong direction. PUA encoding should never leak.
So let's instead make sure to serialize it as \xfc instead of \f6fc going
forward.

Fixes #10313
2024-04-14 07:59:42 +02:00
Mahmoud Al-Qudsi
0ca199ef98 Change wopen_cloexec() to return File 2024-03-23 01:34:23 -05:00
Mahmoud Al-Qudsi
6f9f9ee400 Use bitflags contains() instead of intersects()
`intersects()` is "any of" while `contains()` is "all of" and while it makes no
difference when testing a single bit, I believe `contains()` is less brittle
for future maintenance and updates as its meaning is clearer.

</pedantic>
2024-03-23 00:24:31 -05:00
Mahmoud Al-Qudsi
6ed4d09c93 Switch more to File/BorrowedFd from OwnedFd/RawFd
More work in prep for having wopen_cloexec() return `File` directly.

This eliminates checking for an invalid fd and makes both ownership and
mutability clear (some more operations that involve changes to the underlying
state of the fd now require `&mut File` instead of just a `RawFd`).

Code that clearly does not use non-blocking IO is ported to use
`Write::write_all()` directly instead of our rusty port of the `write_loop()`
function (which handles EAGAIN/EWOULDBLOCK in addition to EINTR, while
`write_all()` only handles the latter).
2024-03-23 00:01:57 -05:00
Mahmoud Al-Qudsi
decf99f71b
Use File instead of OwnedFd in a few places (#10355)
This is a step towards converting `wopen_cloexec()` to return `File` instead of
`OwnedFd`/`AutocloseFd`.¹

In addition to letting us use native standard library functions instead of
unsafe libc calls, we gain additional semantic safety because `File` operations
that manipulate the state of the fd (e.g. `File::seek()`) require a `&mut`
reference to the `File`, whereas using `RawFd` or `OwnedFd` everywhere leaves us
in a position where it's not clear whether or not other references to the same
fd will manipulate its underlying state.

¹ We actually wouldn't even need `wopen_cloexec()` at all (just a widechar
wrapper) as Rust's native `File::open()`/`File::create()` functionality uses
`FD_CLOEXEC` internally.
2024-03-17 11:20:44 -05:00
Mahmoud Al-Qudsi
3f6b009870 Only update env_universal self.last_read_file on success
I don't think the existing logic is correct, as the comment says, our internal
state is only matched if we *actually* wrote out the file. But if we ran into an
error, it doesn't match, does it?
2024-03-10 09:49:54 +01:00
Bartłomiej Maryńczak
d5cde80447
Use Result for write_to_fd return value (#10308) 2024-03-09 21:29:50 -06:00
Mahmoud Al-Qudsi
e6687dc61f Make open_temporary_file() fallible again
I was under the apparently mistaken impression that `FLOG!(error, ...)`
triggered an abort when I committed 58a6eb6e45.
2024-03-09 21:21:29 -06:00
Mahmoud Al-Qudsi
6d30363090 Simplify control flow in env_universal_common::save() 2024-03-09 15:21:47 -06:00
Mahmoud Al-Qudsi
58a6eb6e45 Convert fish_mkstemp_cloexec() to return an OwnedFd 2024-03-09 15:21:47 -06:00
Mahmoud Al-Qudsi
50ff6b8a34 Remove using statements already imported by preludes 2024-02-28 09:41:51 -06:00
Mahmoud Al-Qudsi
99bd2e71d0 Unify how file mode is specified
The lines of code I commented on in #10254 were meant to serve only as examples
of the changes I was requesting, not the only instances.

Also just use `Mode::from_bits_truncate()` instead of unsafe or unwrapping since
we know the modes are correct.
2024-01-28 18:09:52 -06:00
PolyMeilex
6ef8125c96 Return OwnedFd from open_cloexec 2024-01-27 20:42:13 +01:00
PolyMeilex
2512849ece Use nix OFlag for open_cloexec 2024-01-27 20:42:13 +01:00
PolyMeilex
6915aeb44c Use nix mode for open_cloexec 2024-01-27 20:42:13 +01:00
PolyMeilex
23301e4895 Return Result from wopen_cloexec 2024-01-27 20:42:13 +01:00
ridiculousfish
9747ab19d1 Eliminate UVAR_FILE_SET_MTIME_HACK checks
This was previously limited to Linux predicated on the existence
of certain headers, but Rust just exposes those functions unconditionally. So
remove the check and just perform the mtime hack on Linux and Android.
2024-01-19 09:33:33 -08:00
ridiculousfish
70ed4806b4 Use libc O_EXLOCK instead of our own
Rust libc supports O_EXLOCK on supported platforms (BSD/macOS), use that instead
of re-exposing it.
2024-01-19 09:33:33 -08:00
Johannes Altmanninger
3ae20bdba0 Move fish-rust to project root 2024-01-13 03:58:33 +01:00