1 /* This program is free software; you can redistribute it and/or modify
2 it under the terms of the GNU General Public License as published by
3 the Free Software Foundation; either version 2, or (at your option)
6 This program is distributed in the hope that it will be useful,
7 but WITHOUT ANY WARRANTY; without even the implied warranty of
8 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 GNU General Public License for more details. */
23 int server_active = 0;
25 #if defined (SERVER_SUPPORT) || defined (CLIENT_SUPPORT)
27 # include "log-buffer.h"
28 # include "ms-buffer.h"
29 #endif /* defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT) */
31 #if defined (HAVE_GSSAPI) && defined (SERVER_SUPPORT)
32 # include "canon-host.h"
33 # include "gssapi-client.h"
35 /* This stuff isn't included solely with SERVER_SUPPORT since some of these
36 * functions (encryption & the like) get compiled with or without server
39 * FIXME - They should be in a different file.
41 /* We use Kerberos 5 routines to map the GSSAPI credential to a user
45 static void gserver_authenticate_connection (void);
47 /* Whether we are already wrapping GSSAPI communication. */
48 static int cvs_gssapi_wrapping;
50 #endif /* defined (HAVE_GSSAPI) && defined (SERVER_SUPPORT) */
54 extern char *server_hostname;
56 # if defined (AUTH_SERVER_SUPPORT) || defined (HAVE_KERBEROS) || defined (HAVE_GSSAPI)
57 # include <sys/socket.h>
62 # ifndef LOG_DAEMON /* for ancient syslogs */
65 # endif /* HAVE_SYSLOG_H */
68 # include <netinet/in.h>
70 # ifndef HAVE_KRB_GET_ERR_TEXT
71 # define krb_get_err_text(status) krb_err_txt[status]
74 /* Information we need if we are going to use Kerberos encryption. */
75 static C_Block kblock;
76 static Key_schedule sched;
78 # endif /* HAVE_KERBEROS */
84 # define O_NONBLOCK O_NDELAY
87 /* For initgroups(). */
90 # endif /* HAVE_INITGROUPS */
92 # ifdef AUTH_SERVER_SUPPORT
98 /* The cvs username sent by the client, which might or might not be
99 the same as the system username the server eventually switches to
100 run as. CVS_Username gets set iff password authentication is
102 char *CVS_Username = NULL;
104 /* Used to check that same repos is transmitted in pserver auth and in
105 later CVS protocol. Exported because root.c also uses. */
106 static char *Pserver_Repos = NULL;
108 # endif /* AUTH_SERVER_SUPPORT */
111 # if defined(HAVE_SECURITY_PAM_APPL_H)
112 # include <security/pam_appl.h>
113 # elif defined(HAVE_PAM_PAM_APPL_H)
114 # include <pam/pam_appl.h>
117 static pam_handle_t *pamh = NULL;
119 static char *pam_username;
120 static char *pam_password;
121 # endif /* HAVE_PAM */
125 /* While processing requests, this buffer accumulates data to be sent to
126 the client, and then once we are in do_cvs_command, we use it
127 for all the data to be sent. */
128 static struct buffer *buf_to_net;
130 /* This buffer is used to read input from the client. */
131 static struct buffer *buf_from_net;
135 # ifdef PROXY_SUPPORT
136 /* These are the secondary log buffers so that we can disable them after
137 * creation, when it is determined that they are unneeded, regardless of what
138 * other filters have been prepended to the buffer chain.
140 static struct buffer *proxy_log;
141 static struct buffer *proxy_log_out;
143 /* Set while we are reprocessing a log so that we can avoid sending responses
144 * to some requests twice.
146 static bool reprocessing;
147 # endif /* PROXY_SUPPORT */
151 /* Arguments storage for `Argument' & `Argumentx' requests. */
152 static int argument_count;
153 static char **argument_vector;
154 static int argument_vector_size;
157 * This is where we stash stuff we are going to use. Format string
158 * which expects a single directory within it, starting with a slash.
160 static char *server_temp_dir;
162 /* This is the original value of server_temp_dir, before any possible
163 changes inserted by serve_max_dotdot. */
164 static char *orig_server_temp_dir;
166 /* Nonzero if we should keep the temp directory around after we exit. */
167 static int dont_delete_temp;
169 static void server_write_entries (void);
175 /* Populate all of the directories between BASE_DIR and its relative
176 subdirectory DIR with CVSADM directories. Return 0 for success or
179 create_adm_p (char *base_dir, char *dir)
181 char *dir_where_cvsadm_lives, *dir_to_register, *p, *tmp;
185 if (strcmp (dir, ".") == 0)
186 return 0; /* nothing to do */
188 /* Allocate some space for our directory-munging string. */
189 p = xmalloc (strlen (dir) + 1);
193 dir_where_cvsadm_lives = xmalloc (strlen (base_dir) + strlen (dir) + 100);
194 if (dir_where_cvsadm_lives == NULL)
200 /* Allocate some space for the temporary string in which we will
201 construct filenames. */
202 tmp = xmalloc (strlen (base_dir) + strlen (dir) + 100);
206 free (dir_where_cvsadm_lives);
211 /* We make several passes through this loop. On the first pass,
212 we simply create the CVSADM directory in the deepest directory.
213 For each subsequent pass, we try to remove the last path
214 element from DIR, create the CVSADM directory in the remaining
215 pathname, and register the subdirectory in the newly created
221 strcpy (dir_where_cvsadm_lives, base_dir);
222 strcat (dir_where_cvsadm_lives, "/");
223 strcat (dir_where_cvsadm_lives, p);
224 dir_to_register = NULL;
229 (void) sprintf (tmp, "%s/%s", dir_where_cvsadm_lives, CVSADM);
230 if ((CVS_MKDIR (tmp, 0777) < 0) && (errno != EEXIST))
236 /* Create CVSADM_REP. */
237 (void) sprintf (tmp, "%s/%s", dir_where_cvsadm_lives, CVSADM_REP);
240 /* Use Emptydir as the placeholder until the client sends
241 us the real value. This code is similar to checkout.c
242 (emptydir_name), but the code below returns errors
246 empty = xmalloc (strlen (current_parsed_root->directory)
247 + sizeof (CVSROOTADM)
248 + sizeof (CVSNULLREPOS)
256 /* Create the directory name. */
257 (void) sprintf (empty, "%s/%s/%s", current_parsed_root->directory,
258 CVSROOTADM, CVSNULLREPOS);
260 /* Create the directory if it doesn't exist. */
261 if (! isfile (empty))
264 omask = umask (cvsumask);
265 if (CVS_MKDIR (empty, 0777) < 0)
271 (void) umask (omask);
274 f = CVS_FOPEN (tmp, "w");
281 /* Write the directory name to CVSADM_REP. */
282 if (fprintf (f, "%s\n", empty) < 0)
289 if (fclose (f) == EOF)
296 /* Clean up after ourselves. */
300 /* Create CVSADM_ENT. We open in append mode because we
301 don't want to clobber an existing Entries file. */
302 (void) sprintf (tmp, "%s/%s", dir_where_cvsadm_lives, CVSADM_ENT);
303 f = CVS_FOPEN (tmp, "a");
309 if (fclose (f) == EOF)
315 if (dir_to_register != NULL)
317 /* FIXME: Yes, this results in duplicate entries in the
318 Entries.Log file, but it doesn't currently matter. We
319 might need to change this later on to make sure that we
320 only write one entry. */
322 Subdir_Register (NULL, dir_where_cvsadm_lives, dir_to_register);
328 dir_to_register = strrchr (p, '/');
329 if (dir_to_register == NULL)
332 strcpy (dir_where_cvsadm_lives, base_dir);
337 *dir_to_register = '\0';
339 strcpy (dir_where_cvsadm_lives, base_dir);
340 strcat (dir_where_cvsadm_lives, "/");
341 strcat (dir_where_cvsadm_lives, p);
347 free (dir_where_cvsadm_lives);
355 * Make directory DIR, including all intermediate directories if necessary.
356 * Returns 0 for success or errno code.
362 char *q = xmalloc (strlen (dir) + 1);
371 * Skip over leading slash if present. We won't bother to try to
377 while (*p != '/' && *p != '\0')
381 strncpy (q, dir, p - dir);
383 if (q[p - dir - 1] != '/' && CVS_MKDIR (q, 0777) < 0)
385 int saved_errno = errno;
387 if (saved_errno != EEXIST
388 && ((saved_errno != EACCES && saved_errno != EROFS)
391 retval = saved_errno;
399 if (CVS_MKDIR (dir, 0777) < 0)
412 * Print the error response for error code STATUS. The caller is
413 * reponsible for making sure we get back to the command loop without
414 * any further output occuring.
415 * Must be called only in contexts where it is OK to send output.
418 print_error (int status)
423 buf_output0 (buf_to_net, "error ");
424 msg = strerror (status);
427 sprintf (tmpstr, "unknown error %d", status);
430 buf_output0 (buf_to_net, msg);
431 buf_append_char (buf_to_net, '\n');
433 buf_flush (buf_to_net, 0);
438 static int pending_error;
440 * Malloc'd text for pending error. Each line must start with "E ". The
441 * last line should not end with a newline.
443 static char *pending_error_text;
444 static char *pending_warning_text;
446 /* If an error is pending, print it and return 1. If not, return 0.
447 Also prints pending warnings, but this does not affect the return value.
448 Must be called only in contexts where it is OK to send output. */
450 print_pending_error (void)
452 /* Check this case first since it usually means we are out of memory and
453 * the buffer output routines might try and allocate memory.
455 if (!pending_error_text && pending_error)
457 print_error (pending_error);
462 if (pending_warning_text)
464 buf_output0 (buf_to_net, pending_warning_text);
465 buf_append_char (buf_to_net, '\n');
466 buf_flush (buf_to_net, 0);
468 free (pending_warning_text);
469 pending_warning_text = NULL;
472 if (pending_error_text)
474 buf_output0 (buf_to_net, pending_error_text);
475 buf_append_char (buf_to_net, '\n');
477 print_error (pending_error);
479 buf_output0 (buf_to_net, "error \n");
481 buf_flush (buf_to_net, 0);
484 free (pending_error_text);
485 pending_error_text = NULL;
494 /* Is an error pending? */
495 # define error_pending() (pending_error || pending_error_text)
496 # define warning_pending() (pending_warning_text)
498 /* Allocate SIZE bytes for pending_error_text and return nonzero
499 if we could do it. */
501 alloc_pending_internal (char **dest, size_t size)
503 *dest = malloc (size);
506 pending_error = ENOMEM;
514 /* Allocate SIZE bytes for pending_error_text and return nonzero
515 if we could do it. */
517 alloc_pending (size_t size)
519 if (error_pending ())
520 /* Probably alloc_pending callers will have already checked for
521 this case. But we might as well handle it if they don't, I
524 return alloc_pending_internal (&pending_error_text, size);
529 /* Allocate SIZE bytes for pending_error_text and return nonzero
530 if we could do it. */
532 alloc_pending_warning (size_t size)
534 if (warning_pending ())
535 /* Warnings can be lost here. */
537 return alloc_pending_internal (&pending_warning_text, size);
543 supported_response (char *name)
547 for (rs = responses; rs->name != NULL; ++rs)
548 if (strcmp (rs->name, name) == 0)
549 return rs->status == rs_supported;
550 error (1, 0, "internal error: testing support for unknown response?");
558 * Return true if we need to relay write requests to a primary server
559 * and false otherwise.
563 * - primarily handles :ext: method as this seems most likely to be used in
566 * - :fork: method is handled for testing.
568 * - Could handle pserver too, but would have to store the password
569 * the client sent us.
573 * config->PrimaryServer
574 * The parsed setting from CVSROOT/config, if any, or
576 * current_parsed_root The current repository.
579 * true If this server is configured as a secondary server.
585 assert (current_parsed_root);
588 *** The following is done as a series of if/return combinations an an
592 /* If there is no primary server defined in CVSROOT/config, then we can't
595 if (!config || !config->PrimaryServer) return false;
597 /* The directory must not match for all methods. */
598 if (!isSamePath (config->PrimaryServer->directory,
599 current_parsed_root->directory))
602 /* Only the directory is important for fork. */
603 if (config->PrimaryServer->method == fork_method)
606 /* Must be :ext: method, then. This is enforced when CVSROOT/config is
609 assert (config->PrimaryServer->isremote);
611 if (isThisHost (config->PrimaryServer->hostname))
620 serve_valid_responses (char *arg)
626 # ifdef PROXY_SUPPORT
627 /* Process this in the first pass since the data it gathers can be used
628 * prior to a `Root' request.
630 if (reprocessing) return;
631 # endif /* PROXY_SUPPORT */
638 for (rs = responses; rs->name != NULL; ++rs)
640 if (strcmp (rs->name, p) == 0)
643 if (rs->name == NULL)
645 * It is a response we have never heard of (and thus never
646 * will want to use). So don't worry about it.
650 rs->status = rs_supported;
653 for (rs = responses; rs->name != NULL; ++rs)
655 if (rs->status == rs_essential)
657 buf_output0 (buf_to_net, "E response `");
658 buf_output0 (buf_to_net, rs->name);
659 buf_output0 (buf_to_net, "' not supported by client\nerror \n");
661 /* FIXME: This call to buf_flush could conceivably
662 cause deadlock, as noted in server_cleanup. */
663 buf_flush (buf_to_net, 1);
667 else if (rs->status == rs_optional)
668 rs->status = rs_not_supported;
675 * Process IDs of the subprocess, or negative if that subprocess
678 static pid_t command_pid;
681 outbuf_memory_error (struct buffer *buf)
683 static const char msg[] = "E Fatal server error\n\
684 error ENOMEM Virtual memory exhausted.\n";
686 kill (command_pid, SIGTERM);
689 * We have arranged things so that printing this now either will
690 * be valid, or the "E fatal error" line will get glommed onto the
691 * end of an existing "E" or "M" response.
694 /* If this gives an error, not much we could do. syslog() it? */
695 write (STDOUT_FILENO, msg, sizeof (msg) - 1);
696 # ifdef HAVE_SYSLOG_H
697 syslog (LOG_DAEMON | LOG_ERR, "virtual memory exhausted");
698 # endif /* HAVE_SYSLOG_H */
705 input_memory_error (struct buffer *buf)
707 outbuf_memory_error (buf);
712 # ifdef PROXY_SUPPORT
713 /* This function rewinds the net connection using the write proxy log file.
716 * proxy_log The buffer object containing the write proxy log.
722 rewind_buf_from_net (void)
728 /* Free the arguments since we processed some of them in the first pass.
731 /* argument_vector[0] is a dummy argument, we don't mess with
735 for (cp = argument_vector + 1;
736 cp < argument_vector + argument_count;
743 log = log_buffer_rewind (proxy_log);
745 /* Dispose of any read but unused data in the net buffer since it will
746 * already be in the log.
748 buf_free_data (buf_from_net);
749 buf_from_net = ms_buffer_initialize (outbuf_memory_error, log,
753 # endif /* PROXY_SUPPORT */
762 * This request cannot be ignored by a potential secondary since it is used to
763 * determine if we _are_ a secondary.
766 serve_root (char *arg)
770 TRACE (TRACE_FUNCTION, "serve_root (%s)", arg ? arg : "(null)");
772 /* Don't process this twice or when errors are pending. */
774 # ifdef PROXY_SUPPORT
776 # endif /* PROXY_SUPPORT */
779 if (!ISABSOLUTE (arg))
781 if (alloc_pending (80 + strlen (arg)))
782 sprintf (pending_error_text,
783 "E Root %s must be an absolute pathname", arg);
787 /* Sending "Root" twice is invalid.
789 The other way to handle a duplicate Root requests would be as a
790 request to clear out all state and start over as if it was a
791 new connection. Doing this would cause interoperability
792 headaches, so it should be a different request, if there is
793 any reason why such a feature is needed. */
794 if (current_parsed_root != NULL)
796 if (alloc_pending (80 + strlen (arg)))
797 sprintf (pending_error_text,
798 "E Protocol error: Duplicate Root request, for %s", arg);
802 /* Set original_parsed_root here, not because it can be changed in the
803 * client Redirect sense, but so we don't have to switch in code that
804 * runs in both modes to decide which to print.
806 original_parsed_root = current_parsed_root = local_cvsroot (arg);
808 # ifdef AUTH_SERVER_SUPPORT
809 if (Pserver_Repos != NULL)
811 if (strcmp (Pserver_Repos, current_parsed_root->directory) != 0)
813 if (alloc_pending (80 + strlen (Pserver_Repos)
814 + strlen (current_parsed_root->directory)))
815 /* The explicitness is to aid people who are writing clients.
816 I don't see how this information could help an
818 sprintf (pending_error_text, "\
819 E Protocol error: Root says \"%s\" but pserver says \"%s\"",
820 current_parsed_root->directory, Pserver_Repos);
826 /* For pserver, this will already have happened, and the call will do
827 nothing. But for rsh, we need to do it now. */
828 config = get_root_allow_config (current_parsed_root->directory,
831 # ifdef PROXY_SUPPORT
832 /* At this point we have enough information to determine if we are a
833 * secondary server or not.
835 if (proxy_log && !isProxyServer ())
837 /* Else we are not a secondary server. There is no point in
838 * reprocessing since we handle all the requests we can receive
839 * before `Root' as we receive them. But close the logs.
841 log_buffer_closelog (proxy_log);
842 log_buffer_closelog (proxy_log_out);
845 * Don't need this. We assume it when proxy_log == NULL.
847 * proxy_log_out = NULL;
850 # endif /* PROXY_SUPPORT */
852 /* Now set the TMPDIR environment variable. If it was set in the config
853 * file, we now know it.
855 push_env_temp_dir ();
857 /* OK, now figure out where we stash our temporary files. */
861 /* The code which wants to chdir into server_temp_dir is not set
862 * up to deal with it being a relative path. So give an error
865 if (!ISABSOLUTE (get_cvs_tmp_dir ()))
867 if (alloc_pending (80 + strlen (get_cvs_tmp_dir ())))
868 sprintf (pending_error_text,
869 "E Value of %s for TMPDIR is not absolute",
872 /* FIXME: we would like this error to be persistent, that
873 * is, not cleared by print_pending_error. The current client
874 * will exit as soon as it gets an error, but the protocol spec
875 * does not require a client to do so.
883 server_temp_dir = xmalloc (strlen (get_cvs_tmp_dir ()) + 80);
884 if (!server_temp_dir)
886 /* Strictly speaking, we're not supposed to output anything
887 * now. But we're about to exit(), give it a try.
889 printf ("E Fatal server error, aborting.\n\
890 error ENOMEM Virtual memory exhausted.\n");
894 strcpy (server_temp_dir, get_cvs_tmp_dir ());
896 /* Remove a trailing slash from TMPDIR if present. */
897 p = server_temp_dir + strlen (server_temp_dir) - 1;
901 /* I wanted to use cvs-serv/PID, but then you have to worry about
902 * the permissions on the cvs-serv directory being right. So
905 strcat (server_temp_dir, "/cvs-serv");
907 p = server_temp_dir + strlen (server_temp_dir);
908 sprintf (p, "%ld", (long) getpid ());
910 orig_server_temp_dir = server_temp_dir;
912 /* Create the temporary directory, and set the mode to
913 * 700, to discourage random people from tampering with
916 while ((status = mkdir_p (server_temp_dir)) == EEXIST)
918 static const char suffix[] = "abcdefghijklmnopqrstuvwxyz";
920 if (i >= sizeof suffix - 1) break;
921 if (i == 0) p = server_temp_dir + strlen (server_temp_dir);
927 if (alloc_pending (80 + strlen (server_temp_dir)))
928 sprintf (pending_error_text,
929 "E can't create temporary directory %s",
931 pending_error = status;
934 else if (chmod (server_temp_dir, S_IRWXU) < 0)
936 int save_errno = errno;
937 if (alloc_pending (80 + strlen (server_temp_dir)))
938 sprintf (pending_error_text,
939 "E cannot change permissions on temporary directory %s",
941 pending_error = save_errno;
944 else if (CVS_CHDIR (server_temp_dir) < 0)
946 int save_errno = errno;
947 if (alloc_pending (80 + strlen (server_temp_dir)))
948 sprintf (pending_error_text,
949 "E cannot change to temporary directory %s",
951 pending_error = save_errno;
956 /* Now that we have a config, verify our compression level. Since
957 * most clients do not send Gzip-stream requests until after the root
958 * request, wait until the first request following Root to verify that
959 * compression is being used when level 0 is not allowed.
965 if (gzip_level < config->MinCompressionLevel)
967 gzip_level = config->MinCompressionLevel;
971 if (gzip_level > config->MaxCompressionLevel)
973 gzip_level = config->MaxCompressionLevel;
978 && alloc_pending_warning (120 + strlen (program_name)))
979 sprintf (pending_warning_text,
980 "E %s server: Forcing compression level %d (allowed: %d <= z <= %d).",
981 program_name, gzip_level, config->MinCompressionLevel,
982 config->MaxCompressionLevel);
985 path = xmalloc (strlen (current_parsed_root->directory)
986 + sizeof (CVSROOTADM)
990 pending_error = ENOMEM;
993 (void) sprintf (path, "%s/%s", current_parsed_root->directory, CVSROOTADM);
994 if (!isaccessible (path, R_OK | X_OK))
996 int save_errno = errno;
997 if (alloc_pending (80 + strlen (path)))
998 sprintf (pending_error_text, "E Cannot access %s", path);
999 pending_error = save_errno;
1003 setenv (CVSROOT_ENV, current_parsed_root->directory, 1);
1008 static int max_dotdot_limit = 0;
1010 /* Is this pathname OK to recurse into when we are running as the server?
1011 If not, call error() with a fatal error. */
1013 server_pathname_check (char *path)
1015 TRACE (TRACE_FUNCTION, "server_pathname_check (%s)",
1016 path ? path : "(null)");
1018 /* An absolute pathname is almost surely a path on the *client* machine,
1019 and is unlikely to do us any good here. It also is probably capable
1020 of being a security hole in the anonymous readonly case. */
1021 if (ISABSOLUTE (path))
1022 /* Giving an error is actually kind of a cop-out, in the sense
1023 that it would be nice for "cvs co -d /foo/bar/baz" to work.
1024 A quick fix in the server would be requiring Max-dotdot of
1025 at least one if pathnames are absolute, and then putting
1026 /abs/foo/bar/baz in the temp dir beside the /d/d/d stuff.
1027 A cleaner fix in the server might be to decouple the
1028 pathnames we pass back to the client from pathnames in our
1029 temp directory (this would also probably remove the need
1030 for Max-dotdot). A fix in the client would have the client
1031 turn it into "cd /foo/bar; cvs co -d baz" (more or less).
1032 This probably has some problems with pathnames which appear
1035 "absolute pathnames invalid for server (specified `%s')",
1037 if (pathname_levels (path) > max_dotdot_limit)
1039 /* Similar to the ISABSOLUTE case in security implications. */
1040 error (0, 0, "protocol error: `%s' contains more leading ..", path);
1041 error (1, 0, "than the %d which Max-dotdot specified",
1048 /* Is file or directory REPOS an absolute pathname within the
1049 current_parsed_root->directory? If yes, return 0. If no, set pending_error
1052 outside_root (char *repos)
1054 size_t repos_len = strlen (repos);
1055 size_t root_len = strlen (current_parsed_root->directory);
1057 /* ISABSOLUTE (repos) should always be true, but
1058 this is a good security precaution regardless. -DRP
1060 if (!ISABSOLUTE (repos))
1062 if (alloc_pending (repos_len + 80))
1063 sprintf (pending_error_text, "\
1064 E protocol error: %s is not absolute", repos);
1068 if (repos_len < root_len
1069 || strncmp (current_parsed_root->directory, repos, root_len) != 0)
1072 if (alloc_pending (strlen (current_parsed_root->directory)
1075 sprintf (pending_error_text, "\
1076 E protocol error: directory '%s' not within root '%s'",
1077 repos, current_parsed_root->directory);
1080 if (repos_len > root_len)
1082 if (repos[root_len] != '/')
1084 if (pathname_levels (repos + root_len + 1) > 0)
1092 /* Is file or directory FILE outside the current directory (that is, does
1093 it contain '/')? If no, return 0. If yes, set pending_error
1096 outside_dir (char *file)
1098 if (strchr (file, '/') != NULL)
1100 if (alloc_pending (strlen (file)
1102 sprintf (pending_error_text, "\
1103 E protocol error: directory '%s' not within current directory",
1113 * Add as many directories to the temp directory as the client tells us it
1114 * will use "..", so we never try to access something outside the temp
1115 * directory via "..".
1118 serve_max_dotdot (char *arg)
1120 int lim = atoi (arg);
1124 #ifdef PROXY_SUPPORT
1125 if (proxy_log) return;
1126 #endif /* PROXY_SUPPORT */
1128 if (lim < 0 || lim > 10000)
1130 p = xmalloc (strlen (server_temp_dir) + 2 * lim + 10);
1133 pending_error = ENOMEM;
1136 strcpy (p, server_temp_dir);
1137 for (i = 0; i < lim; ++i)
1139 if (server_temp_dir != orig_server_temp_dir)
1140 free (server_temp_dir);
1141 server_temp_dir = p;
1142 max_dotdot_limit = lim;
1147 static char *gDirname;
1148 static char *gupdate_dir;
1151 dirswitch (char *dir, char *repos)
1157 TRACE (TRACE_FUNCTION, "dirswitch (%s, %s)", dir ? dir : "(null)",
1158 repos ? repos : "(null)");
1160 server_write_entries ();
1162 if (error_pending()) return;
1164 /* Check for bad directory name.
1166 FIXME: could/should unify these checks with server_pathname_check
1167 except they need to report errors differently. */
1168 if (ISABSOLUTE (dir))
1170 if (alloc_pending (80 + strlen (dir)))
1171 sprintf ( pending_error_text,
1172 "E absolute pathnames invalid for server (specified `%s')",
1176 if (pathname_levels (dir) > max_dotdot_limit)
1178 if (alloc_pending (80 + strlen (dir)))
1179 sprintf (pending_error_text,
1180 "E protocol error: `%s' has too many ..", dir);
1184 dir_len = strlen (dir);
1186 /* Check for a trailing '/'. This is not ISSLASH because \ in the
1187 protocol is an ordinary character, not a directory separator (of
1188 course, it is perhaps unwise to use it in directory names, but that
1189 is another issue). */
1191 && dir[dir_len - 1] == '/')
1193 if (alloc_pending (80 + dir_len))
1194 sprintf (pending_error_text,
1195 "E protocol error: invalid directory syntax in %s", dir);
1199 if (gDirname != NULL)
1201 if (gupdate_dir != NULL)
1204 if (!strcmp (dir, "."))
1205 gupdate_dir = xstrdup ("");
1207 gupdate_dir = xstrdup (dir);
1209 gDirname = xmalloc (strlen (server_temp_dir) + dir_len + 40);
1210 if (gDirname == NULL)
1212 pending_error = ENOMEM;
1216 strcpy (gDirname, server_temp_dir);
1217 strcat (gDirname, "/");
1218 strcat (gDirname, dir);
1220 status = mkdir_p (gDirname);
1222 && status != EEXIST)
1224 if (alloc_pending (80 + strlen (gDirname)))
1225 sprintf (pending_error_text, "E cannot mkdir %s", gDirname);
1226 pending_error = status;
1230 /* We need to create adm directories in all path elements because
1231 we want the server to descend them, even if the client hasn't
1232 sent the appropriate "Argument xxx" command to match the
1233 already-sent "Directory xxx" command. See recurse.c
1234 (start_recursion) for a big discussion of this. */
1236 status = create_adm_p (server_temp_dir, dir);
1239 if (alloc_pending (80 + strlen (gDirname)))
1240 sprintf (pending_error_text, "E cannot create_adm_p %s", gDirname);
1241 pending_error = status;
1245 if ( CVS_CHDIR (gDirname) < 0)
1247 int save_errno = errno;
1248 if (alloc_pending (80 + strlen (gDirname)))
1249 sprintf (pending_error_text, "E cannot change to %s", gDirname);
1250 pending_error = save_errno;
1254 * This is pretty much like calling Create_Admin, but Create_Admin doesn't
1255 * report errors in the right way for us.
1257 if ((CVS_MKDIR (CVSADM, 0777) < 0) && (errno != EEXIST))
1259 int save_errno = errno;
1260 if (alloc_pending (80 + strlen (gDirname) + strlen (CVSADM)))
1261 sprintf (pending_error_text,
1262 "E cannot mkdir %s/%s", gDirname, CVSADM);
1263 pending_error = save_errno;
1267 /* The following will overwrite the contents of CVSADM_REP. This
1268 is the correct behavior -- mkdir_p may have written a
1269 placeholder value to this file and we need to insert the
1272 f = CVS_FOPEN (CVSADM_REP, "w");
1275 int save_errno = errno;
1276 if (alloc_pending (80 + strlen (gDirname) + strlen (CVSADM_REP)))
1277 sprintf (pending_error_text,
1278 "E cannot open %s/%s", gDirname, CVSADM_REP);
1279 pending_error = save_errno;
1282 if (fprintf (f, "%s", repos) < 0)
1284 int save_errno = errno;
1285 if (alloc_pending (80 + strlen (gDirname) + strlen (CVSADM_REP)))
1286 sprintf (pending_error_text,
1287 "E error writing %s/%s", gDirname, CVSADM_REP);
1288 pending_error = save_errno;
1292 /* Non-remote CVS handles a module representing the entire tree
1293 (e.g., an entry like ``world -a .'') by putting /. at the end
1294 of the Repository file, so we do the same. */
1295 if (strcmp (dir, ".") == 0
1296 && current_parsed_root != NULL
1297 && current_parsed_root->directory != NULL
1298 && strcmp (current_parsed_root->directory, repos) == 0)
1300 if (fprintf (f, "/.") < 0)
1302 int save_errno = errno;
1303 if (alloc_pending (80 + strlen (gDirname) + strlen (CVSADM_REP)))
1304 sprintf (pending_error_text,
1305 "E error writing %s/%s", gDirname, CVSADM_REP);
1306 pending_error = save_errno;
1311 if (fprintf (f, "\n") < 0)
1313 int save_errno = errno;
1314 if (alloc_pending (80 + strlen (gDirname) + strlen (CVSADM_REP)))
1315 sprintf (pending_error_text,
1316 "E error writing %s/%s", gDirname, CVSADM_REP);
1317 pending_error = save_errno;
1321 if (fclose (f) == EOF)
1323 int save_errno = errno;
1324 if (alloc_pending (80 + strlen (gDirname) + strlen (CVSADM_REP)))
1325 sprintf (pending_error_text,
1326 "E error closing %s/%s", gDirname, CVSADM_REP);
1327 pending_error = save_errno;
1330 /* We open in append mode because we don't want to clobber an
1331 existing Entries file. */
1332 f = CVS_FOPEN (CVSADM_ENT, "a");
1335 int save_errno = errno;
1336 if (alloc_pending (80 + strlen (CVSADM_ENT)))
1337 sprintf (pending_error_text, "E cannot open %s", CVSADM_ENT);
1338 pending_error = save_errno;
1341 if (fclose (f) == EOF)
1343 int save_errno = errno;
1344 if (alloc_pending (80 + strlen (CVSADM_ENT)))
1345 sprintf (pending_error_text, "E cannot close %s", CVSADM_ENT);
1346 pending_error = save_errno;
1354 serve_repository (char *arg)
1356 # ifdef PROXY_SUPPORT
1357 assert (!proxy_log);
1358 # endif /* PROXY_SUPPORT */
1360 if (alloc_pending (80))
1361 strcpy (pending_error_text,
1362 "E Repository request is obsolete; aborted");
1369 serve_directory (char *arg)
1374 TRACE (TRACE_FUNCTION, "serve_directory (%s)", arg ? arg : "(null)");
1377 /* The data needs to be read into the secondary log regardless, but
1378 * processing of anything other than errors is skipped until later.
1380 status = buf_read_line (buf_from_net, &repos, NULL);
1383 if (!ISABSOLUTE (repos))
1387 * FIXME: This is kinda hacky - we should probably only ever store
1388 * and pass SHORT_REPOS (perhaps with the occassional exception
1389 * for optimizations, but many, many functions end up
1390 * deconstructing REPOS to gain SHORT_REPOS anyhow) - the
1391 * CVSROOT portion of REPOS is redundant with
1392 * current_parsed_root->directory - but since this is the way
1393 * things have always been done, changing this will likely involve
1398 short_repos = repos;
1399 repos = Xasprintf ("%s/%s",
1400 current_parsed_root->directory, short_repos);
1404 repos = xstrdup (primary_root_translate (repos));
1407 # ifdef PROXY_SUPPORT
1409 # endif /* PROXY_SUPPORT */
1410 !outside_root (repos))
1411 dirswitch (arg, repos);
1414 else if (status == -2)
1416 pending_error = ENOMEM;
1418 else if (status != 0)
1420 pending_error_text = xmalloc (80 + strlen (arg));
1421 if (pending_error_text == NULL)
1423 pending_error = ENOMEM;
1425 else if (status == -1)
1427 sprintf (pending_error_text,
1428 "E end of file reading mode for %s", arg);
1432 sprintf (pending_error_text,
1433 "E error reading mode for %s", arg);
1434 pending_error = status;
1442 serve_static_directory (char *arg)
1446 if (error_pending ()
1447 # ifdef PROXY_SUPPORT
1449 # endif /* PROXY_SUPPORT */
1452 f = CVS_FOPEN (CVSADM_ENTSTAT, "w+");
1455 int save_errno = errno;
1456 if (alloc_pending (80 + strlen (CVSADM_ENTSTAT)))
1457 sprintf (pending_error_text, "E cannot open %s", CVSADM_ENTSTAT);
1458 pending_error = save_errno;
1461 if (fclose (f) == EOF)
1463 int save_errno = errno;
1464 if (alloc_pending (80 + strlen (CVSADM_ENTSTAT)))
1465 sprintf (pending_error_text, "E cannot close %s", CVSADM_ENTSTAT);
1466 pending_error = save_errno;
1474 serve_sticky (char *arg)
1478 if (error_pending ()
1479 # ifdef PROXY_SUPPORT
1481 # endif /* PROXY_SUPPORT */
1484 f = CVS_FOPEN (CVSADM_TAG, "w+");
1487 int save_errno = errno;
1488 if (alloc_pending (80 + strlen (CVSADM_TAG)))
1489 sprintf (pending_error_text, "E cannot open %s", CVSADM_TAG);
1490 pending_error = save_errno;
1493 if (fprintf (f, "%s\n", arg) < 0)
1495 int save_errno = errno;
1496 if (alloc_pending (80 + strlen (CVSADM_TAG)))
1497 sprintf (pending_error_text, "E cannot write to %s", CVSADM_TAG);
1498 pending_error = save_errno;
1501 if (fclose (f) == EOF)
1503 int save_errno = errno;
1504 if (alloc_pending (80 + strlen (CVSADM_TAG)))
1505 sprintf (pending_error_text, "E cannot close %s", CVSADM_TAG);
1506 pending_error = save_errno;
1514 * Read SIZE bytes from buf_from_net, write them to FILE.
1516 * Currently this isn't really used for receiving parts of a file --
1517 * the file is still sent over in one chunk. But if/when we get
1518 * spiffy in-process gzip support working, perhaps the compressed
1519 * pieces could be sent over as they're ready, if the network is fast
1520 * enough. Or something.
1523 receive_partial_file (size_t size, int file)
1531 status = buf_read_data (buf_from_net, size, &data, &nread);
1535 pending_error = ENOMEM;
1538 pending_error_text = xmalloc (80);
1539 if (pending_error_text == NULL)
1540 pending_error = ENOMEM;
1541 else if (status == -1)
1543 sprintf (pending_error_text,
1544 "E premature end of file from client");
1549 sprintf (pending_error_text,
1550 "E error reading from client");
1551 pending_error = status;
1563 nwrote = write (file, data, nread);
1566 int save_errno = errno;
1567 if (alloc_pending (40))
1568 strcpy (pending_error_text, "E unable to write");
1569 pending_error = save_errno;
1571 /* Read and discard the file data. */
1578 status = buf_read_data (buf_from_net, size, &data, &nread);
1594 /* Receive SIZE bytes, write to filename FILE. */
1596 receive_file (size_t size, char *file, int gzipped)
1601 /* Write the file. */
1602 fd = CVS_OPEN (arg, O_WRONLY | O_CREAT | O_TRUNC, 0600);
1605 int save_errno = errno;
1606 if (alloc_pending (40 + strlen (arg)))
1607 sprintf (pending_error_text, "E cannot open %s", arg);
1608 pending_error = save_errno;
1614 /* Using gunzip_and_write isn't really a high-performance
1615 approach, because it keeps the whole thing in memory
1616 (contiguous memory, worse yet). But it seems easier to
1617 code than the alternative (and less vulnerable to subtle
1618 bugs). Given that this feature is mainly for
1619 compatibility, that is the better tradeoff. */
1621 size_t toread = size;
1625 filebuf = xmalloc (size);
1627 /* If NULL, we still want to read the data and discard it. */
1635 status = buf_read_data (buf_from_net, toread, &data, &nread);
1639 pending_error = ENOMEM;
1642 pending_error_text = xmalloc (80);
1643 if (pending_error_text == NULL)
1644 pending_error = ENOMEM;
1645 else if (status == -1)
1647 sprintf (pending_error_text,
1648 "E premature end of file from client");
1653 sprintf (pending_error_text,
1654 "E error reading from client");
1655 pending_error = status;
1663 if (filebuf != NULL)
1665 memcpy (p, data, nread);
1669 if (filebuf == NULL)
1671 pending_error = ENOMEM;
1675 if (gunzip_and_write (fd, file, (unsigned char *) filebuf, size))
1677 if (alloc_pending (80))
1678 sprintf (pending_error_text,
1679 "E aborting due to compression error");
1684 receive_partial_file (size, fd);
1686 if (pending_error_text)
1688 char *p = xrealloc (pending_error_text,
1689 strlen (pending_error_text) + strlen (arg) + 30);
1692 pending_error_text = p;
1693 sprintf (p + strlen (p), ", file %s", arg);
1695 /* else original string is supposed to be unchanged */
1699 if (close (fd) < 0 && !error_pending ())
1701 int save_errno = errno;
1702 if (alloc_pending (40 + strlen (arg)))
1703 sprintf (pending_error_text, "E cannot close %s", arg);
1704 pending_error = save_errno;
1711 /* Kopt for the next file sent in Modified or Is-modified. */
1714 /* Timestamp (Checkin-time) for next file sent in Modified or
1716 static int checkin_time_valid;
1717 static time_t checkin_time;
1722 * Used to keep track of Entry requests.
1725 struct an_entry *next;
1729 static struct an_entry *entries;
1732 serve_is_modified (char *arg)
1738 /* Have we found this file in "entries" yet. */
1741 if (error_pending ()
1742 # ifdef PROXY_SUPPORT
1744 # endif /* PROXY_SUPPORT */
1747 if (outside_dir (arg))
1750 /* Rewrite entries file to have `M' in timestamp field. */
1752 for (p = entries; p != NULL; p = p->next)
1754 name = p->entry + 1;
1755 cp = strchr (name, '/');
1757 && strlen (arg) == cp - name
1758 && strncmp (arg, name, cp - name) == 0)
1760 if (!(timefield = strchr (cp + 1, '/')) || *++timefield == '\0')
1762 /* We didn't find the record separator or it is followed by
1763 * the end of the string, so just exit.
1765 if (alloc_pending (80))
1766 sprintf (pending_error_text,
1767 "E Malformed Entry encountered.");
1770 /* If the time field is not currently empty, then one of
1771 * serve_modified, serve_is_modified, & serve_unchanged were
1772 * already called for this file. We would like to ignore the
1773 * reinvocation silently or, better yet, exit with an error
1774 * message, but we just avoid the copy-forward and overwrite the
1775 * value from the last invocation instead. See the comment below
1778 if (*timefield == '/')
1780 /* Copy forward one character. Space was allocated for this
1781 * already in serve_entry(). */
1782 cp = timefield + strlen (timefield);
1784 while (cp > timefield)
1790 /* *timefield == '/'; */
1792 /* If *TIMEFIELD wasn't '/' and wasn't '+', we assume that it was
1793 * because of multiple calls to Is-modified & Unchanged by the
1794 * client and just overwrite the value from the last call.
1795 * Technically, we should probably either ignore calls after the
1796 * first or send the client an error, since the client/server
1797 * protocol specification specifies that only one call to either
1798 * Is-Modified or Unchanged is allowed, but broken versions of
1799 * CVSNT (at least 2.0.34 - 2.0.41, reported fixed in 2.0.41a) and
1800 * the WinCVS & TortoiseCVS clients which depend on those broken
1801 * versions of CVSNT (WinCVS 1.3 & at least one TortoiseCVS
1802 * release) rely on this behavior.
1804 if (*timefield != '+')
1809 if (alloc_pending (strlen (name) + 80))
1810 sprintf (pending_error_text,
1811 "E protocol error: both Kopt and Entry for %s",
1823 /* We got Is-modified but no Entry. Add a dummy entry.
1824 The "D" timestamp is what makes it a dummy. */
1825 p = xmalloc (sizeof (struct an_entry));
1828 pending_error = ENOMEM;
1831 p->entry = xmalloc (strlen (arg) + 80);
1832 if (p->entry == NULL)
1834 pending_error = ENOMEM;
1838 strcpy (p->entry, "/");
1839 strcat (p->entry, arg);
1840 strcat (p->entry, "//D/");
1843 strcat (p->entry, kopt);
1847 strcat (p->entry, "/");
1856 serve_modified (char *arg)
1867 * This used to return immediately if error_pending () was true.
1868 * However, that fails, because it causes each line of the file to
1869 * be echoed back to the client as an unrecognized command. The
1870 * client isn't reading from the socket, so eventually both
1871 * processes block trying to write to the other. Now, we try to
1872 * read the file if we can.
1875 status = buf_read_line (buf_from_net, &mode_text, NULL);
1879 pending_error = ENOMEM;
1882 pending_error_text = xmalloc (80 + strlen (arg));
1883 if (pending_error_text == NULL)
1884 pending_error = ENOMEM;
1888 sprintf (pending_error_text,
1889 "E end of file reading mode for %s", arg);
1892 sprintf (pending_error_text,
1893 "E error reading mode for %s", arg);
1894 pending_error = status;
1901 status = buf_read_line (buf_from_net, &size_text, NULL);
1905 pending_error = ENOMEM;
1908 pending_error_text = xmalloc (80 + strlen (arg));
1909 if (pending_error_text == NULL)
1910 pending_error = ENOMEM;
1914 sprintf (pending_error_text,
1915 "E end of file reading size for %s", arg);
1918 sprintf (pending_error_text,
1919 "E error reading size for %s", arg);
1920 pending_error = status;
1927 if (size_text[0] == 'z')
1930 read_size = atoi (size_text + 1);
1933 read_size = atoi (size_text);
1936 if (read_size < 0 && alloc_pending (80))
1938 sprintf (pending_error_text,
1939 "E client sent invalid (negative) file size");
1945 if (error_pending ())
1947 /* Now that we know the size, read and discard the file data. */
1954 status = buf_read_data (buf_from_net, size, &data, &nread);
1964 # ifdef PROXY_SUPPORT
1966 # endif /* PROXY_SUPPORT */
1974 # ifdef PROXY_SUPPORT
1975 proxy_log ? DEVNULL :
1976 # endif /* PROXY_SUPPORT */
1979 if (error_pending ())
1985 # ifdef PROXY_SUPPORT
1986 /* We've read all the data that needed to be read if we're still logging
1987 * for a secondary. Return.
1989 if (proxy_log) return;
1990 # endif /* PROXY_SUPPORT */
1992 if (checkin_time_valid)
1996 memset (&t, 0, sizeof (t));
1997 t.modtime = t.actime = checkin_time;
1998 if (utime (arg, &t) < 0)
2000 int save_errno = errno;
2001 if (alloc_pending (80 + strlen (arg)))
2002 sprintf (pending_error_text, "E cannot utime %s", arg);
2003 pending_error = save_errno;
2007 checkin_time_valid = 0;
2011 int status = change_mode (arg, mode_text, 0);
2015 if (alloc_pending (40 + strlen (arg)))
2016 sprintf (pending_error_text,
2017 "E cannot change mode for %s", arg);
2018 pending_error = status;
2023 /* Make sure that the Entries indicate the right kopt. We probably
2024 could do this even in the non-kopt case and, I think, save a stat()
2025 call in time_stamp_server. But for conservatism I'm leaving the
2026 non-kopt case alone. */
2028 serve_is_modified (arg);
2034 serve_enable_unchanged (char *arg)
2036 # ifdef PROXY_SUPPORT
2037 /* Might as well skip this since this function does nothing anyhow. If
2038 * it did do anything and could generate errors, then the line below would
2039 * be necessary since this can be processed before a `Root' request.
2041 * if (reprocessing) return;
2043 # endif /* PROXY_SUPPORT */
2049 serve_unchanged (char *arg)
2056 if (error_pending ()
2057 # ifdef PROXY_SUPPORT
2059 # endif /* PROXY_SUPPORT */
2062 if (outside_dir (arg))
2065 /* Rewrite entries file to have `=' in timestamp field. */
2066 for (p = entries; p != NULL; p = p->next)
2068 name = p->entry + 1;
2069 cp = strchr (name, '/');
2071 && strlen (arg) == cp - name
2072 && strncmp (arg, name, cp - name) == 0)
2074 if (!(timefield = strchr (cp + 1, '/')) || *++timefield == '\0')
2076 /* We didn't find the record separator or it is followed by
2077 * the end of the string, so just exit.
2079 if (alloc_pending (80))
2080 sprintf (pending_error_text,
2081 "E Malformed Entry encountered.");
2084 /* If the time field is not currently empty, then one of
2085 * serve_modified, serve_is_modified, & serve_unchanged were
2086 * already called for this file. We would like to ignore the
2087 * reinvocation silently or, better yet, exit with an error
2088 * message, but we just avoid the copy-forward and overwrite the
2089 * value from the last invocation instead. See the comment below
2092 if (*timefield == '/')
2094 /* Copy forward one character. Space was allocated for this
2095 * already in serve_entry(). */
2096 cp = timefield + strlen (timefield);
2098 while (cp > timefield)
2104 /* *timefield == '/'; */
2106 if (*timefield != '+')
2108 /* '+' is a conflict marker and we don't want to mess with it
2109 * until Version_TS catches it.
2111 if (timefield[1] != '/')
2113 /* Obliterate anything else in TIMEFIELD. This is again to
2114 * support the broken CVSNT clients mentioned below, in
2115 * conjunction with strict timestamp string boundry
2116 * checking in time_stamp_server() from vers_ts.c &
2117 * file_has_conflict() from subr.c, since the broken
2118 * clients used to send malformed timestamp fields in the
2119 * Entry request that they then depended on the subsequent
2120 * Unchanged request to overwrite.
2122 char *d = timefield + 1;
2123 if ((cp = strchr (d, '/')))
2132 /* If *TIMEFIELD wasn't '/', we assume that it was because of
2133 * multiple calls to Is-modified & Unchanged by the client and
2134 * just overwrite the value from the last call. Technically,
2135 * we should probably either ignore calls after the first or
2136 * send the client an error, since the client/server protocol
2137 * specification specifies that only one call to either
2138 * Is-Modified or Unchanged is allowed, but broken versions of
2139 * CVSNT (at least 2.0.34 - 2.0.41, reported fixed in 2.0.41a)
2140 * and the WinCVS & TortoiseCVS clients which depend on those
2141 * broken versions of CVSNT (WinCVS 1.3 & at least one
2142 * TortoiseCVS release) rely on this behavior.
2154 serve_entry (char *arg)
2161 # ifdef PROXY_SUPPORT
2163 # endif /* PROXY_SUPPORT */
2166 /* Verify that the entry is well-formed. This can avoid problems later.
2167 * At the moment we only check that the Entry contains five slashes in
2168 * approximately the correct locations since some of the code makes
2169 * assumptions about this.
2172 if (*cp == 'D') cp++;
2175 if (!cp || *cp != '/')
2177 if (alloc_pending (80))
2178 sprintf (pending_error_text,
2179 "E protocol error: Malformed Entry");
2182 cp = strchr (cp + 1, '/');
2185 p = xmalloc (sizeof (struct an_entry));
2188 pending_error = ENOMEM;
2191 /* Leave space for serve_unchanged to write '=' if it wants. */
2192 cp = xmalloc (strlen (arg) + 2);
2196 pending_error = ENOMEM;
2208 serve_kopt (char *arg)
2210 if (error_pending ()
2211 # ifdef PROXY_SUPPORT
2213 # endif /* PROXY_SUPPORT */
2219 if (alloc_pending (80 + strlen (arg)))
2220 sprintf (pending_error_text,
2221 "E protocol error: duplicate Kopt request: %s", arg);
2225 /* Do some sanity checks. In particular, that it is not too long.
2226 This lets the rest of the code not worry so much about buffer
2227 overrun attacks. Probably should call RCS_check_kflag here,
2228 but that would mean changing RCS_check_kflag to handle errors
2229 other than via exit(), fprintf(), and such. */
2230 if (strlen (arg) > 10)
2232 if (alloc_pending (80 + strlen (arg)))
2233 sprintf (pending_error_text,
2234 "E protocol error: invalid Kopt request: %s", arg);
2238 kopt = xmalloc (strlen (arg) + 1);
2241 pending_error = ENOMEM;
2250 serve_checkin_time (char *arg)
2254 if (error_pending ()
2255 # ifdef PROXY_SUPPORT
2257 # endif /* PROXY_SUPPORT */
2261 if (checkin_time_valid)
2263 if (alloc_pending (80 + strlen (arg)))
2264 sprintf (pending_error_text,
2265 "E protocol error: duplicate Checkin-time request: %s",
2270 if (!get_date (&t, arg, NULL))
2272 if (alloc_pending (80 + strlen (arg)))
2273 sprintf (pending_error_text, "E cannot parse date %s", arg);
2277 /* Truncate any nanoseconds returned by get_date(). */
2278 checkin_time = t.tv_sec;
2279 checkin_time_valid = 1;
2285 server_write_entries (void)
2291 if (entries == NULL)
2295 /* Note that we free all the entries regardless of errors. */
2296 if (!error_pending ())
2298 /* We open in append mode because we don't want to clobber an
2299 existing Entries file. If we are checking out a module
2300 which explicitly lists more than one file in a particular
2301 directory, then we will wind up calling
2302 server_write_entries for each such file. */
2303 f = CVS_FOPEN (CVSADM_ENT, "a");
2306 int save_errno = errno;
2307 if (alloc_pending (80 + strlen (CVSADM_ENT)))
2308 sprintf (pending_error_text, "E cannot open %s", CVSADM_ENT);
2309 pending_error = save_errno;
2312 for (p = entries; p != NULL;)
2314 if (!error_pending ())
2316 if (fprintf (f, "%s\n", p->entry) < 0)
2318 int save_errno = errno;
2319 if (alloc_pending (80 + strlen(CVSADM_ENT)))
2320 sprintf (pending_error_text,
2321 "E cannot write to %s", CVSADM_ENT);
2322 pending_error = save_errno;
2331 if (f != NULL && fclose (f) == EOF && !error_pending ())
2333 int save_errno = errno;
2334 if (alloc_pending (80 + strlen (CVSADM_ENT)))
2335 sprintf (pending_error_text, "E cannot close %s", CVSADM_ENT);
2336 pending_error = save_errno;
2342 # ifdef PROXY_SUPPORT
2344 * callback proc to run a script when admin finishes.
2347 prepost_proxy_proc (const char *repository, const char *filter, void *closure)
2350 bool *pre = closure;
2352 /* %c = cvs_cmd_name
2356 TRACE (TRACE_FUNCTION, "prepost_proxy_proc (%s, %s, %s)", repository,
2357 filter, *pre ? "pre" : "post");
2360 * Cast any NULL arguments as appropriate pointers as this is an
2361 * stdarg function and we need to be certain the caller gets what
2364 cmdline = format_cmdline (
2365 # ifdef SUPPORT_OLD_INFO_FMT_STRINGS
2367 # endif /* SUPPORT_OLD_INFO_FMT_STRINGS */
2369 "c", "s", cvs_cmd_name,
2370 "R", "s", referrer ? referrer->original : "NONE",
2372 "r", "s", current_parsed_root->directory,
2373 "P", "s", config->PrimaryServer->original,
2376 if (!cmdline || !strlen (cmdline))
2378 if (cmdline) free (cmdline);
2380 error (0, 0, "preadmin proc resolved to the empty string!");
2382 error (0, 0, "postadmin proc resolved to the empty string!");
2386 run_setup (cmdline);
2390 /* FIXME - read the comment in verifymsg_proc() about why we use abs()
2391 * below() and shouldn't.
2393 return abs (run_exec (RUN_TTY, RUN_TTY, RUN_TTY,
2394 RUN_NORMAL | RUN_SIGIGNORE));
2399 /* Become a secondary write proxy to a master server.
2401 * This function opens the connection to the primary, dumps the secondary log
2402 * to the primary, then reads data from any available connection and writes it
2405 * buf_from_net -> buf_to_primary
2406 * buf_from_primary -> buf_to_net
2408 * When all "from" connections have sent EOF and all data has been sent to
2409 * "to" connections, this function closes the "to" pipes and returns.
2414 struct buffer *buf_to_primary;
2415 struct buffer *buf_from_primary;
2417 /* Close the client log and open it for read. */
2418 struct buffer *buf_clientlog = log_buffer_rewind (proxy_log_out);
2419 int status, to_primary_fd, from_primary_fd, to_net_fd, from_net_fd;
2421 /* Call presecondary script. */
2425 size_t thispass, got;
2429 Parse_Info (CVSROOTADM_PREPROXY, current_parsed_root->directory,
2430 prepost_proxy_proc, PIOPT_ALL, &pre);
2432 /* Open connection to primary server. */
2433 open_connection_to_server (config->PrimaryServer, &buf_to_primary,
2435 setup_logfiles ("CVS_SECONDARY_LOG", &buf_to_primary, &buf_from_primary);
2436 if ((status = set_nonblock (buf_from_primary)))
2437 error (1, status, "failed to set nonblocking io from primary");
2438 if ((status = set_nonblock (buf_from_net)))
2439 error (1, status, "failed to set nonblocking io from client");
2440 if ((status = set_nonblock (buf_to_primary)))
2441 error (1, status, "failed to set nonblocking io to primary");
2442 if ((status = set_nonblock (buf_to_net)))
2443 error (1, status, "failed to set nonblocking io to client");
2445 to_primary_fd = buf_get_fd (buf_to_primary);
2446 from_primary_fd = buf_get_fd (buf_from_primary);
2447 to_net_fd = buf_get_fd (buf_to_net);
2448 assert (to_primary_fd >= 0 && from_primary_fd >= 0 && to_net_fd >= 0);
2450 /* Close the client log and open it for read. */
2451 rewind_buf_from_net ();
2453 while (from_primary_fd >= 0 || to_primary_fd >= 0)
2455 fd_set readfds, writefds;
2456 int status, numfds = -1;
2457 struct timeval *timeout_ptr;
2458 struct timeval timeout;
2462 FD_ZERO (&writefds);
2464 /* The fd for a multi-source buffer can change with any read. */
2465 from_net_fd = buf_from_net ? buf_get_fd (buf_from_net) : -1;
2467 if ((buf_from_net && !buf_empty_p (buf_from_net))
2468 || (buf_from_primary && !buf_empty_p (buf_from_primary)))
2470 /* There is data pending so don't block if we don't find any new
2474 timeout.tv_usec = 0;
2475 timeout_ptr = &timeout;
2478 /* block indefinately */
2481 /* Set writefds if data is pending. */
2482 if (to_net_fd >= 0 && !buf_empty_p (buf_to_net))
2484 FD_SET (to_net_fd, &writefds);
2485 numfds = MAX (numfds, to_net_fd);
2487 if (to_primary_fd >= 0 && !buf_empty_p (buf_to_primary))
2489 FD_SET (to_primary_fd, &writefds);
2490 numfds = MAX (numfds, to_primary_fd);
2493 /* Set readfds if descriptors are still open. */
2494 if (from_net_fd >= 0)
2496 FD_SET (from_net_fd, &readfds);
2497 numfds = MAX (numfds, from_net_fd);
2499 if (from_primary_fd >= 0)
2501 FD_SET (from_primary_fd, &readfds);
2502 numfds = MAX (numfds, from_primary_fd);
2505 /* NUMFDS needs to be the highest descriptor + 1 according to the
2511 /* This used to select on exceptions too, but as far
2512 as I know there was never any reason to do that and
2513 SCO doesn't let you select on exceptions on pipes. */
2514 numfds = select (numfds, &readfds, &writefds,
2516 if (numfds < 0 && errno != EINTR)
2518 /* Sending an error to the client, possibly in the middle of a
2519 * separate protocol message, will likely not mean much to the
2520 * client, but it's better than nothing, I guess.
2522 buf_output0 (buf_to_net, "E select failed\n");
2523 print_error (errno);
2524 exit (EXIT_FAILURE);
2526 } while (numfds < 0);
2531 FD_ZERO (&writefds);
2534 if (to_net_fd >= 0 && FD_ISSET (to_net_fd, &writefds))
2536 /* What should we do with errors? syslog() them? */
2537 buf_send_output (buf_to_net);
2538 buf_flush (buf_to_net, false);
2542 if (from_net_fd >= 0 && (FD_ISSET (from_net_fd, &readfds)))
2543 status = buf_input_data (buf_from_net, NULL);
2545 if (buf_from_net && !buf_empty_p (buf_from_net))
2548 buf_append_buffer (buf_to_primary, buf_from_net);
2550 /* (Sys?)log this? */;
2554 if (status == -1 /* EOF */)
2557 /* Need only to shut this down and set to NULL, really, in
2558 * crit sec, to ensure no double-dispose and to make sure
2559 * network pipes are closed as properly as possible, but I
2560 * don't see much optimization potential in saving values and
2561 * postponing the free.
2563 buf_shutdown (buf_from_net);
2564 buf_free (buf_from_net);
2565 buf_from_net = NULL;
2566 /* So buf_to_primary will be closed at the end of this loop. */
2570 else if (status > 0 /* ERRNO */)
2572 buf_output0 (buf_to_net,
2573 "E buf_input_data failed reading from client\n");
2574 print_error (status);
2575 exit (EXIT_FAILURE);
2578 if (to_primary_fd >= 0 && FD_ISSET (to_primary_fd, &writefds))
2580 /* What should we do with errors? syslog() them? */
2581 buf_send_output (buf_to_primary);
2582 buf_flush (buf_to_primary, false);
2586 if (from_primary_fd >= 0 && FD_ISSET (from_primary_fd, &readfds))
2587 status = buf_input_data (buf_from_primary, &toread);
2589 /* Avoid resending data from the server which we already sent to the
2590 * client. Otherwise clients get really confused.
2593 && buf_from_primary && !buf_empty_p (buf_from_primary))
2595 /* Dispose of data we already sent to the client. */
2596 while (buf_clientlog && toread > 0)
2598 s = buf_read_data (buf_clientlog, toread, &data, &got);
2600 error (1, ENOMEM, "Failed to read data.");
2603 buf_shutdown (buf_clientlog);
2604 buf_clientlog = NULL;
2607 error (1, s, "Error reading writeproxy log.");
2611 while (thispass > 0)
2613 /* No need to check for errors here since we know we
2614 * won't read more than buf_input read into
2615 * BUF_FROM_PRIMARY (see how TOREAD is set above).
2617 buf_read_data (buf_from_primary, thispass, &newdata,
2619 /* Verify that we are throwing away what we think we
2622 * It is valid to assume that the secondary and primary
2623 * are closely enough in sync that this portion of the
2624 * communication will be in sync beacuse if they were
2625 * not, then the secondary might provide a
2626 * valid-request string to the client which contained a
2627 * request that the primary didn't support. If the
2628 * client later used the request, the primary server
2629 * would exit anyhow.
2632 * An alternative approach might be to make sure that
2633 * the secondary provides the same string as the
2634 * primary regardless, for purposes like pointing a
2635 * secondary at an unwitting primary, in which case it
2636 * might be useful to have some way to override the
2637 * valid-requests string on a secondary, but it seems
2638 * much easier to simply sync the versions, at the
2641 if (memcmp (data, newdata, got))
2642 error (1, 0, "Secondary out of sync with primary!");
2651 if (buf_from_primary && !buf_empty_p (buf_from_primary))
2654 buf_append_buffer (buf_to_net, buf_from_primary);
2656 /* (Sys?)log this? */;
2660 if (status == -1 /* EOF */)
2662 buf_shutdown (buf_from_primary);
2663 buf_from_primary = NULL;
2664 from_primary_fd = -1;
2666 else if (status > 0 /* ERRNO */)
2668 buf_output0 (buf_to_net,
2669 "E buf_input_data failed reading from primary\n");
2670 print_error (status);
2671 exit (EXIT_FAILURE);
2674 /* If our "source pipe" is closed and all data has been sent, avoid
2675 * selecting it for writability, but don't actually close the buffer in
2676 * case other routines want to use it later. The buffer will be closed
2677 * in server_cleanup ().
2679 if (from_primary_fd < 0
2680 && buf_to_net && buf_empty_p (buf_to_net))
2684 && (/* Assume that there is no further reason to keep the buffer to
2685 * the primary open if we can no longer read its responses.
2687 (from_primary_fd < 0 && buf_to_primary)
2688 /* Also close buf_to_primary when it becomes impossible to find
2689 * more data to send to it. We don't close buf_from_primary
2690 * yet since there may be data pending or the primary may react
2691 * to the EOF on its input pipe.
2693 || (from_net_fd < 0 && buf_empty_p (buf_to_primary))))
2695 buf_shutdown (buf_to_primary);
2696 buf_free (buf_to_primary);
2697 buf_to_primary = NULL;
2699 /* Setting the fd < 0 with from_primary_fd already < 0 will cause
2700 * an escape from this while loop.
2706 /* Call postsecondary script. */
2708 Parse_Info (CVSROOTADM_POSTPROXY, current_parsed_root->directory,
2709 prepost_proxy_proc, PIOPT_ALL, &pre);
2711 # endif /* PROXY_SUPPORT */
2715 struct notify_note {
2716 /* Directory in which this notification happens. xmalloc'd*/
2725 /* The following three all in one xmalloc'd block, pointed to by TYPE.
2726 Each '\0' terminated. */
2733 struct notify_note *next;
2736 static struct notify_note *notify_list;
2737 /* Used while building list, to point to the last node that already exists. */
2738 static struct notify_note *last_node;
2741 serve_notify (char *arg)
2743 struct notify_note *new = NULL;
2747 if (error_pending ()) return;
2749 if (isProxyServer())
2751 # ifdef PROXY_SUPPORT
2754 # endif /* PROXY_SUPPORT */
2755 if (alloc_pending (160) + strlen (program_name))
2756 sprintf (pending_error_text,
2757 "E This CVS server does not support disconnected `%s edit'. For now, remove all `%s' files in your workspace and try your command again.",
2758 program_name, CVSADM_NOTIFY);
2760 # ifdef PROXY_SUPPORT
2764 /* This is effectively a write command, so run it on the primary. */
2766 exit (EXIT_SUCCESS);
2768 # endif /* PROXY_SUPPORT */
2771 if (outside_dir (arg))
2774 if (gDirname == NULL)
2777 new = xmalloc (sizeof (struct notify_note));
2780 pending_error = ENOMEM;
2783 new->dir = xmalloc (strlen (gDirname) + 1);
2784 new->update_dir = xmalloc (strlen (gupdate_dir) + 1);
2785 new->filename = xmalloc (strlen (arg) + 1);
2786 if (new->dir == NULL || new->update_dir == NULL || new->filename == NULL)
2788 pending_error = ENOMEM;
2789 if (new->dir != NULL)
2794 strcpy (new->dir, gDirname);
2795 strcpy (new->update_dir, gupdate_dir);
2796 strcpy (new->filename, arg);
2798 status = buf_read_line (buf_from_net, &data, NULL);
2802 pending_error = ENOMEM;
2805 pending_error_text = xmalloc (80 + strlen (arg));
2806 if (pending_error_text == NULL)
2807 pending_error = ENOMEM;
2811 sprintf (pending_error_text,
2812 "E end of file reading notification for %s", arg);
2815 sprintf (pending_error_text,
2816 "E error reading notification for %s", arg);
2817 pending_error = status;
2821 free (new->filename);
2832 if (strchr (data, '+'))
2836 if (data[1] != '\t')
2841 cp = strchr (cp, '\t');
2845 cp = strchr (cp, '\t');
2849 cp = strchr (cp, '\t');
2854 /* If there is another tab, ignore everything after it,
2855 for future expansion. */
2856 cp = strchr (cp, '\t');
2862 if (last_node == NULL)
2865 last_node->next = new;
2871 if (alloc_pending (80))
2872 strcpy (pending_error_text,
2873 "E Protocol error; misformed Notify request");
2878 free (new->filename);
2879 free (new->update_dir);
2889 serve_hostname (char *arg)
2892 hostname = xstrdup (arg);
2899 serve_localdir (char *arg)
2901 if (CurDir) free (CurDir);
2902 CurDir = xstrdup (arg);
2907 /* Process all the Notify requests that we have stored up. Returns 0
2908 if successful, if not prints error message (via error()) and
2909 returns negative value. */
2911 server_notify (void)
2913 struct notify_note *p;
2916 TRACE (TRACE_FUNCTION, "server_notify()");
2918 while (notify_list != NULL)
2920 if (CVS_CHDIR (notify_list->dir) < 0)
2922 error (0, errno, "cannot change to %s", notify_list->dir);
2925 repos = Name_Repository (NULL, NULL);
2927 lock_dir_for_write (repos);
2929 fileattr_startdir (repos);
2931 notify_do (*notify_list->type, notify_list->filename,
2932 notify_list->update_dir, getcaller(), notify_list->val,
2933 notify_list->watches, repos);
2935 buf_output0 (buf_to_net, "Notified ");
2937 char *dir = notify_list->dir + strlen (server_temp_dir) + 1;
2939 buf_append_char (buf_to_net, '.');
2941 buf_output0 (buf_to_net, dir);
2942 buf_append_char (buf_to_net, '/');
2943 buf_append_char (buf_to_net, '\n');
2945 buf_output0 (buf_to_net, repos);
2946 buf_append_char (buf_to_net, '/');
2947 buf_output0 (buf_to_net, notify_list->filename);
2948 buf_append_char (buf_to_net, '\n');
2951 p = notify_list->next;
2952 free (notify_list->filename);
2953 free (notify_list->dir);
2954 free (notify_list->type);
2966 /* The code used to call fflush (stdout) here, but that is no
2967 longer necessary. The data is now buffered in buf_to_net,
2968 which will be flushed by the caller, do_cvs_command. */
2975 /* This request is processed in all passes since requests which must
2976 * sometimes be processed before it is known whether we are running as a
2977 * secondary or not, for instance the `expand-modules' request, sometimes use
2981 serve_argument (char *arg)
2985 if (error_pending()) return;
2987 if (argument_count >= 10000)
2989 if (alloc_pending (80))
2990 sprintf (pending_error_text,
2991 "E Protocol error: too many arguments");
2995 if (argument_vector_size <= argument_count)
2997 argument_vector_size *= 2;
2998 argument_vector = xnrealloc (argument_vector,
2999 argument_vector_size, sizeof (char *));
3000 if (argument_vector == NULL)
3002 pending_error = ENOMEM;
3006 p = xmalloc (strlen (arg) + 1);
3009 pending_error = ENOMEM;
3013 argument_vector[argument_count++] = p;
3018 /* For secondary servers, this is handled in all passes, as is the `Argument'
3019 * request, and for the same reasons.
3022 serve_argumentx (char *arg)
3026 if (error_pending()) return;
3028 if (argument_count <= 1)
3030 if (alloc_pending (80))
3031 sprintf (pending_error_text,
3032 "E Protocol error: called argumentx without prior call to argument");
3036 p = argument_vector[argument_count - 1];
3037 p = xrealloc (p, strlen (p) + 1 + strlen (arg) + 1);
3040 pending_error = ENOMEM;
3045 argument_vector[argument_count - 1] = p;
3051 serve_global_option (char *arg)
3053 # ifdef PROXY_SUPPORT
3054 /* This can generate error messages and termination before `Root' requests,
3055 * so it must be dealt with in the first pass.
3057 if (reprocessing) return;
3058 # endif /* PROXY_SUPPORT */
3060 if (arg[0] != '-' || arg[1] == '\0' || arg[2] != '\0')
3063 if (alloc_pending (strlen (arg) + 80))
3064 sprintf (pending_error_text,
3065 "E Protocol error: bad global option %s",
3072 error(0, 0, "WARNING: global `-l' option ignored.");
3097 /* This needs to be processed before Root requests, so we allow it to be
3098 * be processed before knowing whether we are running as a secondary server
3099 * to allow `noop' and `Root' requests to generate errors as before.
3102 serve_set (char *arg)
3104 # ifdef PROXY_SUPPORT
3105 if (reprocessing) return;
3106 # endif /* PROXY_SUPPORT */
3108 /* FIXME: This sends errors immediately (I think); they should be
3109 put into pending_error. */
3115 # ifdef HAVE_KERBEROS
3118 serve_kerberos_encrypt( char *arg )
3120 # ifdef PROXY_SUPPORT
3121 assert (!proxy_log);
3122 # endif /* PROXY_SUPPORT */
3124 /* All future communication with the client will be encrypted. */
3126 buf_to_net = krb_encrypt_buffer_initialize (buf_to_net, 0, sched,
3128 buf_to_net->memory_error);
3129 buf_from_net = krb_encrypt_buffer_initialize (buf_from_net, 1, sched,
3131 buf_from_net->memory_error);
3134 # endif /* HAVE_KERBEROS */
3139 serve_gssapi_encrypt( char *arg )
3141 # ifdef PROXY_SUPPORT
3142 assert (!proxy_log);
3143 # endif /* PROXY_SUPPORT */
3145 if (cvs_gssapi_wrapping)
3147 /* We're already using a gssapi_wrap buffer for stream
3148 authentication. Flush everything we've output so far, and
3149 turn on encryption for future data. On the input side, we
3150 should only have unwrapped as far as the Gssapi-encrypt
3151 command, so future unwrapping will become encrypted. */
3152 buf_flush (buf_to_net, 1);
3153 cvs_gssapi_encrypt = 1;
3157 /* All future communication with the client will be encrypted. */
3159 cvs_gssapi_encrypt = 1;
3161 buf_to_net = cvs_gssapi_wrap_buffer_initialize (buf_to_net, 0,
3163 buf_to_net->memory_error);
3164 buf_from_net = cvs_gssapi_wrap_buffer_initialize (buf_from_net, 1,
3166 buf_from_net->memory_error);
3168 cvs_gssapi_wrapping = 1;
3171 # endif /* HAVE_GSSAPI */
3173 # endif /* ENCRYPTION */
3178 serve_gssapi_authenticate (char *arg)
3180 # ifdef PROXY_SUPPORT
3181 assert (!proxy_log);
3182 # endif /* PROXY_SUPPORT */
3184 if (cvs_gssapi_wrapping)
3186 /* We're already using a gssapi_wrap buffer for encryption.
3187 That includes authentication, so we don't have to do
3188 anything further. */
3192 buf_to_net = cvs_gssapi_wrap_buffer_initialize (buf_to_net, 0,
3194 buf_to_net->memory_error);
3195 buf_from_net = cvs_gssapi_wrap_buffer_initialize (buf_from_net, 1,
3197 buf_from_net->memory_error);
3199 cvs_gssapi_wrapping = 1;
3202 # endif /* HAVE_GSSAPI */
3206 # ifdef SERVER_FLOWCONTROL
3207 /* The maximum we'll queue to the remote client before blocking. */
3208 # ifndef SERVER_HI_WATER
3209 # define SERVER_HI_WATER (2 * 1024 * 1024)
3210 # endif /* SERVER_HI_WATER */
3211 /* When the buffer drops to this, we restart the child */
3212 # ifndef SERVER_LO_WATER
3213 # define SERVER_LO_WATER (1 * 1024 * 1024)
3214 # endif /* SERVER_LO_WATER */
3215 # endif /* SERVER_FLOWCONTROL */
3220 serve_questionable (char *arg)
3224 # ifdef PROXY_SUPPORT
3225 if (proxy_log) return;
3226 # endif /* PROXY_SUPPORT */
3228 if (error_pending ()) return;
3232 /* Pick up ignores from CVSROOTADM_IGNORE, $HOME/.cvsignore on server,
3233 and CVSIGNORE on server. */
3238 if (gDirname == NULL)
3240 if (alloc_pending (80))
3241 sprintf (pending_error_text,
3242 "E Protocol error: `Directory' missing");
3246 if (outside_dir (arg))
3249 if (!ign_name (arg))
3253 buf_output (buf_to_net, "M ? ", 4);
3254 update_dir = gDirname + strlen (server_temp_dir) + 1;
3255 if (!(update_dir[0] == '.' && update_dir[1] == '\0'))
3257 buf_output0 (buf_to_net, update_dir);
3258 buf_output (buf_to_net, "/", 1);
3260 buf_output0 (buf_to_net, arg);
3261 buf_output (buf_to_net, "\n", 1);
3267 static struct buffer *protocol = NULL;
3269 /* This is the output which we are saving up to send to the server, in the
3270 child process. We will push it through, via the `protocol' buffer, when
3271 we have a complete line. */
3272 static struct buffer *saved_output;
3274 /* Likewise, but stuff which will go to stderr. */
3275 static struct buffer *saved_outerr;
3280 protocol_memory_error (struct buffer *buf)
3282 error (1, ENOMEM, "Virtual memory exhausted");
3287 /* If command is valid, return 1.
3288 * Else if command is invalid and croak_on_invalid is set, then die.
3289 * Else just return 0 to indicate that command is invalid.
3292 check_command_valid_p (char *cmd_name)
3294 /* Right now, only pserver notices invalid commands -- namely,
3295 * write attempts by a read-only user. Therefore, if CVS_Username
3296 * is not set, this just returns 1, because CVS_Username unset
3297 * means pserver is not active.
3299 # ifdef AUTH_SERVER_SUPPORT
3300 if (CVS_Username == NULL)
3303 if (lookup_command_attribute (cmd_name) & CVS_CMD_MODIFIES_REPOSITORY)
3305 /* This command has the potential to modify the repository, so
3306 * we check if the user have permission to do that.
3308 * (Only relevant for remote users -- local users can do
3309 * whatever normal Unix file permissions allow them to do.)
3311 * The decision method:
3313 * If $CVSROOT/CVSADMROOT_READERS exists and user is listed
3314 * in it, then read-only access for user.
3316 * Or if $CVSROOT/CVSADMROOT_WRITERS exists and user NOT
3317 * listed in it, then also read-only access for user.
3319 * Else read-write access for user.
3322 char *linebuf = NULL;
3324 size_t linebuf_len = 0;
3331 flen = strlen (current_parsed_root->directory)
3332 + strlen (CVSROOTADM)
3333 + strlen (CVSROOTADM_READERS)
3336 fname = xmalloc (flen);
3337 (void) sprintf (fname, "%s/%s/%s", current_parsed_root->directory,
3338 CVSROOTADM, CVSROOTADM_READERS);
3340 fp = fopen (fname, "r");
3344 if (!existence_error (errno))
3346 /* Need to deny access, so that attackers can't fool
3347 us with some sort of denial of service attack. */
3348 error (0, errno, "cannot open %s", fname);
3353 else /* successfully opened readers file */
3355 while ((num_red = getline (&linebuf, &linebuf_len, fp)) >= 0)
3357 /* Hmmm, is it worth importing my own readline
3358 library into CVS? It takes care of chopping
3359 leading and trailing whitespace, "#" comments, and
3360 newlines automatically when so requested. Would
3361 save some code here... -kff */
3363 /* Chop newline by hand, for strcmp()'s sake. */
3364 if (num_red > 0 && linebuf[num_red - 1] == '\n')
3365 linebuf[num_red - 1] = '\0';
3367 if (strcmp (linebuf, CVS_Username) == 0)
3368 goto handle_invalid;
3370 if (num_red < 0 && !feof (fp))
3371 error (0, errno, "cannot read %s", fname);
3373 /* If not listed specifically as a reader, then this user
3374 has write access by default unless writers are also
3375 specified in a file . */
3376 if (fclose (fp) < 0)
3377 error (0, errno, "cannot close %s", fname);
3381 /* Now check the writers file. */
3383 flen = strlen (current_parsed_root->directory)
3384 + strlen (CVSROOTADM)
3385 + strlen (CVSROOTADM_WRITERS)
3388 fname = xmalloc (flen);
3389 (void) sprintf (fname, "%s/%s/%s", current_parsed_root->directory,
3390 CVSROOTADM, CVSROOTADM_WRITERS);
3392 fp = fopen (fname, "r");
3398 if (existence_error (errno))
3400 /* Writers file does not exist, so everyone is a writer,
3407 /* Need to deny access, so that attackers can't fool
3408 us with some sort of denial of service attack. */
3409 error (0, errno, "cannot read %s", fname);
3416 while ((num_red = getline (&linebuf, &linebuf_len, fp)) >= 0)
3418 /* Chop newline by hand, for strcmp()'s sake. */
3419 if (num_red > 0 && linebuf[num_red - 1] == '\n')
3420 linebuf[num_red - 1] = '\0';
3422 if (strcmp (linebuf, CVS_Username) == 0)
3428 if (num_red < 0 && !feof (fp))
3429 error (0, errno, "cannot read %s", fname);
3433 if (fclose (fp) < 0)
3434 error (0, errno, "cannot close %s", fname);
3440 else /* writers file exists, but this user not listed in it */
3443 if (fclose (fp) < 0)
3444 error (0, errno, "cannot close %s", fname);
3451 # endif /* AUTH_SERVER_SUPPORT */
3453 /* If ever reach end of this function, command must be valid. */
3459 /* Execute COMMAND in a subprocess with the approriate funky things done. */
3461 static struct fd_set_wrapper { fd_set fds; } command_fds_to_drain;
3462 # ifdef SUNOS_KLUDGE
3463 static int max_command_fd;
3466 # ifdef SERVER_FLOWCONTROL
3467 static int flowcontrol_pipe[2];
3468 # endif /* SERVER_FLOWCONTROL */
3473 * Set buffer FD to non-blocking I/O. Returns 0 for success or errno
3477 set_nonblock_fd (int fd)
3479 # if defined (F_GETFL) && defined (O_NONBLOCK) && defined (F_SETFL)
3482 flags = fcntl (fd, F_GETFL, 0);
3485 if (fcntl (fd, F_SETFL, flags | O_NONBLOCK) < 0)
3487 # endif /* F_GETFL && O_NONBLOCK && F_SETFL */
3494 do_cvs_command (char *cmd_name, int (*command) (int, char **))
3497 * The following file descriptors are set to -1 if that file is not
3501 /* Data on these pipes is a series of '\n'-terminated lines. */
3506 * Data on this pipe is a series of counted (see buf_send_counted)
3507 * packets. Each packet must be processed atomically (i.e. not
3508 * interleaved with data from stdout_pipe or stderr_pipe).
3510 int protocol_pipe[2];
3512 int dev_null_fd = -1;
3516 TRACE (TRACE_FUNCTION, "do_cvs_command (%s)", cmd_name);
3518 /* Write proxy logging is always terminated when a command is received.
3519 * Therefore, we wish to avoid reprocessing the command since that would
3520 * cause endless recursion.
3522 if (isProxyServer())
3524 # ifdef PROXY_SUPPORT
3526 /* This must be the second time we've reached this point.
3527 * Done reprocessing.
3529 reprocessing = false;
3532 if (lookup_command_attribute (cmd_name)
3533 & CVS_CMD_MODIFIES_REPOSITORY)
3536 exit (EXIT_SUCCESS);
3538 else if (/* serve_co may have called this already and missing logs
3539 * should have generated an error in serve_root().
3543 /* Set up the log for reprocessing. */
3544 rewind_buf_from_net ();
3545 /* And return to the main loop in server(), where we will now
3546 * find the logged secondary data and reread it.
3551 # else /* !PROXY_SUPPORT */
3552 if (lookup_command_attribute (cmd_name)
3553 & CVS_CMD_MODIFIES_REPOSITORY
3554 && alloc_pending (120))
3555 sprintf (pending_error_text,
3556 "E You need a CVS client that supports the `Redirect' response for write requests to this server.");
3558 # endif /* PROXY_SUPPORT */
3562 stdout_pipe[0] = -1;
3563 stdout_pipe[1] = -1;
3564 stderr_pipe[0] = -1;
3565 stderr_pipe[1] = -1;
3566 protocol_pipe[0] = -1;
3567 protocol_pipe[1] = -1;
3569 server_write_entries ();
3571 if (print_pending_error ())
3572 goto free_args_and_return;
3574 /* Global `cvs_cmd_name' is probably "server" right now -- only
3575 serve_export() sets it to anything else. So we will use local
3576 parameter `cmd_name' to determine if this command is valid for
3578 if (!check_command_valid_p (cmd_name))
3580 buf_output0 (buf_to_net, "E ");
3581 buf_output0 (buf_to_net, program_name);
3582 buf_output0 (buf_to_net, " [server aborted]: \"");
3583 buf_output0 (buf_to_net, cmd_name);
3584 buf_output0 (buf_to_net,
3585 "\" requires write access to the repository\n\
3587 goto free_args_and_return;
3589 cvs_cmd_name = cmd_name;
3591 (void) server_notify ();
3594 * We use a child process which actually does the operation. This
3595 * is so we can intercept its standard output. Even if all of CVS
3596 * were written to go to some special routine instead of writing
3597 * to stdout or stderr, we would still need to do the same thing
3598 * for the RCS commands.
3601 if (pipe (stdout_pipe) < 0)
3603 buf_output0 (buf_to_net, "E pipe failed\n");
3604 print_error (errno);
3607 if (pipe (stderr_pipe) < 0)
3609 buf_output0 (buf_to_net, "E pipe failed\n");
3610 print_error (errno);
3613 if (pipe (protocol_pipe) < 0)
3615 buf_output0 (buf_to_net, "E pipe failed\n");
3616 print_error (errno);
3619 # ifdef SERVER_FLOWCONTROL
3620 if (pipe (flowcontrol_pipe) < 0)
3622 buf_output0 (buf_to_net, "E pipe failed\n");
3623 print_error (errno);
3626 set_nonblock_fd (flowcontrol_pipe[0]);
3627 set_nonblock_fd (flowcontrol_pipe[1]);
3628 # endif /* SERVER_FLOWCONTROL */
3630 dev_null_fd = CVS_OPEN (DEVNULL, O_RDONLY);
3631 if (dev_null_fd < 0)
3633 buf_output0 (buf_to_net, "E open /dev/null failed\n");
3634 print_error (errno);
3638 /* We shouldn't have any partial lines from cvs_output and
3639 cvs_outerr, but we handle them here in case there is a bug. */
3640 /* FIXME: appending a newline, rather than using "MT" as we
3641 do in the child process, is probably not really a very good
3642 way to "handle" them. */
3643 if (! buf_empty_p (saved_output))
3645 buf_append_char (saved_output, '\n');
3646 buf_copy_lines (buf_to_net, saved_output, 'M');
3648 if (! buf_empty_p (saved_outerr))
3650 buf_append_char (saved_outerr, '\n');
3651 buf_copy_lines (buf_to_net, saved_outerr, 'E');
3654 /* Flush out any pending data. */
3655 buf_flush (buf_to_net, 1);
3657 /* Don't use vfork; we're not going to exec(). */
3658 command_pid = fork ();
3659 if (command_pid < 0)
3661 buf_output0 (buf_to_net, "E fork failed\n");
3662 print_error (errno);
3665 if (command_pid == 0)
3669 /* Since we're in the child, and the parent is going to take
3670 care of packaging up our error messages, we can clear this
3672 error_use_protocol = 0;
3674 protocol = fd_buffer_initialize (protocol_pipe[1], 0, NULL, false,
3675 protocol_memory_error);
3677 /* At this point we should no longer be using buf_to_net and
3678 buf_from_net. Instead, everything should go through
3680 if (buf_to_net != NULL)
3682 buf_free (buf_to_net);
3685 if (buf_from_net != NULL)
3687 buf_free (buf_from_net);
3688 buf_from_net = NULL;
3691 /* These were originally set up to use outbuf_memory_error.
3692 Since we're now in the child, we should use the simpler
3693 protocol_memory_error function. */
3694 saved_output->memory_error = protocol_memory_error;
3695 saved_outerr->memory_error = protocol_memory_error;
3697 if (dup2 (dev_null_fd, STDIN_FILENO) < 0)
3698 error (1, errno, "can't set up pipes");
3699 if (dup2 (stdout_pipe[1], STDOUT_FILENO) < 0)
3700 error (1, errno, "can't set up pipes");
3701 if (dup2 (stderr_pipe[1], STDERR_FILENO) < 0)
3702 error (1, errno, "can't set up pipes");
3703 close (dev_null_fd);
3704 close (stdout_pipe[0]);
3705 close (stdout_pipe[1]);
3706 close (stderr_pipe[0]);
3707 close (stderr_pipe[1]);
3708 close (protocol_pipe[0]);
3709 close_on_exec (protocol_pipe[1]);
3710 # ifdef SERVER_FLOWCONTROL
3711 close_on_exec (flowcontrol_pipe[0]);
3712 close (flowcontrol_pipe[1]);
3713 # endif /* SERVER_FLOWCONTROL */
3716 * Set this in .bashrc if you want to give yourself time to attach
3717 * to the subprocess with a debugger.
3719 if (getenv ("CVS_SERVER_SLEEP"))
3721 int secs = atoi (getenv ("CVS_SERVER_SLEEP"));
3722 TRACE (TRACE_DATA, "Sleeping CVS_SERVER_SLEEP (%d) seconds", secs);
3726 TRACE (TRACE_DATA, "CVS_SERVER_SLEEP not set.");
3728 exitstatus = (*command) (argument_count, argument_vector);
3730 /* Output any partial lines. If the client doesn't support
3731 "MT", we go ahead and just tack on a newline since the
3732 protocol doesn't support anything better. */
3733 if (! buf_empty_p (saved_output))
3735 buf_output0 (protocol, supported_response ("MT") ? "MT text " : "M ");
3736 buf_append_buffer (protocol, saved_output);
3737 buf_output (protocol, "\n", 1);
3738 buf_send_counted (protocol);
3740 /* For now we just discard partial lines on stderr. I suspect
3741 that CVS can't write such lines unless there is a bug. */
3743 buf_free (protocol);
3745 /* Close the pipes explicitly in order to send an EOF to the parent,
3746 * then wait for the parent to close the flow control pipe. This
3747 * avoids a race condition where a child which dumped more than the
3748 * high water mark into the pipes could complete its job and exit,
3749 * leaving the parent process to attempt to write a stop byte to the
3750 * closed flow control pipe, which earned the parent a SIGPIPE, which
3751 * it normally only expects on the network pipe and that causes it to
3752 * exit with an error message, rather than the SIGCHILD that it knows
3753 * how to handle correctly.
3755 /* Let exit() close STDIN - it's from /dev/null anyhow. */
3758 close (protocol_pipe[1]);
3759 # ifdef SERVER_FLOWCONTROL
3763 while ((status = read (flowcontrol_pipe[0], &junk, 1)) > 0
3764 || (status == -1 && errno == EAGAIN));
3766 /* FIXME: No point in printing an error message with error(),
3767 * as STDERR is already closed, but perhaps this could be syslogged?
3774 /* OK, sit around getting all the input from the child. */
3776 struct buffer *stdoutbuf;
3777 struct buffer *stderrbuf;
3778 struct buffer *protocol_inbuf;
3779 /* Number of file descriptors to check in select (). */
3781 int count_needed = 1;
3782 # ifdef SERVER_FLOWCONTROL
3783 int have_flowcontrolled = 0;
3784 # endif /* SERVER_FLOWCONTROL */
3786 FD_ZERO (&command_fds_to_drain.fds);
3787 num_to_check = stdout_pipe[0];
3788 FD_SET (stdout_pipe[0], &command_fds_to_drain.fds);
3789 num_to_check = MAX (num_to_check, stderr_pipe[0]);
3790 FD_SET (stderr_pipe[0], &command_fds_to_drain.fds);
3791 num_to_check = MAX (num_to_check, protocol_pipe[0]);
3792 FD_SET (protocol_pipe[0], &command_fds_to_drain.fds);
3793 num_to_check = MAX (num_to_check, STDOUT_FILENO);
3794 # ifdef SUNOS_KLUDGE
3795 max_command_fd = num_to_check;
3798 * File descriptors are numbered from 0, so num_to_check needs to
3799 * be one larger than the largest descriptor.
3802 if (num_to_check > FD_SETSIZE)
3804 buf_output0 (buf_to_net,
3805 "E internal error: FD_SETSIZE not big enough.\n\
3810 stdoutbuf = fd_buffer_initialize (stdout_pipe[0], 0, NULL, true,
3811 input_memory_error);
3813 stderrbuf = fd_buffer_initialize (stderr_pipe[0], 0, NULL, true,
3814 input_memory_error);
3816 protocol_inbuf = fd_buffer_initialize (protocol_pipe[0], 0, NULL, true,
3817 input_memory_error);
3819 set_nonblock (buf_to_net);
3820 set_nonblock (stdoutbuf);
3821 set_nonblock (stderrbuf);
3822 set_nonblock (protocol_inbuf);
3824 if (close (stdout_pipe[1]) < 0)
3826 buf_output0 (buf_to_net, "E close failed\n");
3827 print_error (errno);
3830 stdout_pipe[1] = -1;
3832 if (close (stderr_pipe[1]) < 0)
3834 buf_output0 (buf_to_net, "E close failed\n");
3835 print_error (errno);
3838 stderr_pipe[1] = -1;
3840 if (close (protocol_pipe[1]) < 0)
3842 buf_output0 (buf_to_net, "E close failed\n");
3843 print_error (errno);
3846 protocol_pipe[1] = -1;
3848 # ifdef SERVER_FLOWCONTROL
3849 if (close (flowcontrol_pipe[0]) < 0)
3851 buf_output0 (buf_to_net, "E close failed\n");
3852 print_error (errno);
3855 flowcontrol_pipe[0] = -1;
3856 # endif /* SERVER_FLOWCONTROL */
3858 if (close (dev_null_fd) < 0)
3860 buf_output0 (buf_to_net, "E close failed\n");
3861 print_error (errno);
3866 while (stdout_pipe[0] >= 0
3867 || stderr_pipe[0] >= 0
3868 || protocol_pipe[0] >= 0
3869 || count_needed <= 0)
3874 struct timeval *timeout_ptr;
3875 struct timeval timeout;
3876 # ifdef SERVER_FLOWCONTROL
3880 * See if we are swamping the remote client and filling our VM.
3881 * Tell child to hold off if we do.
3883 bufmemsize = buf_count_mem (buf_to_net);
3884 if (!have_flowcontrolled && (bufmemsize > SERVER_HI_WATER))
3886 if (write(flowcontrol_pipe[1], "S", 1) == 1)
3887 have_flowcontrolled = 1;
3889 else if (have_flowcontrolled && (bufmemsize < SERVER_LO_WATER))
3891 if (write(flowcontrol_pipe[1], "G", 1) == 1)
3892 have_flowcontrolled = 0;
3894 # endif /* SERVER_FLOWCONTROL */
3897 FD_ZERO (&writefds);
3899 if (count_needed <= 0)
3901 /* there is data pending which was read from the protocol pipe
3902 * so don't block if we don't find any data
3905 timeout.tv_usec = 0;
3906 timeout_ptr = &timeout;
3910 /* block indefinately */
3914 if (! buf_empty_p (buf_to_net))
3915 FD_SET (STDOUT_FILENO, &writefds);
3917 if (stdout_pipe[0] >= 0)
3919 FD_SET (stdout_pipe[0], &readfds);
3921 if (stderr_pipe[0] >= 0)
3923 FD_SET (stderr_pipe[0], &readfds);
3925 if (protocol_pipe[0] >= 0)
3927 FD_SET (protocol_pipe[0], &readfds);
3930 /* This process of selecting on the three pipes means that
3931 we might not get output in the same order in which it
3932 was written, thus producing the well-known
3933 "out-of-order" bug. If the child process uses
3934 cvs_output and cvs_outerr, it will send everything on
3935 the protocol_pipe and avoid this problem, so the
3936 solution is to use cvs_output and cvs_outerr in the
3939 /* This used to select on exceptions too, but as far
3940 as I know there was never any reason to do that and
3941 SCO doesn't let you select on exceptions on pipes. */
3942 numfds = select (num_to_check, &readfds, &writefds,
3947 buf_output0 (buf_to_net, "E select failed\n");
3948 print_error (errno);
3951 } while (numfds < 0);
3956 FD_ZERO (&writefds);
3959 if (FD_ISSET (STDOUT_FILENO, &writefds))
3961 /* What should we do with errors? syslog() them? */
3962 buf_send_output (buf_to_net);
3965 if (protocol_pipe[0] >= 0
3966 && (FD_ISSET (protocol_pipe[0], &readfds)))
3971 status = buf_input_data (protocol_inbuf, &count_read);
3975 close (protocol_pipe[0]);
3976 protocol_pipe[0] = -1;
3978 else if (status > 0)
3980 buf_output0 (buf_to_net, "E buf_input_data failed\n");
3981 print_error (status);
3986 * We only call buf_copy_counted if we have read
3987 * enough bytes to make it worthwhile. This saves us
3988 * from continually recounting the amount of data we
3991 count_needed -= count_read;
3993 /* this is still part of the protocol pipe procedure, but it is
3994 * outside the above conditional so that unprocessed data can be
3995 * left in the buffer and stderr/stdout can be read when a flush
3996 * signal is received and control can return here without passing
3997 * through the select code and maybe blocking
3999 while (count_needed <= 0)
4003 count_needed = buf_copy_counted (buf_to_net,
4007 /* What should we do with errors? syslog() them? */
4008 buf_send_output (buf_to_net);
4010 /* If SPECIAL got set to <0, it means that the child
4011 * wants us to flush the pipe & maybe stderr or stdout.
4013 * After that we break to read stderr & stdout again before
4014 * going back to the protocol pipe
4016 * Upon breaking, count_needed = 0, so the next pass will only
4017 * perform a non-blocking select before returning here to finish
4018 * processing data we already read from the protocol buffer
4027 /* If the client supports the 'F' command, we send it. */
4028 if (supported_response ("F"))
4030 buf_append_char (buf_to_net, 'F');
4031 buf_append_char (buf_to_net, '\n');
4038 if (stdout_pipe[0] >= 0
4039 && (FD_ISSET (stdout_pipe[0], &readfds)))
4043 status = buf_input_data (stdoutbuf, NULL);
4045 buf_copy_lines (buf_to_net, stdoutbuf, 'M');
4049 close (stdout_pipe[0]);
4050 stdout_pipe[0] = -1;
4052 else if (status > 0)
4054 buf_output0 (buf_to_net, "E buf_input_data failed\n");
4055 print_error (status);
4059 /* What should we do with errors? syslog() them? */
4060 buf_send_output (buf_to_net);
4063 if (stderr_pipe[0] >= 0
4064 && (FD_ISSET (stderr_pipe[0], &readfds)))
4068 status = buf_input_data (stderrbuf, NULL);
4070 buf_copy_lines (buf_to_net, stderrbuf, 'E');
4074 close (stderr_pipe[0]);
4075 stderr_pipe[0] = -1;
4077 else if (status > 0)
4079 buf_output0 (buf_to_net, "E buf_input_data failed\n");
4080 print_error (status);
4084 /* What should we do with errors? syslog() them? */
4085 buf_send_output (buf_to_net);
4090 * OK, we've gotten EOF on all the pipes. If there is
4091 * anything left on stdoutbuf or stderrbuf (this could only
4092 * happen if there was no trailing newline), send it over.
4094 if (! buf_empty_p (stdoutbuf))
4096 buf_append_char (stdoutbuf, '\n');
4097 buf_copy_lines (buf_to_net, stdoutbuf, 'M');
4099 if (! buf_empty_p (stderrbuf))
4101 buf_append_char (stderrbuf, '\n');
4102 buf_copy_lines (buf_to_net, stderrbuf, 'E');
4104 if (! buf_empty_p (protocol_inbuf))
4105 buf_output0 (buf_to_net,
4106 "E Protocol error: uncounted data discarded\n");
4108 # ifdef SERVER_FLOWCONTROL
4109 close (flowcontrol_pipe[1]);
4110 flowcontrol_pipe[1] = -1;
4111 # endif /* SERVER_FLOWCONTROL */
4115 while (command_pid > 0)
4119 waited_pid = waitpid (command_pid, &status, 0);
4123 * Intentionally ignoring EINTR. Other errors
4129 if (WIFEXITED (status))
4130 errs += WEXITSTATUS (status);
4133 int sig = WTERMSIG (status);
4136 * This is really evil, because signals might be numbered
4137 * differently on the two systems. We should be using
4138 * signal names (either of the "Terminated" or the "SIGTERM"
4139 * variety). But cvs doesn't currently use libiberty...we
4140 * could roll our own.... FIXME.
4142 buf_output0 (buf_to_net, "E Terminated with fatal signal ");
4143 sprintf (buf, "%d\n", sig);
4144 buf_output0 (buf_to_net, buf);
4146 /* Test for a core dump. */
4147 if (WCOREDUMP (status))
4149 buf_output0 (buf_to_net, "E Core dumped; preserving ");
4150 buf_output0 (buf_to_net, orig_server_temp_dir);
4151 buf_output0 (buf_to_net, " on server.\n\
4152 E CVS locks may need cleaning up.\n");
4153 dont_delete_temp = 1;
4157 if (waited_pid == command_pid)
4162 * OK, we've waited for the child. By now all CVS locks are free
4163 * and it's OK to block on the network.
4165 set_block (buf_to_net);
4166 buf_flush (buf_to_net, 1);
4167 buf_shutdown (protocol_inbuf);
4168 buf_free (protocol_inbuf);
4169 protocol_inbuf = NULL;
4170 buf_shutdown (stderrbuf);
4171 buf_free (stderrbuf);
4173 buf_shutdown (stdoutbuf);
4174 buf_free (stdoutbuf);
4179 /* We will have printed an error message already. */
4180 buf_output0 (buf_to_net, "error \n");
4182 buf_output0 (buf_to_net, "ok\n");
4183 goto free_args_and_return;
4186 if (command_pid > 0)
4187 kill (command_pid, SIGTERM);
4189 while (command_pid > 0)
4192 waited_pid = waitpid (command_pid, NULL, 0);
4193 if (waited_pid < 0 && errno == EINTR)
4195 if (waited_pid == command_pid)
4199 close (dev_null_fd);
4200 close (protocol_pipe[0]);
4201 close (protocol_pipe[1]);
4202 close (stderr_pipe[0]);
4203 close (stderr_pipe[1]);
4204 close (stdout_pipe[0]);
4205 close (stdout_pipe[1]);
4206 # ifdef SERVER_FLOWCONTROL
4207 close (flowcontrol_pipe[0]);
4208 close (flowcontrol_pipe[1]);
4209 # endif /* SERVER_FLOWCONTROL */
4211 free_args_and_return:
4212 /* Now free the arguments. */
4214 /* argument_vector[0] is a dummy argument, we don't mess with it. */
4216 for (cp = argument_vector + 1;
4217 cp < argument_vector + argument_count;
4224 /* Flush out any data not yet sent. */
4225 set_block (buf_to_net);
4226 buf_flush (buf_to_net, 1);
4233 # ifdef SERVER_FLOWCONTROL
4235 * Called by the child at convenient points in the server's execution for
4236 * the server child to block.. ie: when it has no locks active.
4239 server_pause_check(void)
4244 while (read (flowcontrol_pipe[0], buf, 1) == 1)
4246 if (*buf == 'S') /* Stop */
4248 else if (*buf == 'G') /* Go */
4254 int numfds, numtocheck;
4258 FD_SET (flowcontrol_pipe[0], &fds);
4259 numtocheck = flowcontrol_pipe[0] + 1;
4262 numfds = select (numtocheck, &fds, NULL, NULL, NULL);
4266 buf_output0 (buf_to_net, "E select failed\n");
4267 print_error (errno);
4270 } while (numfds < 0);
4272 if (FD_ISSET (flowcontrol_pipe[0], &fds))
4276 while ((got = read (flowcontrol_pipe[0], buf, 1)) == 1)
4278 if (*buf == 'S') /* Stop */
4280 else if (*buf == 'G') /* Go */
4286 /* This assumes that we are using BSD or POSIX nonblocking
4287 I/O. System V nonblocking I/O returns zero if there is
4290 error (1, 0, "flow control EOF");
4291 if (got < 0 && ! blocking_error (errno))
4293 error (1, errno, "flow control read failed");
4298 # endif /* SERVER_FLOWCONTROL */
4302 /* This variable commented in server.h. */
4303 char *server_dir = NULL;
4308 output_dir (const char *update_dir, const char *repository)
4310 /* Set up SHORT_REPOS. */
4311 const char *short_repos = Short_Repository (repository);
4313 /* Send the update_dir/repos. */
4314 if (server_dir != NULL)
4316 buf_output0 (protocol, server_dir);
4317 buf_output0 (protocol, "/");
4319 if (update_dir[0] == '\0')
4320 buf_output0 (protocol, ".");
4322 buf_output0 (protocol, update_dir);
4323 buf_output0 (protocol, "/\n");
4324 if (short_repos[0] == '\0')
4325 buf_output0 (protocol, ".");
4327 buf_output0 (protocol, short_repos);
4328 buf_output0 (protocol, "/");
4334 * Entries line that we are squirreling away to send to the client when
4337 static char *entries_line;
4340 * File which has been Scratch_File'd, we are squirreling away that fact
4341 * to inform the client when we are ready.
4343 static char *scratched_file;
4346 * The scratched_file will need to be removed as well as having its entry
4349 static int kill_scratched_file;
4354 server_register (const char *name, const char *version, const char *timestamp,
4355 const char *options, const char *tag, const char *date,
4356 const char *conflict)
4360 if (options == NULL)
4363 TRACE (TRACE_FUNCTION, "server_register(%s, %s, %s, %s, %s, %s, %s)",
4364 name, version, timestamp ? timestamp : "", options,
4365 tag ? tag : "", date ? date : "",
4366 conflict ? conflict : "");
4368 if (entries_line != NULL)
4371 * If CVS decides to Register it more than once (which happens
4372 * on "cvs update foo/foo.c" where foo and foo.c are already
4373 * checked out), use the last of the entries lines Register'd.
4375 free (entries_line);
4379 * I have reports of Scratch_Entry and Register both happening, in
4380 * two different cases. Using the last one which happens is almost
4381 * surely correct; I haven't tracked down why they both happen (or
4382 * even verified that they are for the same file).
4384 if (scratched_file != NULL)
4386 free (scratched_file);
4387 scratched_file = NULL;
4390 len = (strlen (name) + strlen (version) + strlen (options) + 80);
4392 len += strlen (tag);
4394 len += strlen (date);
4396 entries_line = xmalloc (len);
4397 sprintf (entries_line, "/%s/%s/", name, version);
4398 if (conflict != NULL)
4400 strcat (entries_line, "+=");
4402 strcat (entries_line, "/");
4403 strcat (entries_line, options);
4404 strcat (entries_line, "/");
4407 strcat (entries_line, "T");
4408 strcat (entries_line, tag);
4410 else if (date != NULL)
4412 strcat (entries_line, "D");
4413 strcat (entries_line, date);
4420 server_scratch (const char *fname)
4423 * I have reports of Scratch_Entry and Register both happening, in
4424 * two different cases. Using the last one which happens is almost
4425 * surely correct; I haven't tracked down why they both happen (or
4426 * even verified that they are for the same file).
4428 * Don't know if this is what whoever wrote the above comment was
4429 * talking about, but this can happen in the case where a join
4430 * removes a file - the call to Register puts the '-vers' into the
4431 * Entries file after the file is removed
4433 if (entries_line != NULL)
4435 free (entries_line);
4436 entries_line = NULL;
4439 if (scratched_file != NULL)
4441 buf_output0 (protocol,
4442 "E CVS server internal error: duplicate Scratch_Entry\n");
4443 buf_send_counted (protocol);
4446 scratched_file = xstrdup (fname);
4447 kill_scratched_file = 1;
4453 server_scratch_entry_only (void)
4455 kill_scratched_file = 0;
4460 /* Print a new entries line, from a previous server_register. */
4462 new_entries_line (void)
4466 buf_output0 (protocol, entries_line);
4467 buf_output (protocol, "\n", 1);
4470 /* Return the error message as the Entries line. */
4471 buf_output0 (protocol,
4472 "CVS server internal error: Register missing\n");
4473 free (entries_line);
4474 entries_line = NULL;
4480 serve_ci (char *arg)
4482 do_cvs_command ("commit", commit);
4488 checked_in_response (const char *file, const char *update_dir,
4489 const char *repository)
4491 if (supported_response ("Mode"))
4496 if (stat (file, &sb) < 0)
4498 /* Not clear to me why the file would fail to exist, but it
4499 was happening somewhere in the testsuite. */
4500 if (!existence_error (errno))
4501 error (0, errno, "cannot stat %s", file);
4505 buf_output0 (protocol, "Mode ");
4506 mode_string = mode_to_string (sb.st_mode);
4507 buf_output0 (protocol, mode_string);
4508 buf_output0 (protocol, "\n");
4513 buf_output0 (protocol, "Checked-in ");
4514 output_dir (update_dir, repository);
4515 buf_output0 (protocol, file);
4516 buf_output (protocol, "\n", 1);
4517 new_entries_line ();
4523 server_checked_in (const char *file, const char *update_dir,
4524 const char *repository)
4528 if (scratched_file != NULL && entries_line == NULL)
4531 * This happens if we are now doing a "cvs remove" after a previous
4532 * "cvs add" (without a "cvs ci" in between).
4534 buf_output0 (protocol, "Remove-entry ");
4535 output_dir (update_dir, repository);
4536 buf_output0 (protocol, file);
4537 buf_output (protocol, "\n", 1);
4538 free (scratched_file);
4539 scratched_file = NULL;
4543 checked_in_response (file, update_dir, repository);
4545 buf_send_counted (protocol);
4551 server_update_entries (const char *file, const char *update_dir,
4552 const char *repository,
4553 enum server_updated_arg4 updated)
4557 if (updated == SERVER_UPDATED)
4558 checked_in_response (file, update_dir, repository);
4561 if (!supported_response ("New-entry"))
4563 buf_output0 (protocol, "New-entry ");
4564 output_dir (update_dir, repository);
4565 buf_output0 (protocol, file);
4566 buf_output (protocol, "\n", 1);
4567 new_entries_line ();
4570 buf_send_counted (protocol);
4576 serve_update (char *arg)
4578 do_cvs_command ("update", update);
4584 serve_diff (char *arg)
4586 do_cvs_command ("diff", diff);
4592 serve_log (char *arg)
4594 do_cvs_command ("log", cvslog);
4600 serve_rlog (char *arg)
4602 do_cvs_command ("rlog", cvslog);
4608 serve_ls (char *arg)
4610 do_cvs_command ("ls", ls);
4616 serve_rls (char *arg)
4618 do_cvs_command ("rls", ls);
4624 serve_add (char *arg)
4626 do_cvs_command ("add", add);
4632 serve_remove (char *arg)
4634 do_cvs_command ("remove", cvsremove);
4640 serve_status (char *arg)
4642 do_cvs_command ("status", cvsstatus);
4648 serve_rdiff (char *arg)
4650 do_cvs_command ("rdiff", patch);
4656 serve_tag (char *arg)
4658 do_cvs_command ("tag", cvstag);
4664 serve_rtag (char *arg)
4666 do_cvs_command ("rtag", cvstag);
4672 serve_import (char *arg)
4674 do_cvs_command ("import", import);
4680 serve_admin (char *arg)
4682 do_cvs_command ("admin", admin);
4688 serve_history (char *arg)
4690 do_cvs_command ("history", history);
4696 serve_release (char *arg)
4698 do_cvs_command ("release", release);
4704 serve_watch_on (char *arg)
4706 do_cvs_command ("watch", watch_on);
4712 serve_watch_off (char *arg)
4714 do_cvs_command ("watch", watch_off);
4720 serve_watch_add (char *arg)
4722 do_cvs_command ("watch", watch_add);
4728 serve_watch_remove (char *arg)
4730 do_cvs_command ("watch", watch_remove);
4736 serve_watchers (char *arg)
4738 do_cvs_command ("watchers", watchers);
4744 serve_editors (char *arg)
4746 do_cvs_command ("editors", editors);
4752 serve_edit (char *arg)
4754 do_cvs_command ("edit", edit);
4759 # ifdef PROXY_SUPPORT
4760 /* We need to handle some of this before reprocessing since it is defined to
4761 * send a response and print errors before a Root request is received.
4763 # endif /* PROXY_SUPPORT */
4765 serve_noop (char *arg)
4767 /* Errors could be encountered in the first or second passes, so always
4768 * send them to the client.
4770 bool pe = print_pending_error();
4772 # ifdef PROXY_SUPPORT
4773 /* The portions below need not be handled until reprocessing anyhow since
4774 * there should be no entries or notifications prior to that. */
4776 # endif /* PROXY_SUPPORT */
4778 server_write_entries ();
4780 (void) server_notify ();
4784 # ifdef PROXY_SUPPORT
4785 /* "ok" only goes across in the first pass. */
4787 # endif /* PROXY_SUPPORT */
4789 buf_output0 (buf_to_net, "ok\n");
4790 buf_flush (buf_to_net, 1);
4796 serve_version (char *arg)
4798 do_cvs_command ("version", version);
4804 serve_init (char *arg)
4806 cvsroot_t *saved_parsed_root;
4808 if (!ISABSOLUTE (arg))
4810 if (alloc_pending (80 + strlen (arg)))
4811 sprintf (pending_error_text,
4812 "E init %s must be an absolute pathname", arg);
4814 # ifdef AUTH_SERVER_SUPPORT
4815 else if (Pserver_Repos != NULL)
4817 if (strcmp (Pserver_Repos, arg) != 0)
4819 if (alloc_pending (80 + strlen (Pserver_Repos) + strlen (arg)))
4820 /* The explicitness is to aid people who are writing clients.
4821 I don't see how this information could help an
4823 sprintf (pending_error_text, "\
4824 E Protocol error: init says \"%s\" but pserver says \"%s\"",
4825 arg, Pserver_Repos);
4830 if (print_pending_error ())
4833 saved_parsed_root = current_parsed_root;
4834 current_parsed_root = local_cvsroot (arg);
4836 do_cvs_command ("init", init);
4838 /* Do not free CURRENT_PARSED_ROOT since it is still in the cache. */
4839 current_parsed_root = saved_parsed_root;
4845 serve_annotate (char *arg)
4847 do_cvs_command ("annotate", annotate);
4853 serve_rannotate (char *arg)
4855 do_cvs_command ("rannotate", annotate);
4861 serve_co (char *arg)
4863 if (print_pending_error ())
4866 # ifdef PROXY_SUPPORT
4867 /* If we are not a secondary server, the write proxy log will already have
4870 if (isProxyServer ())
4873 reprocessing = false;
4874 else if (/* The proxy log may be closed if the client sent a
4875 * `Command-prep' request.
4879 /* Set up the log for reprocessing. */
4880 rewind_buf_from_net ();
4881 /* And return to the main loop in server(), where we will now find
4882 * the logged secondary data and reread it.
4887 # endif /* PROXY_SUPPORT */
4889 /* Compensate for server_export()'s setting of cvs_cmd_name.
4891 * [It probably doesn't matter if do_cvs_command() gets "export"
4892 * or "checkout", but we ought to be accurate where possible.]
4894 do_cvs_command (!strcmp (cvs_cmd_name, "export") ? "export" : "checkout",
4901 serve_export (char *arg)
4903 /* Tell checkout() to behave like export not checkout. */
4904 cvs_cmd_name = "export";
4911 server_copy_file (const char *file, const char *update_dir,
4912 const char *repository, const char *newfile)
4914 /* At least for now, our practice is to have the server enforce
4915 noexec for the repository and the client enforce it for the
4916 working directory. This might want more thought, and/or
4917 documentation in cvsclient.texi (other responses do it
4920 if (!supported_response ("Copy-file"))
4922 buf_output0 (protocol, "Copy-file ");
4923 output_dir (update_dir, repository);
4924 buf_output0 (protocol, file);
4925 buf_output0 (protocol, "\n");
4926 buf_output0 (protocol, newfile);
4927 buf_output0 (protocol, "\n");
4932 /* See server.h for description. */
4934 server_modtime (struct file_info *finfo, Vers_TS *vers_ts)
4936 char date[MAXDATELEN];
4937 char outdate[MAXDATELEN];
4939 assert (vers_ts->vn_rcs != NULL);
4941 if (!supported_response ("Mod-time"))
4944 if (RCS_getrevtime (finfo->rcs, vers_ts->vn_rcs, date, 0) == (time_t) -1)
4945 /* FIXME? should we be printing some kind of warning? For one
4946 thing I'm not 100% sure whether this happens in non-error
4949 date_to_internet (outdate, date);
4950 buf_output0 (protocol, "Mod-time ");
4951 buf_output0 (protocol, outdate);
4952 buf_output0 (protocol, "\n");
4957 /* See server.h for description. */
4960 struct file_info *finfo,
4962 enum server_updated_arg4 updated,
4964 unsigned char *checksum,
4965 struct buffer *filebuf)
4969 /* Hmm, maybe if we did the same thing for entries_file, we
4970 could get rid of the kludges in server_register and
4971 server_scratch which refrain from warning if both
4972 Scratch_Entry and Register get called. Maybe. */
4975 free (scratched_file);
4976 scratched_file = NULL;
4978 buf_send_counted (protocol);
4982 if (entries_line != NULL && scratched_file == NULL)
4985 struct buffer_data *list, *last;
4989 /* The contents of the file will be in one of filebuf,
4990 list/last, or here. */
4991 unsigned char *file;
4992 size_t file_allocated;
4995 if (filebuf != NULL)
4997 size = buf_length (filebuf);
4998 if (mode == (mode_t) -1)
5000 CVS server internal error: no mode in server_updated");
5006 if (stat (finfo->file, &sb) < 0)
5008 if (existence_error (errno))
5010 /* If we have a sticky tag for a branch on which
5011 the file is dead, and cvs update the directory,
5012 it gets a T_CHECKOUT but no file. So in this
5013 case just forget the whole thing. */
5014 free (entries_line);
5015 entries_line = NULL;
5018 error (1, errno, "reading %s", finfo->fullname);
5021 if (mode == (mode_t) -1)
5023 /* FIXME: When we check out files the umask of the
5024 server (set in .bashrc if rsh is in use) affects
5025 what mode we send, and it shouldn't. */
5030 if (checksum != NULL)
5032 static int checksum_supported = -1;
5034 if (checksum_supported == -1)
5036 checksum_supported = supported_response ("Checksum");
5039 if (checksum_supported)
5044 buf_output0 (protocol, "Checksum ");
5045 for (i = 0; i < 16; i++)
5047 sprintf (buf, "%02x", (unsigned int) checksum[i]);
5048 buf_output0 (protocol, buf);
5050 buf_append_char (protocol, '\n');
5054 if (updated == SERVER_UPDATED)
5059 if (!(supported_response ("Created")
5060 && supported_response ("Update-existing")))
5061 buf_output0 (protocol, "Updated ");
5064 assert (vers != NULL);
5065 if (vers->ts_user == NULL)
5066 buf_output0 (protocol, "Created ");
5068 buf_output0 (protocol, "Update-existing ");
5071 /* Now munge the entries to say that the file is unmodified,
5072 in case we end up processing it again (e.g. modules3-6
5073 in the testsuite). */
5074 node = findnode_fn (finfo->entries, finfo->file);
5075 entnode = node->data;
5076 free (entnode->timestamp);
5077 entnode->timestamp = xstrdup ("=");
5079 else if (updated == SERVER_MERGED)
5080 buf_output0 (protocol, "Merged ");
5081 else if (updated == SERVER_PATCHED)
5082 buf_output0 (protocol, "Patched ");
5083 else if (updated == SERVER_RCS_DIFF)
5084 buf_output0 (protocol, "Rcs-diff ");
5087 output_dir (finfo->update_dir, finfo->repository);
5088 buf_output0 (protocol, finfo->file);
5089 buf_output (protocol, "\n", 1);
5091 new_entries_line ();
5096 mode_string = mode_to_string (mode);
5097 buf_output0 (protocol, mode_string);
5098 buf_output0 (protocol, "\n");
5110 /* Throughout this section we use binary mode to read the
5111 file we are sending. The client handles any line ending
5112 translation if necessary. */
5116 * For really tiny files, the gzip process startup
5117 * time will outweigh the compression savings. This
5118 * might be computable somehow; using 100 here is just
5119 * a first approximation.
5123 /* Basing this routine on read_and_gzip is not a
5124 high-performance approach. But it seems easier
5125 to code than the alternative (and less
5126 vulnerable to subtle bugs). Given that this feature
5127 is mainly for compatibility, that is the better
5132 /* Callers must avoid passing us a buffer if
5133 file_gzip_level is set. We could handle this case,
5134 but it's not worth it since this case never arises
5135 with a current client and server. */
5136 if (filebuf != NULL)
5138 CVS server internal error: unhandled case in server_updated");
5140 fd = CVS_OPEN (finfo->file, O_RDONLY | OPEN_BINARY, 0);
5142 error (1, errno, "reading %s", finfo->fullname);
5143 if (read_and_gzip (fd, finfo->fullname, &file,
5144 &file_allocated, &file_used,
5146 error (1, 0, "aborting due to compression error");
5149 error (1, errno, "reading %s", finfo->fullname);
5150 /* Prepending length with "z" is flag for using gzip here. */
5151 buf_output0 (protocol, "z");
5153 else if (filebuf == NULL)
5157 f = CVS_FOPEN (finfo->file, "rb");
5159 error (1, errno, "reading %s", finfo->fullname);
5160 status = buf_read_file (f, size, &list, &last);
5162 (*protocol->memory_error) (protocol);
5163 else if (status != 0)
5164 error (1, ferror (f) ? errno : 0, "reading %s",
5166 if (fclose (f) == EOF)
5167 error (1, errno, "reading %s", finfo->fullname);
5171 sprintf (size_text, "%lu\n", size);
5172 buf_output0 (protocol, size_text);
5176 buf_output (protocol, (char *) file, file_used);
5180 else if (filebuf == NULL)
5181 buf_append_data (protocol, list, last);
5183 buf_append_buffer (protocol, filebuf);
5184 /* Note we only send a newline here if the file ended with one. */
5187 * Avoid using up too much disk space for temporary files.
5188 * A file which does not exist indicates that the file is up-to-date,
5189 * which is now the case. If this is SERVER_MERGED, the file is
5190 * not up-to-date, and we indicate that by leaving the file there.
5191 * I'm thinking of cases like "cvs update foo/foo.c foo".
5193 if ((updated == SERVER_UPDATED
5194 || updated == SERVER_PATCHED
5195 || updated == SERVER_RCS_DIFF)
5197 /* But if we are joining, we'll need the file when we call
5201 if (CVS_UNLINK (finfo->file) < 0)
5202 error (0, errno, "cannot remove temp file for %s",
5206 else if (scratched_file != NULL && entries_line == NULL)
5208 if (strcmp (scratched_file, finfo->file) != 0)
5210 "CVS server internal error: `%s' vs. `%s' scratched",
5213 free (scratched_file);
5214 scratched_file = NULL;
5216 if (kill_scratched_file)
5217 buf_output0 (protocol, "Removed ");
5219 buf_output0 (protocol, "Remove-entry ");
5220 output_dir (finfo->update_dir, finfo->repository);
5221 buf_output0 (protocol, finfo->file);
5222 buf_output (protocol, "\n", 1);
5223 /* keep the vers structure up to date in case we do a join
5224 * - if there isn't a file, it can't very well have a version number,
5227 * we do it here on the assumption that since we just told the client
5228 * to remove the file/entry, it will, and we want to remember that.
5229 * If it fails, that's the client's problem, not ours
5231 if (vers && vers->vn_user != NULL)
5233 free (vers->vn_user);
5234 vers->vn_user = NULL;
5236 if (vers && vers->ts_user != NULL)
5238 free (vers->ts_user);
5239 vers->ts_user = NULL;
5242 else if (scratched_file == NULL && entries_line == NULL)
5245 * This can happen with death support if we were processing
5246 * a dead file in a checkout.
5251 "CVS server internal error: Register *and* Scratch_Entry.\n");
5252 buf_send_counted (protocol);
5258 /* Return whether we should send patches in RCS format. */
5260 server_use_rcs_diff (void)
5262 return supported_response ("Rcs-diff");
5268 server_set_entstat (const char *update_dir, const char *repository)
5270 static int set_static_supported = -1;
5271 if (set_static_supported == -1)
5272 set_static_supported = supported_response ("Set-static-directory");
5273 if (!set_static_supported) return;
5275 buf_output0 (protocol, "Set-static-directory ");
5276 output_dir (update_dir, repository);
5277 buf_output0 (protocol, "\n");
5278 buf_send_counted (protocol);
5284 server_clear_entstat (const char *update_dir, const char *repository)
5286 static int clear_static_supported = -1;
5287 if (clear_static_supported == -1)
5288 clear_static_supported = supported_response ("Clear-static-directory");
5289 if (!clear_static_supported) return;
5294 buf_output0 (protocol, "Clear-static-directory ");
5295 output_dir (update_dir, repository);
5296 buf_output0 (protocol, "\n");
5297 buf_send_counted (protocol);
5303 server_set_sticky (const char *update_dir, const char *repository,
5304 const char *tag, const char *date, int nonbranch)
5306 static int set_sticky_supported = -1;
5308 assert (update_dir != NULL);
5310 if (set_sticky_supported == -1)
5311 set_sticky_supported = supported_response ("Set-sticky");
5312 if (!set_sticky_supported) return;
5317 if (tag == NULL && date == NULL)
5319 buf_output0 (protocol, "Clear-sticky ");
5320 output_dir (update_dir, repository);
5321 buf_output0 (protocol, "\n");
5325 buf_output0 (protocol, "Set-sticky ");
5326 output_dir (update_dir, repository);
5327 buf_output0 (protocol, "\n");
5331 buf_output0 (protocol, "N");
5333 buf_output0 (protocol, "T");
5334 buf_output0 (protocol, tag);
5338 buf_output0 (protocol, "D");
5339 buf_output0 (protocol, date);
5341 buf_output0 (protocol, "\n");
5343 buf_send_counted (protocol);
5349 server_edit_file (struct file_info *finfo)
5351 buf_output (protocol, "Edit-file ", 10);
5352 output_dir (finfo->update_dir, finfo->repository);
5353 buf_output0 (protocol, finfo->file);
5354 buf_output (protocol, "\n", 1);
5355 buf_send_counted (protocol);
5360 struct template_proc_data
5362 const char *update_dir;
5363 const char *repository;
5367 template_proc (const char *repository, const char *template, void *closure)
5373 struct template_proc_data *data = (struct template_proc_data *)closure;
5375 if (!supported_response ("Template"))
5376 /* Might want to warn the user that the rcsinfo feature won't work. */
5378 buf_output0 (protocol, "Template ");
5379 output_dir (data->update_dir, data->repository);
5380 buf_output0 (protocol, "\n");
5382 fp = CVS_FOPEN (template, "rb");
5385 error (0, errno, "Couldn't open rcsinfo template file %s", template);
5388 if (fstat (fileno (fp), &sb) < 0)
5390 error (0, errno, "cannot stat rcsinfo template file %s", template);
5393 sprintf (buf, "%ld\n", (long) sb.st_size);
5394 buf_output0 (protocol, buf);
5397 n = fread (buf, 1, sizeof buf, fp);
5398 buf_output (protocol, buf, n);
5401 error (0, errno, "cannot read rcsinfo template file %s", template);
5406 buf_send_counted (protocol);
5407 if (fclose (fp) < 0)
5408 error (0, errno, "cannot close rcsinfo template file %s", template);
5415 server_clear_template (const char *update_dir, const char *repository)
5417 assert (update_dir != NULL);
5422 if (!supported_response ("Clear-template") &&
5423 !supported_response ("Template"))
5424 /* Might want to warn the user that the rcsinfo feature won't work. */
5427 if (supported_response ("Clear-template"))
5429 buf_output0 (protocol, "Clear-template ");
5430 output_dir (update_dir, repository);
5431 buf_output0 (protocol, "\n");
5432 buf_send_counted (protocol);
5436 buf_output0 (protocol, "Template ");
5437 output_dir (update_dir, repository);
5438 buf_output0 (protocol, "\n");
5439 buf_output0 (protocol, "0\n");
5440 buf_send_counted (protocol);
5447 server_template (const char *update_dir, const char *repository)
5449 struct template_proc_data data;
5450 data.update_dir = update_dir;
5451 data.repository = repository;
5452 (void) Parse_Info (CVSROOTADM_RCSINFO, repository, template_proc,
5459 serve_gzip_contents (char *arg)
5462 bool forced = false;
5464 # ifdef PROXY_SUPPORT
5465 assert (!proxy_log);
5466 # endif /* PROXY_SUPPORT */
5472 if (config && level < config->MinCompressionLevel)
5474 level = config->MinCompressionLevel;
5477 if (config && level > config->MaxCompressionLevel)
5479 level = config->MaxCompressionLevel;
5483 if (forced && !quiet
5484 && alloc_pending_warning (120 + strlen (program_name)))
5485 sprintf (pending_warning_text,
5486 "E %s server: Forcing compression level %d (allowed: %d <= z <= %d).",
5487 program_name, level, config->MinCompressionLevel,
5488 config->MaxCompressionLevel);
5490 gzip_level = file_gzip_level = level;
5496 serve_gzip_stream (char *arg)
5499 bool forced = false;
5503 if (config && level < config->MinCompressionLevel)
5505 level = config->MinCompressionLevel;
5508 if (config && level > config->MaxCompressionLevel)
5510 level = config->MaxCompressionLevel;
5514 if (forced && !quiet
5515 && alloc_pending_warning (120 + strlen (program_name)))
5516 sprintf (pending_warning_text,
5517 "E %s server: Forcing compression level %d (allowed: %d <= z <= %d).",
5518 program_name, level, config->MinCompressionLevel,
5519 config->MaxCompressionLevel);
5523 /* All further communication with the client will be compressed.
5525 * The deflate buffers need to be initialized even for compression level
5526 * 0, or the client will no longer be able to understand us. At
5527 * compression level 0, the correct compression headers will be created and
5528 * sent, but data will thereafter simply be copied to the network buffers.
5531 /* This needs to be processed in both passes so that we may continue to
5532 * understand client requests on both the socket and from the log.
5534 buf_from_net = compress_buffer_initialize (buf_from_net, 1,
5536 buf_from_net->memory_error);
5538 /* This needs to be skipped in subsequent passes to avoid compressing data
5539 * to the client twice.
5541 # ifdef PROXY_SUPPORT
5542 if (reprocessing) return;
5543 # endif /* PROXY_SUPPORT */
5544 buf_to_net = compress_buffer_initialize (buf_to_net, 0, level,
5545 buf_to_net->memory_error);
5550 /* Tell the client about RCS options set in CVSROOT/cvswrappers. */
5552 serve_wrapper_sendme_rcs_options (char *arg)
5554 /* Actually, this is kind of sdrawkcab-ssa: the client wants
5555 * verbatim lines from a cvswrappers file, but the server has
5556 * already parsed the cvswrappers file into the wrap_list struct.
5557 * Therefore, the server loops over wrap_list, unparsing each
5558 * entry before sending it.
5560 char *wrapper_line = NULL;
5562 # ifdef PROXY_SUPPORT
5563 if (reprocessing) return;
5564 # endif /* PROXY_SUPPORT */
5568 for (wrap_unparse_rcs_options (&wrapper_line, 1);
5570 wrap_unparse_rcs_options (&wrapper_line, 0))
5572 buf_output0 (buf_to_net, "Wrapper-rcsOption ");
5573 buf_output0 (buf_to_net, wrapper_line);
5574 buf_output0 (buf_to_net, "\012");;
5575 free (wrapper_line);
5578 buf_output0 (buf_to_net, "ok\012");
5580 /* The client is waiting for us, so we better send the data now. */
5581 buf_flush (buf_to_net, 1);
5587 serve_ignore (char *arg)
5590 * Just ignore this command. This is used to support the
5591 * update-patches command, which is not a real command, but a signal
5592 * to the client that update will accept the -u argument.
5594 # ifdef PROXY_SUPPORT
5595 assert (!proxy_log);
5596 # endif /* PROXY_SUPPORT */
5602 expand_proc (int argc, char **argv, char *where, char *mwhere, char *mfile, int shorten, int local_specified, char *omodule, char *msg)
5605 char *dir = argv[0];
5607 /* If mwhere has been specified, the thing we're expanding is a
5608 module -- just return its name so the client will ask for the
5609 right thing later. If it is an alias or a real directory,
5610 mwhere will not be set, so send out the appropriate
5615 buf_output0 (buf_to_net, "Module-expansion ");
5616 if (server_dir != NULL)
5618 buf_output0 (buf_to_net, server_dir);
5619 buf_output0 (buf_to_net, "/");
5621 buf_output0 (buf_to_net, mwhere);
5624 buf_append_char (buf_to_net, '/');
5625 buf_output0 (buf_to_net, mfile);
5627 buf_append_char (buf_to_net, '\n');
5631 /* We may not need to do this anymore -- check the definition
5632 of aliases before removing */
5635 buf_output0 (buf_to_net, "Module-expansion ");
5636 if (server_dir != NULL)
5638 buf_output0 (buf_to_net, server_dir);
5639 buf_output0 (buf_to_net, "/");
5641 buf_output0 (buf_to_net, dir);
5642 buf_append_char (buf_to_net, '\n');
5646 for (i = 1; i < argc; ++i)
5648 buf_output0 (buf_to_net, "Module-expansion ");
5649 if (server_dir != NULL)
5651 buf_output0 (buf_to_net, server_dir);
5652 buf_output0 (buf_to_net, "/");
5654 buf_output0 (buf_to_net, dir);
5655 buf_append_char (buf_to_net, '/');
5656 buf_output0 (buf_to_net, argv[i]);
5657 buf_append_char (buf_to_net, '\n');
5667 serve_expand_modules (char *arg)
5673 # ifdef PROXY_SUPPORT
5674 /* This needs to be processed in the first pass since the client expects a
5675 * response but we may not yet know if we are a secondary.
5677 * On the second pass, we still must make sure to ignore the arguments.
5680 # endif /* PROXY_SUPPORT */
5684 db = open_module ();
5685 for (i = 1; i < argument_count; i++)
5686 err += do_module (db, argument_vector[i],
5687 CHECKOUT, "Updating", expand_proc,
5688 NULL, 0, 0, 0, 0, NULL);
5693 /* argument_vector[0] is a dummy argument, we don't mess with it. */
5695 for (cp = argument_vector + 1;
5696 cp < argument_vector + argument_count;
5703 # ifdef PROXY_SUPPORT
5705 # endif /* PROXY_SUPPORT */
5708 /* We will have printed an error message already. */
5709 buf_output0 (buf_to_net, "error \n");
5711 buf_output0 (buf_to_net, "ok\n");
5713 /* The client is waiting for the module expansions, so we must
5714 send the output now. */
5715 buf_flush (buf_to_net, 1);
5721 /* Decide if we should redirect the client to another server.
5724 * config->PrimaryServer The server to redirect write requests to, if
5728 * The `Root' request has already been processed.
5734 serve_command_prep (char *arg)
5736 bool redirect_supported;
5737 # ifdef PROXY_SUPPORT
5739 # endif /* PROXY_SUPPORT */
5741 if (print_pending_error ()) return;
5743 redirect_supported = supported_response ("Redirect");
5744 if (redirect_supported
5745 && lookup_command_attribute (arg) & CVS_CMD_MODIFIES_REPOSITORY
5746 /* I call isProxyServer() last because it can probably be the slowest
5747 * call due to the call to gethostbyname().
5749 && isProxyServer ())
5751 /* Before sending a redirect, send a "Referrer" line to the client,
5752 * if possible, to give admins more control over canonicalizing roots
5753 * sent from the client.
5755 if (supported_response ("Referrer"))
5757 /* assume :ext:, since that is all we currently support for
5758 * proxies and redirection.
5760 char *referrer = Xasprintf (":ext:%s@%s%s", getcaller(),
5762 current_parsed_root->directory);
5764 buf_output0 (buf_to_net, "Referrer ");
5765 buf_output0 (buf_to_net, referrer);
5766 buf_output0 (buf_to_net, "\n");
5771 /* Send `Redirect' to redirect client requests to the primary. */
5772 buf_output0 (buf_to_net, "Redirect ");
5773 buf_output0 (buf_to_net, config->PrimaryServer->original);
5774 buf_output0 (buf_to_net, "\n");
5775 buf_flush (buf_to_net, 1);
5776 # ifdef PROXY_SUPPORT
5778 # endif /* PROXY_SUPPORT */
5782 /* Send `ok' so the client can proceed. */
5783 buf_output0 (buf_to_net, "ok\n");
5784 buf_flush (buf_to_net, 1);
5785 # ifdef PROXY_SUPPORT
5786 if (lookup_command_attribute (arg) & CVS_CMD_MODIFIES_REPOSITORY
5787 && isProxyServer ())
5788 /* Don't ditch the log for write commands on a proxy server. We
5789 * we got here because the `Redirect' response was not supported.
5794 # endif /* PROXY_SUPPORT */
5796 # ifdef PROXY_SUPPORT
5797 if (proxy_log && ditch_log)
5799 /* If the client supported the redirect response, then they will always
5800 * be redirected if they are preparing for a write request. It is
5801 * therefore safe to close the proxy logs.
5803 * If the client is broken and ignores the redirect, this will be
5804 * detected later, in rewind_buf_from_net().
5806 * Since a `Command-prep' response is only acceptable immediately
5807 * following the `Root' request according to the specification, there
5808 * is no need to rewind the log and reprocess.
5810 log_buffer_closelog (proxy_log);
5811 log_buffer_closelog (proxy_log_out);
5814 # endif /* PROXY_SUPPORT */
5819 /* Save a referrer, potentially for passing to hook scripts later.
5822 * referrer Where we save the parsed referrer.
5825 * The `Root' request has already been processed.
5826 * There is no need to dispose of REFERRER if it is set. It's memory is
5827 * tracked by parse_root().
5833 serve_referrer (char *arg)
5835 if (error_pending ()) return;
5837 referrer = parse_cvsroot (arg);
5840 && alloc_pending (80 + strlen (arg)))
5841 sprintf (pending_error_text,
5842 "E Protocol error: Invalid Referrer: `%s'",
5848 static void serve_valid_requests (char *arg);
5850 #endif /* SERVER_SUPPORT */
5852 * Comment to move position of the following #if line which works
5853 * around an apparent bug in Microsoft Visual C++ 6.0 compiler.
5855 #if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT)
5857 * Parts of this table are shared with the client code,
5858 * but the client doesn't need to know about the handler
5862 struct request requests[] =
5864 #ifdef SERVER_SUPPORT
5865 #define REQ_LINE(n, f, s) {n, f, s}
5867 #define REQ_LINE(n, f, s) {n, s}
5870 REQ_LINE("Root", serve_root, RQ_ESSENTIAL | RQ_ROOTLESS),
5871 REQ_LINE("Valid-responses", serve_valid_responses,
5872 RQ_ESSENTIAL | RQ_ROOTLESS),
5873 REQ_LINE("valid-requests", serve_valid_requests,
5874 RQ_ESSENTIAL | RQ_ROOTLESS),
5875 REQ_LINE("Command-prep", serve_command_prep, 0),
5876 REQ_LINE("Referrer", serve_referrer, 0),
5877 REQ_LINE("Repository", serve_repository, 0),
5878 REQ_LINE("Directory", serve_directory, RQ_ESSENTIAL),
5879 REQ_LINE("Relative-directory", serve_directory, 0),
5880 REQ_LINE("Max-dotdot", serve_max_dotdot, 0),
5881 REQ_LINE("Static-directory", serve_static_directory, 0),
5882 REQ_LINE("Sticky", serve_sticky, 0),
5883 REQ_LINE("Entry", serve_entry, RQ_ESSENTIAL),
5884 REQ_LINE("Kopt", serve_kopt, 0),
5885 REQ_LINE("Checkin-time", serve_checkin_time, 0),
5886 REQ_LINE("Modified", serve_modified, RQ_ESSENTIAL),
5887 REQ_LINE("Is-modified", serve_is_modified, 0),
5889 /* The client must send this request to interoperate with CVS 1.5
5890 through 1.9 servers. The server must support it (although it can
5891 be and is a noop) to interoperate with CVS 1.5 to 1.9 clients. */
5892 REQ_LINE("UseUnchanged", serve_enable_unchanged, RQ_ENABLEME | RQ_ROOTLESS),
5894 REQ_LINE("Unchanged", serve_unchanged, RQ_ESSENTIAL),
5895 REQ_LINE("Notify", serve_notify, 0),
5896 REQ_LINE("Hostname", serve_hostname, 0),
5897 REQ_LINE("LocalDir", serve_localdir, 0),
5898 REQ_LINE("Questionable", serve_questionable, 0),
5899 REQ_LINE("Argument", serve_argument, RQ_ESSENTIAL),
5900 REQ_LINE("Argumentx", serve_argumentx, RQ_ESSENTIAL),
5901 REQ_LINE("Global_option", serve_global_option, RQ_ROOTLESS),
5902 /* This is rootless, even though the client/server spec does not specify
5903 * such, to allow error messages to be understood by the client when they are
5906 REQ_LINE("Gzip-stream", serve_gzip_stream, RQ_ROOTLESS),
5907 REQ_LINE("wrapper-sendme-rcsOptions",
5908 serve_wrapper_sendme_rcs_options,
5910 REQ_LINE("Set", serve_set, RQ_ROOTLESS),
5912 /* These are rootless despite what the client/server spec says for the same
5913 * reasons as Gzip-stream.
5915 # ifdef HAVE_KERBEROS
5916 REQ_LINE("Kerberos-encrypt", serve_kerberos_encrypt, RQ_ROOTLESS),
5919 REQ_LINE("Gssapi-encrypt", serve_gssapi_encrypt, RQ_ROOTLESS),
5923 REQ_LINE("Gssapi-authenticate", serve_gssapi_authenticate, RQ_ROOTLESS),
5925 REQ_LINE("expand-modules", serve_expand_modules, 0),
5926 REQ_LINE("ci", serve_ci, RQ_ESSENTIAL),
5927 REQ_LINE("co", serve_co, RQ_ESSENTIAL),
5928 REQ_LINE("update", serve_update, RQ_ESSENTIAL),
5929 REQ_LINE("diff", serve_diff, 0),
5930 REQ_LINE("log", serve_log, 0),
5931 REQ_LINE("rlog", serve_rlog, 0),
5932 REQ_LINE("list", serve_ls, 0),
5933 REQ_LINE("rlist", serve_rls, 0),
5934 /* This allows us to avoid sending `-q' as a command argument to `cvs ls',
5935 * or more accurately, allows us to send `-q' to backwards CVSNT servers.
5937 REQ_LINE("global-list-quiet", serve_noop, RQ_ROOTLESS),
5938 /* Deprecated synonym for rlist, for compatibility with CVSNT. */
5939 REQ_LINE("ls", serve_rls, 0),
5940 REQ_LINE("add", serve_add, 0),
5941 REQ_LINE("remove", serve_remove, 0),
5942 REQ_LINE("update-patches", serve_ignore, 0),
5943 REQ_LINE("gzip-file-contents", serve_gzip_contents, RQ_ROOTLESS),
5944 REQ_LINE("status", serve_status, 0),
5945 REQ_LINE("rdiff", serve_rdiff, 0),
5946 REQ_LINE("tag", serve_tag, 0),
5947 REQ_LINE("rtag", serve_rtag, 0),
5948 REQ_LINE("import", serve_import, 0),
5949 REQ_LINE("admin", serve_admin, 0),
5950 REQ_LINE("export", serve_export, 0),
5951 REQ_LINE("history", serve_history, 0),
5952 REQ_LINE("release", serve_release, 0),
5953 REQ_LINE("watch-on", serve_watch_on, 0),
5954 REQ_LINE("watch-off", serve_watch_off, 0),
5955 REQ_LINE("watch-add", serve_watch_add, 0),
5956 REQ_LINE("watch-remove", serve_watch_remove, 0),
5957 REQ_LINE("watchers", serve_watchers, 0),
5958 REQ_LINE("editors", serve_editors, 0),
5959 REQ_LINE("edit", serve_edit, 0),
5960 REQ_LINE("init", serve_init, RQ_ROOTLESS),
5961 REQ_LINE("annotate", serve_annotate, 0),
5962 REQ_LINE("rannotate", serve_rannotate, 0),
5963 REQ_LINE("noop", serve_noop, RQ_ROOTLESS),
5964 REQ_LINE("version", serve_version, RQ_ROOTLESS),
5965 REQ_LINE(NULL, NULL, 0)
5969 #endif /* SERVER_SUPPORT or CLIENT_SUPPORT */
5973 #ifdef SERVER_SUPPORT
5975 * This server request is not ignored by the secondary.
5978 serve_valid_requests (char *arg)
5982 /* Since this is processed in the first pass, don't reprocess it in the
5985 * We still print errors since new errors could have been generated in the
5988 if (print_pending_error ()
5989 #ifdef PROXY_SUPPORT
5991 #endif /* PROXY_SUPPORT */
5995 buf_output0 (buf_to_net, "Valid-requests");
5996 for (rq = requests; rq->name != NULL; rq++)
5998 if (rq->func != NULL)
6000 buf_append_char (buf_to_net, ' ');
6001 buf_output0 (buf_to_net, rq->name);
6005 if (config && config->MinCompressionLevel
6006 && supported_response ("Force-gzip"))
6008 buf_output0 (buf_to_net, "\n");
6009 buf_output0 (buf_to_net, "Force-gzip");
6012 buf_output0 (buf_to_net, "\nok\n");
6014 /* The client is waiting for the list of valid requests, so we
6015 must send the output now. */
6016 buf_flush (buf_to_net, 1);
6023 * Delete temporary files. SIG is the signal making this happen, or
6024 * 0 if not called as a result of a signal.
6026 static int command_pid_is_dead;
6027 static void wait_sig (int sig)
6030 pid_t r = wait (&status);
6031 if (r == command_pid)
6032 command_pid_is_dead++;
6034 #endif /* SUNOS_KLUDGE */
6039 * This function cleans up after the server. Specifically, it:
6042 * <li>Sets BUF_TO_NET to blocking and fluxhes it.</li>
6043 * <li>With SUNOS_KLUDGE enabled:
6045 * <li>Terminates the command process.</li>
6046 * <li>Waits on the command process, draining output as necessary.</li>
6049 * <li>Removes the temporary directory.</li>
6050 * <li>Flush and shutdown the buffers.</li>
6051 * <li>Set ERROR_USE_PROTOCOL and SERVER_ACTIVE to false.</li>
6055 * This function needs to be reentrant since a call to exit() can cause a
6056 * call to this function, which can then be interrupted by a signal, which
6057 * can cause a second call to this function.
6060 * buf_from_net The input buffer which brings data from the
6062 * buf_to_net The output buffer which moves data to the CVS
6064 * error_use_protocol Set when the server parent process is active.
6065 * Cleared for the server child processes.
6066 * dont_delete_temp Set when a core dump of a child process is
6067 * detected so that the core and related data may
6069 * noexec Whether we are supposed to change the disk.
6070 * orig_server_temp_dir The temporary directory we created within
6071 * Tmpdir for our duplicate of the client
6078 * Problems encountered during the cleanup, for instance low memory or
6079 * problems deleting the temp files and directories, can cause the error
6080 * function to be called, which might call exit. If exit gets called in this
6081 * manner. this routine will not complete, but the other exit handlers
6082 * registered via atexit() will still run.
6088 server_cleanup (void)
6090 TRACE (TRACE_FUNCTION, "server_cleanup()");
6092 assert (server_active);
6094 /* FIXME: Do not perform buffered I/O from an interrupt handler like
6095 * this (via error). However, I'm leaving the error-calling code there
6096 * in the hope that on the rare occasion the error call is actually made
6097 * (e.g., a fluky I/O error or permissions problem prevents the deletion
6098 * of a just-created file) reentrancy won't be an issue.
6101 /* We don't want to be interrupted during calls which set globals to NULL,
6102 * but we know that by the time we reach this function, interrupts have
6103 * already been blocked.
6106 /* Since we install this function in an atexit() handler before forking,
6107 * reuse the ERROR_USE_PROTOCOL flag, which we know is only set in the
6108 * parent server process, to avoid cleaning up the temp space multiple
6109 * times. Skip the buf_to_net checks too as an optimization since we know
6110 * they will be set to NULL in the child process anyhow.
6112 if (error_use_protocol)
6114 if (buf_to_net != NULL)
6118 /* Since we're done, go ahead and put BUF_TO_NET back into blocking
6119 * mode and send any pending output. In the usual case there won't
6120 * won't be any, but there might be if an error occured.
6123 set_block (buf_to_net);
6124 buf_flush (buf_to_net, 1);
6126 /* Next we shut down BUF_FROM_NET. That will pick up the checksum
6127 * generated when the client shuts down its buffer. Then, after we
6128 * have generated any final output, we shut down BUF_TO_NET.
6131 /* SIG_beginCrSect(); */
6134 status = buf_shutdown (buf_from_net);
6136 error (0, status, "shutting down buffer from client");
6137 buf_free (buf_from_net);
6138 buf_from_net = NULL;
6140 /* SIG_endCrSect(); */
6143 if (!dont_delete_temp)
6147 /* What a bogus kludge. This disgusting code makes all kinds of
6148 assumptions about SunOS, and is only for a bug in that system.
6149 So only enable it on Suns. */
6151 if (command_pid > 0)
6153 /* To avoid crashes on SunOS due to bugs in SunOS tmpfs
6154 * triggered by the use of rename() in RCS, wait for the
6155 * subprocess to die. Unfortunately, this means draining
6156 * output while waiting for it to unblock the signal we sent
6162 signal (SIGCHLD, wait_sig);
6163 /* Perhaps SIGTERM would be more correct. But the child
6164 process will delay the SIGINT delivery until its own
6165 children have exited. */
6166 kill (command_pid, SIGINT);
6167 /* The caller may also have sent a signal to command_pid, so
6168 * always try waiting. First, though, check and see if it's
6172 r = waitpid (command_pid, &status, WNOHANG);
6175 else if (r == command_pid)
6176 command_pid_is_dead++;
6181 command_pid_is_dead++;
6187 /* waitpid should always return one of the above values */
6189 while (!command_pid_is_dead)
6191 struct timeval timeout;
6192 struct fd_set_wrapper readfds;
6196 /* Use a non-zero timeout to avoid eating up CPU cycles. */
6198 timeout.tv_usec = 0;
6199 readfds = command_fds_to_drain;
6200 switch (select (max_command_fd + 1, &readfds.fds,
6201 NULL, NULL &timeout))
6210 for (i = 0; i <= max_command_fd; i++)
6212 if (!FD_ISSET (i, &readfds.fds))
6214 /* this fd is non-blocking */
6215 while (read (i, buf, sizeof (buf)) >= 1)
6224 #endif /* SUNOS_KLUDGE */
6226 /* Make sure our working directory isn't inside the tree we're
6228 CVS_CHDIR (get_cvs_tmp_dir ());
6230 /* Temporarily clear noexec, so that we clean up our temp directory
6231 regardless of it (this could more cleanly be handled by moving
6232 the noexec check to all the unlink_file_dir callers from
6233 unlink_file_dir itself). */
6234 save_noexec = noexec;
6236 /* SIG_beginCrSect(); */
6238 unlink_file_dir (orig_server_temp_dir);
6239 noexec = save_noexec;
6240 /* SIG_endCrSect(); */
6241 } /* !dont_delete_temp */
6243 /* SIG_beginCrSect(); */
6244 if (buf_to_net != NULL)
6246 /* Save BUF_TO_NET and set the global pointer to NULL so that any
6247 * error messages generated during shutdown go to the syslog rather
6248 * than getting lost.
6250 struct buffer *buf_to_net_save = buf_to_net;
6253 (void) buf_flush (buf_to_net_save, 1);
6254 (void) buf_shutdown (buf_to_net_save);
6255 buf_free (buf_to_net_save);
6256 error_use_protocol = 0;
6258 /* SIG_endCrSect(); */
6266 #ifdef PROXY_SUPPORT
6267 size_t MaxProxyBufferSize = (size_t)(8 * 1024 * 1024); /* 8 megabytes,
6270 #endif /* PROXY_SUPPORT */
6272 static const char *const server_usage[] =
6274 "Usage: %s %s [-c config-file]\n",
6275 "\t-c config-file\tPath to an alternative CVS config file.\n",
6276 "Normally invoked by a cvs client on a remote machine.\n",
6283 parseServerOptions (int argc, char **argv)
6288 while ((c = getopt (argc, argv, "+c:")) != -1)
6292 #ifdef ALLOW_CONFIG_OVERRIDE
6294 if (gConfigPath) free (gConfigPath);
6295 gConfigPath = xstrdup (optarg);
6300 usage (server_usage);
6309 server (int argc, char **argv)
6311 char *error_prog_name; /* Used in error messages */
6314 usage (server_usage);
6316 /* Options were pre-parsed in main.c. */
6319 * Set this in .bashrc if you want to give yourself time to attach
6320 * to the subprocess with a debugger.
6322 if (getenv ("CVS_PARENT_SERVER_SLEEP"))
6324 int secs = atoi (getenv ("CVS_PARENT_SERVER_SLEEP"));
6325 TRACE (TRACE_DATA, "Sleeping CVS_PARENT_SERVER_SLEEP (%d) seconds",
6330 TRACE (TRACE_DATA, "CVS_PARENT_SERVER_SLEEP not set.");
6332 /* pserver_authenticate_connection () (called from main ()) can initialize
6337 buf_to_net = fd_buffer_initialize (STDOUT_FILENO, 0, NULL, false,
6338 outbuf_memory_error);
6339 buf_from_net = fd_buffer_initialize (STDIN_FILENO, 0, NULL, true,
6340 outbuf_memory_error);
6343 setup_logfiles ("CVS_SERVER_LOG", &buf_to_net, &buf_from_net);
6345 #ifdef PROXY_SUPPORT
6346 /* We have to set up the recording for all servers. Until we receive the
6347 * `Root' request and load CVSROOT/config, we can't tell if we are a
6348 * secondary or primary.
6351 /* Open the secondary log. */
6352 buf_from_net = log_buffer_initialize (buf_from_net, NULL,
6353 # ifdef PROXY_SUPPORT
6356 ? config->MaxProxyBufferSize
6357 : MaxProxyBufferSize,
6358 # endif /* PROXY_SUPPORT */
6359 true, outbuf_memory_error);
6360 proxy_log = buf_from_net;
6362 /* And again for the out log. */
6363 buf_to_net = log_buffer_initialize (buf_to_net, NULL,
6364 # ifdef PROXY_SUPPORT
6367 ? config->MaxProxyBufferSize
6368 : MaxProxyBufferSize,
6369 # endif /* PROXY_SUPPORT */
6370 false, outbuf_memory_error);
6371 proxy_log_out = buf_to_net;
6373 #endif /* PROXY_SUPPORT */
6375 saved_output = buf_nonio_initialize (outbuf_memory_error);
6376 saved_outerr = buf_nonio_initialize (outbuf_memory_error);
6378 /* Since we're in the server parent process, error should use the
6379 protocol to report error messages. */
6380 error_use_protocol = 1;
6382 /* Now initialize our argument vector (for arguments from the client). */
6384 /* Small for testing. */
6385 argument_vector_size = 1;
6386 argument_vector = xmalloc (argument_vector_size * sizeof (char *));
6388 /* This gets printed if the client supports an option which the
6389 server doesn't, causing the server to print a usage message.
6390 FIXME: just a nit, I suppose, but the usage message the server
6391 prints isn't literally true--it suggests "cvs server" followed
6392 by options which are for a particular command. Might be nice to
6393 say something like "client apparently supports an option not supported
6394 by this server" or something like that instead of usage message. */
6395 error_prog_name = xmalloc (strlen (program_name) + 8);
6396 sprintf(error_prog_name, "%s server", program_name);
6397 argument_vector[0] = error_prog_name;
6401 char *cmd, *orig_cmd;
6405 status = buf_read_line (buf_from_net, &cmd, NULL);
6408 buf_output0 (buf_to_net, "E Fatal server error, aborting.\n\
6409 error ENOMEM Virtual memory exhausted.\n");
6416 for (rq = requests; rq->name != NULL; ++rq)
6417 if (strncmp (cmd, rq->name, strlen (rq->name)) == 0)
6419 int len = strlen (rq->name);
6420 if (cmd[len] == '\0')
6422 else if (cmd[len] == ' ')
6426 * The first len characters match, but it's a different
6427 * command. e.g. the command is "cooperate" but we matched
6432 if (!(rq->flags & RQ_ROOTLESS)
6433 && current_parsed_root == NULL)
6435 if (alloc_pending (80))
6436 sprintf (pending_error_text,
6437 "E Protocol error: Root request missing");
6441 if (config && config->MinCompressionLevel && !gzip_level
6442 && !(rq->flags & RQ_ROOTLESS))
6444 /* This is a rootless request, a minimum compression
6445 * level has been configured, and no compression has
6446 * been requested by the client.
6448 if (alloc_pending (80 + strlen (program_name)))
6449 sprintf (pending_error_text,
6450 "E %s [server aborted]: Compression must be used with this server.",
6457 if (rq->name == NULL)
6459 if (!print_pending_error ())
6461 buf_output0 (buf_to_net, "error unrecognized request `");
6462 buf_output0 (buf_to_net, cmd);
6463 buf_append_char (buf_to_net, '\'');
6464 buf_append_char (buf_to_net, '\n');
6470 free (error_prog_name);
6472 /* We expect the client is done talking to us at this point. If there is
6473 * any data in the buffer or on the network pipe, then something we didn't
6474 * prepare for is happening.
6476 if (!buf_empty (buf_from_net))
6478 /* Try to send the error message to the client, but also syslog it, in
6479 * case the client isn't listening anymore.
6481 #ifdef HAVE_SYSLOG_H
6482 /* FIXME: Can the IP address of the connecting client be retrieved
6485 syslog (LOG_DAEMON | LOG_ERR, "Dying gasps received from client.");
6486 #endif /* HAVE_SYSLOG_H */
6487 error (0, 0, "Dying gasps received from client.");
6495 retval = pam_close_session (pamh, 0);
6496 # ifdef HAVE_SYSLOG_H
6497 if (retval != PAM_SUCCESS)
6498 syslog (LOG_DAEMON | LOG_ERR,
6499 "PAM close session error: %s",
6500 pam_strerror (pamh, retval));
6501 # endif /* HAVE_SYSLOG_H */
6503 retval = pam_end (pamh, retval);
6504 # ifdef HAVE_SYSLOG_H
6505 if (retval != PAM_SUCCESS)
6506 syslog (LOG_DAEMON | LOG_ERR,
6507 "PAM failed to release authenticator, error: %s",
6508 pam_strerror (pamh, retval));
6509 # endif /* HAVE_SYSLOG_H */
6511 #endif /* HAVE_PAM */
6513 /* server_cleanup() will be called on a normal exit and close the buffers
6521 #if defined (HAVE_KERBEROS) || defined (AUTH_SERVER_SUPPORT) || defined (HAVE_GSSAPI)
6523 switch_to_user (const char *cvs_username, const char *username)
6528 char *pam_stage = "open session";
6532 retval = pam_open_session (pamh, 0);
6533 if (retval == PAM_SUCCESS)
6535 pam_stage = "get pam user";
6536 retval = pam_get_item (pamh, PAM_USER, (const void **)&username);
6539 if (retval != PAM_SUCCESS)
6541 printf("E PAM %s error: %s\n", pam_stage,
6542 pam_strerror (pamh, retval));
6543 exit (EXIT_FAILURE);
6548 pw = getpwnam (username);
6551 /* check_password contains a similar check, so this usually won't be
6552 reached unless the CVS user is mapped to an invalid system user. */
6554 printf ("E Fatal error, aborting.\n\
6555 error 0 %s: no such system user\n", username);
6556 exit (EXIT_FAILURE);
6559 if (pw->pw_uid == 0)
6561 #ifdef HAVE_SYSLOG_H
6562 /* FIXME: Can the IP address of the connecting client be retrieved
6565 syslog (LOG_DAEMON | LOG_ALERT,
6566 "attempt to root from account: %s", cvs_username
6568 #endif /* HAVE_SYSLOG_H */
6569 printf("error 0: root not allowed\n");
6570 exit (EXIT_FAILURE);
6574 if (initgroups (pw->pw_name, pw->pw_gid) < 0
6576 /* At least on the system I tried, initgroups() only works as root.
6577 But we do still want to report ENOMEM and whatever other
6578 errors initgroups() might dish up. */
6583 /* This could be a warning, but I'm not sure I see the point
6584 in doing that instead of an error given that it would happen
6585 on every connection. We could log it somewhere and not tell
6586 the user. But at least for now make it an error. */
6587 printf ("error 0 initgroups failed: %s\n", strerror (errno));
6588 exit (EXIT_FAILURE);
6590 #endif /* HAVE_INITGROUPS */
6595 retval = pam_setcred (pamh, PAM_ESTABLISH_CRED);
6596 if (retval != PAM_SUCCESS)
6598 printf("E PAM reestablish credentials error: %s\n",
6599 pam_strerror (pamh, retval));
6600 exit (EXIT_FAILURE);
6605 #ifdef SETXID_SUPPORT
6606 /* honor the setgid bit iff set*/
6607 if (getgid() != getegid())
6609 if (setgid (getegid ()) < 0)
6611 /* See comments at setuid call below for more discussion. */
6612 printf ("error 0 setgid failed: %s\n", strerror (errno));
6613 exit (EXIT_FAILURE);
6619 if (setgid (pw->pw_gid) < 0)
6621 /* See comments at setuid call below for more discussion. */
6622 printf ("error 0 setgid failed: %s\n", strerror (errno));
6623 #ifdef HAVE_SYSLOG_H
6624 syslog (LOG_DAEMON | LOG_ERR,
6625 "setgid to %d failed (%m): real %d/%d, effective %d/%d ",
6626 pw->pw_gid, getuid(), getgid(), geteuid(), getegid());
6627 #endif /* HAVE_SYSLOG_H */
6628 exit (EXIT_FAILURE);
6632 if (setuid (pw->pw_uid) < 0)
6634 /* Note that this means that if run as a non-root user,
6635 CVSROOT/passwd must contain the user we are running as
6636 (e.g. "joe:FsEfVcu:cvs" if run as "cvs" user). This seems
6637 cleaner than ignoring the error like CVS 1.10 and older but
6638 it does mean that some people might need to update their
6639 CVSROOT/passwd file. */
6640 printf ("error 0 setuid failed: %s\n", strerror (errno));
6641 #ifdef HAVE_SYSLOG_H
6642 syslog (LOG_DAEMON | LOG_ERR,
6643 "setuid to %d failed (%m): real %d/%d, effective %d/%d ",
6644 pw->pw_uid, getuid(), getgid(), geteuid(), getegid());
6645 #endif /* HAVE_SYSLOG_H */
6646 exit (EXIT_FAILURE);
6649 /* We don't want our umask to change file modes. The modes should
6650 be set by the modes used in the repository, and by the umask of
6654 #ifdef AUTH_SERVER_SUPPORT
6655 /* Make sure our CVS_Username has been set. */
6656 if (CVS_Username == NULL)
6657 CVS_Username = xstrdup (username);
6660 /* Set LOGNAME, USER and CVS_USER in the environment, in case they
6661 are already set to something else. */
6662 setenv ("LOGNAME", username, 1);
6663 setenv ("USER", username, 1);
6664 # ifdef AUTH_SERVER_SUPPORT
6665 setenv ("CVS_USER", CVS_Username, 1);
6670 #ifdef AUTH_SERVER_SUPPORT
6672 extern char *crypt (const char *, const char *);
6676 * 0 means no entry found for this user.
6677 * 1 means entry found and password matches (or found password is empty)
6678 * 2 means entry found, but password does not match.
6680 * If 1, host_user_ptr will be set to point at the system
6681 * username (i.e., the "real" identity, which may or may not be the
6682 * CVS username) of this user; caller may free this. Global
6683 * CVS_Username will point at an allocated copy of cvs username (i.e.,
6684 * the username argument below).
6685 * kff todo: FIXME: last sentence is not true, it applies to caller.
6688 check_repository_password (char *username, char *password, char *repository, char **host_user_ptr)
6693 char *linebuf = NULL;
6698 /* We don't use current_parsed_root->directory because it hasn't been
6699 * set yet -- our `repository' argument came from the authentication
6700 * protocol, not the regular CVS protocol.
6703 filename = xmalloc (strlen (repository)
6705 + strlen (CVSROOTADM)
6707 + strlen (CVSROOTADM_PASSWD)
6710 (void) sprintf (filename, "%s/%s/%s", repository,
6711 CVSROOTADM, CVSROOTADM_PASSWD);
6713 fp = CVS_FOPEN (filename, "r");
6716 if (!existence_error (errno))
6717 error (0, errno, "cannot open %s", filename);
6722 /* Look for a relevant line -- one with this user's name. */
6723 namelen = strlen (username);
6724 while (getline (&linebuf, &linebuf_len, fp) >= 0)
6726 if ((strncmp (linebuf, username, namelen) == 0)
6727 && (linebuf[namelen] == ':'))
6734 error (0, errno, "cannot read %s", filename);
6735 if (fclose (fp) < 0)
6736 error (0, errno, "cannot close %s", filename);
6738 /* If found_it, then linebuf contains the information we need. */
6741 char *found_password, *host_user_tmp;
6742 char *non_cvsuser_portion;
6744 /* We need to make sure lines such as
6746 * "username::sysuser\n"
6750 * all result in a found_password of NULL, but we also need to
6753 * "username: :sysuser\n"
6754 * "username: <whatever>:sysuser\n"
6756 * continues to result in an impossible password. That way,
6757 * an admin would be on safe ground by going in and tacking a
6758 * space onto the front of a password to disable the account
6759 * (a technique some people use to close accounts
6763 /* Make `non_cvsuser_portion' contain everything after the CVS
6764 username, but null out any final newline. */
6765 non_cvsuser_portion = linebuf + namelen;
6766 strtok (non_cvsuser_portion, "\n");
6768 /* If there's a colon now, we just want to inch past it. */
6769 if (strchr (non_cvsuser_portion, ':') == non_cvsuser_portion)
6770 non_cvsuser_portion++;
6772 /* Okay, after this conditional chain, found_password and
6773 host_user_tmp will have useful values: */
6775 if ((non_cvsuser_portion == NULL)
6776 || (strlen (non_cvsuser_portion) == 0)
6777 || ((strspn (non_cvsuser_portion, " \t"))
6778 == strlen (non_cvsuser_portion)))
6780 found_password = NULL;
6781 host_user_tmp = NULL;
6783 else if (strncmp (non_cvsuser_portion, ":", 1) == 0)
6785 found_password = NULL;
6786 host_user_tmp = non_cvsuser_portion + 1;
6787 if (strlen (host_user_tmp) == 0)
6788 host_user_tmp = NULL;
6792 found_password = strtok (non_cvsuser_portion, ":");
6793 host_user_tmp = strtok (NULL, ":");
6796 /* Of course, maybe there was no system user portion... */
6797 if (host_user_tmp == NULL)
6798 host_user_tmp = username;
6800 /* Verify blank passwords directly, otherwise use crypt(). */
6801 if ((found_password == NULL)
6802 || ((strcmp (found_password, crypt (password, found_password))
6805 /* Give host_user_ptr permanent storage. */
6806 *host_user_ptr = xstrdup (host_user_tmp);
6812 syslog (LOG_AUTHPRIV | LOG_NOTICE,
6813 "password mismatch for %s in %s: %s vs. %s", username,
6814 repository, crypt(password, found_password), found_password);
6816 *host_user_ptr = NULL;
6820 else /* Didn't find this user, so deny access. */
6822 *host_user_ptr = NULL;
6836 cvs_pam_conv (int num_msg, const struct pam_message **msg,
6837 struct pam_response **resp, void *appdata_ptr)
6840 struct pam_response *response;
6842 assert (msg && resp);
6844 response = xnmalloc (num_msg, sizeof (struct pam_response));
6845 memset (response, 0, num_msg * sizeof (struct pam_response));
6847 for (i = 0; i < num_msg; i++)
6849 switch (msg[i]->msg_style)
6851 /* PAM wants a username */
6852 case PAM_PROMPT_ECHO_ON:
6853 assert (pam_username != 0);
6854 response[i].resp = xstrdup (pam_username);
6856 /* PAM wants a password */
6857 case PAM_PROMPT_ECHO_OFF:
6858 assert (pam_password != 0);
6859 response[i].resp = xstrdup (pam_password);
6863 printf ("E %s\n", msg[i]->msg);
6865 /* PAM wants something we don't understand - bail out */
6875 for (i = 0; i < num_msg; i++)
6877 if (response[i].resp)
6879 free (response[i].resp);
6880 response[i].resp = 0;
6884 return PAM_CONV_ERR;
6888 check_pam_password (char **username, char *password)
6891 struct pam_conv conv = { cvs_pam_conv, 0 };
6892 char *pam_stage = "start";
6894 pam_username = *username;
6895 pam_password = password;
6897 retval = pam_start (PAM_SERVICE_NAME, *username, &conv, &pamh);
6899 /* sets a dummy tty name which pam modules can check for */
6900 if (retval == PAM_SUCCESS)
6902 pam_stage = "set dummy tty";
6903 retval = pam_set_item (pamh, PAM_TTY, PAM_SERVICE_NAME);
6906 if (retval == PAM_SUCCESS)
6908 pam_stage = "authenticate";
6909 retval = pam_authenticate (pamh, 0);
6912 if (retval == PAM_SUCCESS)
6914 pam_stage = "account";
6915 retval = pam_acct_mgmt (pamh, 0);
6918 if (retval == PAM_SUCCESS)
6920 pam_stage = "get pam user";
6921 retval = pam_get_item (pamh, PAM_USER, (const void **)username);
6924 if (retval != PAM_SUCCESS)
6925 printf ("E PAM %s error: %s\n", pam_stage, pam_strerror (pamh, retval));
6927 /* clear the pointers to make sure we don't use these references again */
6931 return retval == PAM_SUCCESS; /* indicate success */
6936 check_system_password (char *username, char *password)
6938 char *found_passwd = NULL;
6940 #ifdef HAVE_GETSPNAM
6944 spw = getspnam (username);
6946 found_passwd = spw->sp_pwdp;
6950 if (found_passwd == NULL && (pw = getpwnam (username)) != NULL)
6951 found_passwd = pw->pw_passwd;
6953 if (found_passwd == NULL)
6955 printf ("E Fatal error, aborting.\n\
6956 error 0 %s: no such user\n", username);
6958 exit (EXIT_FAILURE);
6961 /* Allow for dain bramaged HPUX passwd aging
6962 * - Basically, HPUX adds a comma and some data
6963 * about whether the passwd has expired or not
6964 * on the end of the passwd field.
6965 * - This code replaces the ',' with '\0'.
6967 * FIXME - our workaround is brain damaged too. I'm
6968 * guessing that HPUX WANTED other systems to think the
6969 * password was wrong so logins would fail if the
6970 * system didn't handle expired passwds and the passwd
6971 * might be expired. I think the way to go here
6974 strtok (found_passwd, ",");
6978 /* user exists and has a password */
6979 if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)
6984 syslog (LOG_AUTHPRIV | LOG_NOTICE,
6985 "password mismatch for %s: %s vs. %s", username,
6986 crypt(password, found_passwd), found_passwd);
6993 syslog (LOG_AUTHPRIV | LOG_NOTICE,
6994 "user %s authenticated because of blank system password",
7002 /* Return a hosting username if password matches, else NULL. */
7004 check_password (char *username, char *password, char *repository)
7007 char *host_user = NULL;
7009 /* First we see if this user has a password in the CVS-specific
7010 password file. If so, that's enough to authenticate with. If
7011 not, we'll check /etc/passwd or maybe whatever is configured via PAM. */
7013 rc = check_repository_password (username, password, repository,
7020 /* host_user already set by reference, so just return. */
7025 if (!config->system_auth)
7027 /* Note that the message _does_ distinguish between the case in
7028 which we check for a system password and the case in which
7029 we do not. It is a real pain to track down why it isn't
7030 letting you in if it won't say why, and I am not convinced
7031 that the potential information disclosure to an attacker
7033 printf ("error 0 no such user %s in CVSROOT/passwd\n", username);
7035 exit (EXIT_FAILURE);
7038 /* No cvs password found, so try /etc/passwd. */
7040 if (check_pam_password (&username, password))
7041 #else /* !HAVE_PAM */
7042 if (check_system_password (username, password))
7043 #endif /* HAVE_PAM */
7044 host_user = xstrdup (username);
7050 syslog (LOG_AUTHPRIV | LOG_NOTICE,
7051 "login refused for %s: user has no password", username);
7057 /* Set CVS_Username here, in allocated space.
7058 It might or might not be the same as host_user. */
7059 CVS_Username = xmalloc (strlen (username) + 1);
7060 strcpy (CVS_Username, username);
7066 #endif /* AUTH_SERVER_SUPPORT */
7068 #if defined (AUTH_SERVER_SUPPORT) || defined (HAVE_GSSAPI)
7071 pserver_read_line (char **tmp, size_t *tmp_len)
7075 /* Make sure the protocol starts off on the right foot... */
7076 status = buf_read_short_line (buf_from_net, tmp, tmp_len, PATH_MAX);
7079 # ifdef HAVE_SYSLOG_H
7080 syslog (LOG_DAEMON | LOG_NOTICE,
7081 "unexpected EOF encountered during authentication");
7082 # endif /* HAVE_SYSLOG_H */
7083 error (1, 0, "unexpected EOF encountered during authentication");
7089 # ifdef HAVE_SYSLOG_H
7090 syslog (LOG_DAEMON | LOG_NOTICE,
7091 "error reading from net while validating pserver");
7092 # endif /* HAVE_SYSLOG_H */
7093 error (1, status, "error reading from net while validating pserver");
7097 /* Read username and password from client (i.e., stdin).
7098 If correct, then switch to run as that user and send an ACK to the
7099 client via stdout, else send NACK and die. */
7101 pserver_authenticate_connection (void)
7104 #ifdef AUTH_SERVER_SUPPORT
7105 char *repository = NULL;
7106 char *username = NULL;
7107 char *password = NULL;
7110 char *descrambled_password;
7111 #endif /* AUTH_SERVER_SUPPORT */
7112 int verify_and_exit = 0;
7114 /* The Authentication Protocol. Client sends:
7116 * BEGIN AUTH REQUEST\n
7120 * END AUTH REQUEST\n
7122 * Server uses above information to authenticate, then sends
7126 * if it grants access, else
7130 * if it denies access (and it exits if denying).
7132 * When the client is "cvs login", the user does not desire actual
7133 * repository access, but would like to confirm the password with
7134 * the server. In this case, the start and stop strings are
7136 * BEGIN VERIFICATION REQUEST\n
7140 * END VERIFICATION REQUEST\n
7142 * On a verification request, the server's responses are the same
7143 * (with the obvious semantics), but it exits immediately after
7144 * sending the response in both cases.
7146 * Why is the repository sent? Well, note that the actual
7147 * client/server protocol can't start up until authentication is
7148 * successful. But in order to perform authentication, the server
7149 * needs to look up the password in the special CVS passwd file,
7150 * before trying /etc/passwd. So the client transmits the
7151 * repository as part of the "authentication protocol". The
7152 * repository will be redundantly retransmitted later, but that's no
7156 /* Initialize buffers. */
7157 buf_to_net = fd_buffer_initialize (STDOUT_FILENO, 0, NULL, false,
7158 outbuf_memory_error);
7159 buf_from_net = fd_buffer_initialize (STDIN_FILENO, 0, NULL, true,
7160 outbuf_memory_error);
7163 /* Set SO_KEEPALIVE on the socket, so that we don't hang forever
7164 if the client dies while we are waiting for input. */
7168 if (setsockopt (STDIN_FILENO, SOL_SOCKET, SO_KEEPALIVE,
7169 &on, sizeof on) < 0)
7171 # ifdef HAVE_SYSLOG_H
7172 syslog (LOG_DAEMON | LOG_ERR, "error setting KEEPALIVE: %m");
7173 # endif /* HAVE_SYSLOG_H */
7178 /* Make sure the protocol starts off on the right foot... */
7179 pserver_read_line (&tmp, NULL);
7181 if (strcmp (tmp, "BEGIN VERIFICATION REQUEST") == 0)
7182 verify_and_exit = 1;
7183 else if (strcmp (tmp, "BEGIN AUTH REQUEST") == 0)
7185 else if (strcmp (tmp, "BEGIN GSSAPI REQUEST") == 0)
7189 gserver_authenticate_connection ();
7192 error (1, 0, "GSSAPI authentication not supported by this server");
7196 error (1, 0, "bad auth protocol start: %s", tmp);
7198 #ifndef AUTH_SERVER_SUPPORT
7200 error (1, 0, "Password authentication not supported by this server");
7202 #else /* AUTH_SERVER_SUPPORT */
7206 /* Get the three important pieces of information in order. */
7207 /* See above comment about error handling. */
7208 pserver_read_line (&repository, NULL);
7209 pserver_read_line (&username, NULL);
7210 pserver_read_line (&password, NULL);
7212 /* ... and make sure the protocol ends on the right foot. */
7213 /* See above comment about error handling. */
7214 pserver_read_line (&tmp, NULL);
7217 "END VERIFICATION REQUEST" : "END AUTH REQUEST")
7220 error (1, 0, "bad auth protocol end: %s", tmp);
7224 if (!root_allow_ok (repository))
7226 error (1, 0, "%s: no such repository", repository);
7227 # ifdef HAVE_SYSLOG_H
7228 syslog (LOG_DAEMON | LOG_NOTICE, "login refused for %s", repository);
7229 # endif /* HAVE_SYSLOG_H */
7233 /* OK, now parse the config file, so we can use it to control how
7234 to check passwords. If there was an error parsing the config
7235 file, parse_config already printed an error. We keep going.
7236 Why? Because if we didn't, then there would be no way to check
7237 in a new CVSROOT/config file to fix the broken one! */
7238 config = get_root_allow_config (repository, gConfigPath);
7240 /* We need the real cleartext before we hash it. */
7241 descrambled_password = descramble (password);
7242 host_user = check_password (username, descrambled_password, repository);
7243 if (host_user == NULL)
7245 # ifdef HAVE_SYSLOG_H
7246 syslog (LOG_DAEMON | LOG_NOTICE, "login failure (for %s)", repository);
7247 # endif /* HAVE_SYSLOG_H */
7248 memset (descrambled_password, 0, strlen (descrambled_password));
7249 free (descrambled_password);
7251 buf_output0 (buf_to_net, "I HATE YOU\n");
7252 buf_flush (buf_to_net, true);
7254 /* Don't worry about server_cleanup, server_active isn't set
7256 exit (EXIT_FAILURE);
7258 memset (descrambled_password, 0, strlen (descrambled_password));
7259 free (descrambled_password);
7261 /* Don't go any farther if we're just responding to "cvs login". */
7262 if (verify_and_exit)
7264 buf_output0 (buf_to_net, "I LOVE YOU\n");
7265 buf_flush (buf_to_net, true);
7266 exit (EXIT_SUCCESS);
7269 /* Set Pserver_Repos so that we can check later that the same
7270 repository is sent in later client/server protocol. */
7271 Pserver_Repos = xmalloc (strlen (repository) + 1);
7272 strcpy (Pserver_Repos, repository);
7274 /* Switch to run as this user. */
7275 switch_to_user (username, host_user);
7281 buf_output0 (buf_to_net, "I LOVE YOU\n");
7282 buf_flush (buf_to_net, true);
7283 #endif /* AUTH_SERVER_SUPPORT */
7286 #endif /* AUTH_SERVER_SUPPORT || HAVE_GSSAPI */
7289 #ifdef HAVE_KERBEROS
7291 kserver_authenticate_connection( void )
7294 char instance[INST_SZ];
7295 struct sockaddr_in peer;
7296 struct sockaddr_in laddr;
7300 char version[KRB_SENDAUTH_VLEN];
7301 char user[ANAME_SZ];
7303 strcpy (instance, "*");
7305 if (getpeername (STDIN_FILENO, (struct sockaddr *) &peer, &len) < 0
7306 || getsockname (STDIN_FILENO, (struct sockaddr *) &laddr,
7309 printf ("E Fatal error, aborting.\n\
7310 error %s getpeername or getsockname failed\n", strerror (errno));
7312 exit (EXIT_FAILURE);
7316 /* Set SO_KEEPALIVE on the socket, so that we don't hang forever
7317 if the client dies while we are waiting for input. */
7321 if (setsockopt (STDIN_FILENO, SOL_SOCKET, SO_KEEPALIVE,
7322 (char *) &on, sizeof on) < 0)
7324 # ifdef HAVE_SYSLOG_H
7325 syslog (LOG_DAEMON | LOG_ERR, "error setting KEEPALIVE: %m");
7326 # endif /* HAVE_SYSLOG_H */
7331 status = krb_recvauth (KOPT_DO_MUTUAL, STDIN_FILENO, &ticket, "rcmd",
7332 instance, &peer, &laddr, &auth, "", sched,
7334 if (status != KSUCCESS)
7336 printf ("E Fatal error, aborting.\n\
7337 error 0 kerberos: %s\n", krb_get_err_text(status));
7339 exit (EXIT_FAILURE);
7342 memcpy (kblock, auth.session, sizeof (C_Block));
7344 /* Get the local name. */
7345 status = krb_kntoln (&auth, user);
7346 if (status != KSUCCESS)
7348 printf ("E Fatal error, aborting.\n"
7349 "error 0 kerberos: can't get local name: %s\n",
7350 krb_get_err_text(status));
7352 exit (EXIT_FAILURE);
7355 /* Switch to run as this user. */
7356 switch_to_user ("Kerberos 4", user);
7358 #endif /* HAVE_KERBEROS */
7362 # ifdef HAVE_GSSAPI /* && SERVER_SUPPORT */
7363 /* Authenticate a GSSAPI connection. This is called from
7364 * pserver_authenticate_connection, and it handles success and failure
7368 * server_hostname The name of this host, as set via a call to
7369 * xgethostname() in main().
7372 gserver_authenticate_connection (void)
7375 gss_buffer_desc tok_in, tok_out;
7379 OM_uint32 stat_min, ret;
7380 gss_name_t server_name, client_name;
7381 gss_cred_id_t server_creds;
7385 hn = canon_host (server_hostname);
7387 error (1, 0, "can't get canonical hostname for `%s': %s",
7388 server_hostname, ch_strerror ());
7390 sprintf (buf, "cvs@%s", hn);
7393 tok_in.length = strlen (buf);
7395 if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
7396 &server_name) != GSS_S_COMPLETE)
7397 error (1, 0, "could not import GSSAPI service name %s", buf);
7399 /* Acquire the server credential to verify the client's
7401 if (gss_acquire_cred (&stat_min, server_name, 0, GSS_C_NULL_OID_SET,
7402 GSS_C_ACCEPT, &server_creds,
7403 NULL, NULL) != GSS_S_COMPLETE)
7404 error (1, 0, "could not acquire GSSAPI server credentials");
7406 gss_release_name (&stat_min, &server_name);
7408 /* The client will send us a two byte length followed by that many
7410 if (fread (buf, 1, 2, stdin) != 2)
7411 error (1, errno, "read of length failed");
7413 nbytes = ((buf[0] & 0xff) << 8) | (buf[1] & 0xff);
7414 if (nbytes <= sizeof buf)
7417 credbuflen = sizeof buf;
7421 credbuflen = nbytes;
7422 credbuf = xmalloc (credbuflen);
7425 if (fread (credbuf, 1, nbytes, stdin) != nbytes)
7426 error (1, errno, "read of data failed");
7428 gcontext = GSS_C_NO_CONTEXT;
7429 tok_in.length = nbytes;
7430 tok_in.value = credbuf;
7432 if (gss_accept_sec_context (&stat_min,
7433 &gcontext, /* context_handle */
7434 server_creds, /* verifier_cred_handle */
7435 &tok_in, /* input_token */
7436 NULL, /* channel bindings */
7437 &client_name, /* src_name */
7438 &mechid, /* mech_type */
7439 &tok_out, /* output_token */
7441 NULL, /* ignore time_rec */
7442 NULL) /* ignore del_cred_handle */
7445 error (1, 0, "could not verify credentials");
7448 /* FIXME: Use Kerberos v5 specific code to authenticate to a user.
7449 We could instead use an authentication to access mapping. */
7453 gss_buffer_desc desc;
7455 krb5_init_context (&kc);
7456 if (gss_display_name (&stat_min, client_name, &desc,
7457 &mechid) != GSS_S_COMPLETE
7458 || krb5_parse_name (kc, ((gss_buffer_t) &desc)->value, &p) != 0
7459 || krb5_aname_to_localname (kc, p, sizeof buf, buf) != 0
7460 || krb5_kuserok (kc, p, buf) != TRUE)
7462 error (1, 0, "access denied");
7464 krb5_free_principal (kc, p);
7465 krb5_free_context (kc);
7468 if (tok_out.length != 0)
7472 cbuf[0] = (tok_out.length >> 8) & 0xff;
7473 cbuf[1] = tok_out.length & 0xff;
7474 if (fwrite (cbuf, 1, 2, stdout) != 2
7475 || (fwrite (tok_out.value, 1, tok_out.length, stdout)
7477 error (1, errno, "fwrite failed");
7480 switch_to_user ("GSSAPI", buf);
7485 printf ("I LOVE YOU\n");
7489 # endif /* HAVE_GSSAPI */
7491 #endif /* SERVER_SUPPORT */
7493 #if defined (CLIENT_SUPPORT) || defined (SERVER_SUPPORT)
7495 /* This global variable is non-zero if the user requests encryption on
7496 the command line. */
7499 /* This global variable is non-zero if the users requests stream
7500 authentication on the command line. */
7501 int cvsauthenticate;
7505 #ifdef HAVE_KERBEROS
7507 /* An encryption interface using Kerberos. This is built on top of a
7508 packetizing buffer. */
7510 /* This structure is the closure field of the Kerberos translation
7512 struct krb_encrypt_data
7514 /* The Kerberos key schedule. */
7516 /* The Kerberos DES block. */
7522 /* Decrypt Kerberos data. */
7524 krb_encrypt_input( void *fnclosure, const char *input, char *output, int size )
7526 struct krb_encrypt_data *kd = (struct krb_encrypt_data *) fnclosure;
7529 des_cbc_encrypt ((C_Block *) input, (C_Block *) output,
7530 size, kd->sched, &kd->block, 0);
7532 /* SIZE is the size of the buffer, which is set by the encryption
7533 routine. The packetizing buffer will arrange for the first two
7534 bytes in the decrypted buffer to be the real (unaligned)
7535 length. As a safety check, make sure that the length in the
7536 buffer corresponds to SIZE. Note that the length in the buffer
7537 is just the length of the data. We must add 2 to account for
7538 the buffer count itself. */
7539 tcount = ((output[0] & 0xff) << 8) + (output[1] & 0xff);
7540 if (((tcount + 2 + 7) & ~7) != size)
7541 error (1, 0, "Decryption failure");
7548 /* Encrypt Kerberos data. */
7550 krb_encrypt_output( void *fnclosure, const char *input, char *output,
7551 int size, int *translated )
7553 struct krb_encrypt_data *kd = (struct krb_encrypt_data *) fnclosure;
7556 /* For security against a known plaintext attack, we should
7557 initialize any padding bytes to random values. Instead, we
7558 just pick up whatever is on the stack, which is at least better
7561 /* Align SIZE to an 8 byte boundary. Note that SIZE includes the
7562 two byte buffer count at the start of INPUT which was added by
7563 the packetizing buffer. */
7564 aligned = (size + 7) & ~7;
7566 /* We use des_cbc_encrypt rather than krb_mk_priv because the
7567 latter sticks a timestamp in the block, and krb_rd_priv expects
7568 that timestamp to be within five minutes of the current time.
7569 Given the way the CVS server buffers up data, that can easily
7570 fail over a long network connection. We trust krb_recvauth to
7571 guard against a replay attack. */
7573 des_cbc_encrypt ((C_Block *) input, (C_Block *) output, aligned,
7574 kd->sched, &kd->block, 1);
7576 *translated = aligned;
7583 /* Create a Kerberos encryption buffer. We use a packetizing buffer
7584 with Kerberos encryption translation routines. */
7586 krb_encrypt_buffer_initialize( struct buffer *buf, int input,
7587 Key_schedule sched, C_Block block,
7588 void *memory( struct buffer * ) )
7590 struct krb_encrypt_data *kd;
7592 kd = (struct krb_encrypt_data *) xmalloc (sizeof *kd);
7593 memcpy (kd->sched, sched, sizeof (Key_schedule));
7594 memcpy (kd->block, block, sizeof (C_Block));
7596 return packetizing_buffer_initialize (buf,
7597 input ? krb_encrypt_input : NULL,
7598 input ? NULL : krb_encrypt_output,
7603 #endif /* HAVE_KERBEROS */
7604 #endif /* ENCRYPTION */
7605 #endif /* defined (CLIENT_SUPPORT) || defined (SERVER_SUPPORT) */
7609 /* Output LEN bytes at STR. If LEN is zero, then output up to (not including)
7610 the first '\0' byte. */
7612 cvs_output (const char *str, size_t len)
7616 #ifdef SERVER_SUPPORT
7617 if (error_use_protocol)
7621 buf_output (saved_output, str, len);
7622 buf_copy_lines (buf_to_net, saved_output, 'M');
7626 syslog (LOG_DAEMON | LOG_ERR,
7627 "Attempt to write message after close of network buffer. "
7630 # endif /* HAVE_SYSLOG_H */
7632 else if (server_active)
7636 buf_output (saved_output, str, len);
7637 buf_copy_lines (protocol, saved_output, 'M');
7638 buf_send_counted (protocol);
7642 syslog (LOG_DAEMON | LOG_ERR,
7643 "Attempt to write message before initialization of "
7644 "protocol buffer. Message was: %s",
7646 # endif /* HAVE_SYSLOG_H */
7652 size_t to_write = len;
7653 const char *p = str;
7655 /* Local users that do 'cvs status 2>&1' on a local repository
7656 may see the informational messages out-of-order with the
7657 status messages unless we use the fflush (stderr) here. */
7660 while (to_write > 0)
7662 written = fwrite (p, 1, to_write, stdout);
7666 to_write -= written;
7671 /* Output LEN bytes at STR in binary mode. If LEN is zero, then
7672 output zero bytes. */
7675 cvs_output_binary (char *str, size_t len)
7677 #ifdef SERVER_SUPPORT
7678 if (error_use_protocol || server_active)
7683 if (error_use_protocol)
7690 if (!supported_response ("Mbinary"))
7693 this client does not support writing binary files to stdout");
7697 buf_output0 (buf, "Mbinary\012");
7698 sprintf (size_text, "%lu\012", (unsigned long) len);
7699 buf_output0 (buf, size_text);
7701 /* Not sure what would be involved in using buf_append_data here
7702 without stepping on the toes of our caller (which is responsible
7703 for the memory allocation of STR). */
7704 buf_output (buf, str, len);
7706 if (!error_use_protocol)
7707 buf_send_counted (protocol);
7713 size_t to_write = len;
7714 const char *p = str;
7715 #ifdef USE_SETMODE_STDOUT
7719 /* Local users that do 'cvs status 2>&1' on a local repository
7720 may see the informational messages out-of-order with the
7721 status messages unless we use the fflush (stderr) here. */
7724 #ifdef USE_SETMODE_STDOUT
7725 /* It is possible that this should be the same ifdef as
7726 USE_SETMODE_BINARY but at least for the moment we keep them
7727 separate. Mostly this is just laziness and/or a question
7728 of what has been tested where. Also there might be an
7729 issue of setmode vs. _setmode. */
7730 /* The Windows doc says to call setmode only right after startup.
7731 I assume that what they are talking about can also be helped
7732 by flushing the stream before changing the mode. */
7734 oldmode = _setmode (_fileno (stdout), OPEN_BINARY);
7736 error (0, errno, "failed to setmode on stdout");
7739 while (to_write > 0)
7741 written = fwrite (p, 1, to_write, stdout);
7745 to_write -= written;
7747 #ifdef USE_SETMODE_STDOUT
7749 if (_setmode (_fileno (stdout), oldmode) != OPEN_BINARY)
7750 error (0, errno, "failed to setmode on stdout");
7757 /* Like CVS_OUTPUT but output is for stderr not stdout. */
7759 cvs_outerr (const char *str, size_t len)
7763 #ifdef SERVER_SUPPORT
7764 if (error_use_protocol)
7768 buf_output (saved_outerr, str, len);
7769 buf_copy_lines (buf_to_net, saved_outerr, 'E');
7773 syslog (LOG_DAEMON | LOG_ERR,
7774 "Attempt to write error message after close of network "
7775 "buffer. Message was: `%s'",
7777 # endif /* HAVE_SYSLOG_H */
7779 else if (server_active)
7783 buf_output (saved_outerr, str, len);
7784 buf_copy_lines (protocol, saved_outerr, 'E');
7785 buf_send_counted (protocol);
7789 syslog (LOG_DAEMON | LOG_ERR,
7790 "Attempt to write error message before initialization of "
7791 "protocol buffer. Message was: `%s'",
7793 # endif /* HAVE_SYSLOG_H */
7799 size_t to_write = len;
7800 const char *p = str;
7802 /* Make sure that output appears in order if stdout and stderr
7803 point to the same place. For the server case this is taken
7804 care of by the fact that saved_outerr always holds less
7808 while (to_write > 0)
7810 written = fwrite (p, 1, to_write, stderr);
7814 to_write -= written;
7821 /* Flush stderr. stderr is normally flushed automatically, of course,
7822 but this function is used to flush information from the server back
7827 #ifdef SERVER_SUPPORT
7828 if (error_use_protocol)
7830 /* skip the actual stderr flush in this case since the parent process
7831 * on the server should only be writing to stdout anyhow
7833 /* Flush what we can to the network, but don't block. */
7834 buf_flush (buf_to_net, 0);
7836 else if (server_active)
7838 /* make sure stderr is flushed before we send the flush count on the
7842 /* Send a special count to tell the parent to flush. */
7843 buf_send_special_count (protocol, -2);
7852 /* Make it possible for the user to see what has been written to
7853 stdout (it is up to the implementation to decide exactly how far it
7854 should go to ensure this). */
7858 #ifdef SERVER_SUPPORT
7859 if (error_use_protocol)
7861 /* Flush what we can to the network, but don't block. */
7862 buf_flush (buf_to_net, 0);
7864 else if (server_active)
7866 /* Just do nothing. This is because the code which
7867 cvs_flushout replaces, setting stdout to line buffering in
7868 main.c, didn't get called in the server child process. But
7869 in the future it is quite plausible that we'll want to make
7870 this case work analogously to cvs_flusherr.
7872 FIXME - DRP - I tried to implement this and triggered the following
7873 error: "Protocol error: uncounted data discarded". I don't need
7874 this feature right now, so I'm not going to bother with it yet.
7876 buf_send_special_count (protocol, -1);
7885 /* Output TEXT, tagging it according to TAG. There are lots more
7886 details about what TAG means in cvsclient.texi but for the simple
7887 case (e.g. non-client/server), TAG is just "newline" to output a
7888 newline (in which case TEXT must be NULL), and any other tag to
7891 Note that there is no way to output either \0 or \n as part of TEXT. */
7894 cvs_output_tagged (const char *tag, const char *text)
7896 if (text != NULL && strchr (text, '\n') != NULL)
7897 /* Uh oh. The protocol has no way to cope with this. For now
7898 we dump core, although that really isn't such a nice
7899 response given that this probably can be caused by newlines
7900 in filenames and other causes other than bugs in CVS. Note
7901 that we don't want to turn this into "MT newline" because
7902 this case is a newline within a tagged item, not a newline
7903 as extraneous sugar for the user. */
7906 /* Start and end tags don't take any text, per cvsclient.texi. */
7907 if (tag[0] == '+' || tag[0] == '-')
7908 assert (text == NULL);
7910 #ifdef SERVER_SUPPORT
7911 if (server_active && supported_response ("MT"))
7915 if (error_use_protocol)
7920 buf_output0 (buf, "MT ");
7921 buf_output0 (buf, tag);
7924 buf_output (buf, " ", 1);
7925 buf_output0 (buf, text);
7927 buf_output (buf, "\n", 1);
7929 if (!error_use_protocol)
7930 buf_send_counted (protocol);
7933 #endif /* SERVER_SUPPORT */
7935 /* No MT support or we are using a local repository. */
7936 if (strcmp (tag, "newline") == 0)
7937 cvs_output ("\n", 1);
7938 else if (strcmp (tag, "date") == 0)
7940 #ifdef SERVER_SUPPORT
7942 /* Output UTC when running as a server without MT support in
7943 * the client since it is likely to be more meaningful than
7946 cvs_output (text, 0);
7948 #endif /* SERVER_SUPPORT */
7950 char *date_in = xstrdup (text);
7951 char *date = format_date_alloc (date_in);
7952 cvs_output (date, 0);
7957 else if (text != NULL)
7958 cvs_output (text, 0);
7965 * void cvs_trace(int level, const char *fmt, ...)
7967 * Print tracing information to stderr on request. Levels are implemented
7971 cvs_trace (int level, const char *fmt, ...)
7978 #ifdef SERVER_SUPPORT
7979 fprintf (stderr,"%c -> ",server_active?(isProxyServer()?'P':'S'):' ');
7980 #else /* ! SERVER_SUPPORT */
7981 fprintf (stderr," -> ");
7983 vfprintf (stderr, fmt, va);
7984 fprintf (stderr,"\n");