Ensure newly created file descriptors are non-inheritable (#2497)

* Cleanup unused defines * win32: do not inherit open file handles in child processes `O_NOINHERIT` and the `N` flag of `fopen` is available in all supported Windows versions. * unix: ensure any open file handles are closed on exec `O_CLOEXEC` is available since Linux 2.6.23 and is ignored on earlier versions. `e` flag of `fopen` is available since glibc 2.7.
2021-10-26 13:20:03 +02:00 · 2021-10-26 13:20:03 +02:00 · 5d6e9851ba
commit 5d6e9851ba
parent a16f118b0c
4 changed files with 75 additions and 29 deletions
--- a/libvips/iofuncs/source.c
+++ b/libvips/iofuncs/source.c
@ -77,7 +77,7 @@
 #include <io.h>
 #endif /*G_OS_WIN32*/

-/* Try to make an O_BINARY ... sometimes need the leading '_'.
+/* Try to make an O_BINARY and O_NOINHERIT ... sometimes need the leading '_'.
 */
 #if defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)
 #ifndef O_BINARY
@ -85,6 +85,11 @@
 #define O_BINARY _O_BINARY
 #endif /*_O_BINARY*/
 #endif /*!O_BINARY*/
+#ifndef O_NOINHERIT
+#ifdef _O_NOINHERIT
+#define O_NOINHERIT _O_NOINHERIT
+#endif /*_O_NOINHERIT*/
+#endif /*!O_NOINHERIT*/
 #endif /*defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)*/

 /* If we have O_BINARY, add it to a mode flags set.
@ -95,9 +100,17 @@
 #define BINARYIZE(M) (M)
 #endif /*O_BINARY*/

-#define MODE_READ BINARYIZE (O_RDONLY)
-#define MODE_READWRITE BINARYIZE (O_RDWR)
-#define MODE_WRITE BINARYIZE (O_WRONLY | O_CREAT | O_TRUNC)
+/* If we have O_CLOEXEC or O_NOINHERIT, add it to a mode flags set.
+ */
+#ifdef O_CLOEXEC
+#define CLOEXEC(M) ((M) | O_CLOEXEC)
+#elif defined(O_NOINHERIT)
+#define CLOEXEC(M) ((M) | O_NOINHERIT)
+#else /*!O_CLOEXEC && !O_NOINHERIT*/
+#define CLOEXEC(M) (M)
+#endif /*O_CLOEXEC*/
+
+#define MODE_READ CLOEXEC (BINARYIZE (O_RDONLY))

 /* -1 on a pipe isn't actually unbounded. Have a limit to prevent
 * huge sources accidentally filling memory.
--- a/libvips/iofuncs/target.c
+++ b/libvips/iofuncs/target.c
@ -64,7 +64,7 @@
 #include <io.h>
 #endif /*G_OS_WIN32*/

-/* Try to make an O_BINARY ... sometimes need the leading '_'.
+/* Try to make an O_BINARY and O_NOINHERIT ... sometimes need the leading '_'.
 */
 #if defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)
 #ifndef O_BINARY
@ -72,6 +72,11 @@
 #define O_BINARY _O_BINARY
 #endif /*_O_BINARY*/
 #endif /*!O_BINARY*/
+#ifndef O_NOINHERIT
+#ifdef _O_NOINHERIT
+#define O_NOINHERIT _O_NOINHERIT
+#endif /*_O_NOINHERIT*/
+#endif /*!O_NOINHERIT*/
 #endif /*defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)*/

 /* If we have O_BINARY, add it to a mode flags set.
@ -82,9 +87,17 @@
 #define BINARYIZE(M) (M)
 #endif /*O_BINARY*/

-#define MODE_READ BINARYIZE (O_RDONLY)
-#define MODE_READWRITE BINARYIZE (O_RDWR)
-#define MODE_WRITE BINARYIZE (O_WRONLY | O_CREAT | O_TRUNC)
+/* If we have O_CLOEXEC or O_NOINHERIT, add it to a mode flags set.
+ */
+#ifdef O_CLOEXEC
+#define CLOEXEC(M) ((M) | O_CLOEXEC)
+#elif defined(O_NOINHERIT)
+#define CLOEXEC(M) ((M) | O_NOINHERIT)
+#else /*!O_CLOEXEC && !O_NOINHERIT*/
+#define CLOEXEC(M) (M)
+#endif /*O_CLOEXEC*/
+
+#define MODE_WRITE CLOEXEC (BINARYIZE (O_WRONLY | O_CREAT | O_TRUNC))

 G_DEFINE_TYPE( VipsTarget, vips_target, VIPS_TYPE_CONNECTION );

--- a/libvips/iofuncs/util.c
+++ b/libvips/iofuncs/util.c
@ -65,7 +65,7 @@
 */
 #define MAX_BUF (100000)

-/* Try to make an O_BINARY ... sometimes need the leading '_'.
+/* Try to make an O_BINARY and O_NOINHERIT ... sometimes need the leading '_'.
 */
 #if defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)
 #ifndef O_BINARY
@ -73,6 +73,11 @@
 #define O_BINARY _O_BINARY
 #endif /*_O_BINARY*/
 #endif /*!O_BINARY*/
+#ifndef O_NOINHERIT
+#ifdef _O_NOINHERIT
+#define O_NOINHERIT _O_NOINHERIT
+#endif /*_O_NOINHERIT*/
+#endif /*!O_NOINHERIT*/
 #endif /*defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)*/

 /* If we have O_BINARY, add it to a mode flags set.
@ -83,17 +88,17 @@
 #define BINARYIZE(M) (M)
 #endif /*O_BINARY*/

-/* Open mode for image write ... on some systems, have to set BINARY too.
+/* If we have O_CLOEXEC or O_NOINHERIT, add it to a mode flags set.
 */
-#define MODE_WRITE BINARYIZE (O_WRONLY | O_CREAT | O_TRUNC)
+#ifdef O_CLOEXEC
+#define CLOEXEC(M) ((M) | O_CLOEXEC)
+#elif defined(O_NOINHERIT)
+#define CLOEXEC(M) ((M) | O_NOINHERIT)
+#else /*!O_CLOEXEC && !O_NOINHERIT*/
+#define CLOEXEC(M) (M)
+#endif /*O_CLOEXEC*/

-/* Mode for read/write. This is if we might later want to mmaprw () the file.
- */
-#define MODE_READWRITE BINARYIZE (O_RDWR)
-
-/* Mode for read only. This is the fallback if READWRITE fails.
- */
-#define MODE_READONLY BINARYIZE (O_RDONLY)
+#define MODE_READ CLOEXEC (BINARYIZE (O_RDONLY))

 /* Test two lists for eqality.
 */
@ -649,7 +654,7 @@ vips__open( const char *filename, int flags, int mode )
 int 
 vips__open_read( const char *filename )
 {
-	return( vips__open( filename, MODE_READONLY, 0 ) );
+	return( vips__open( filename, MODE_READ, 0 ) );
 }

 /* fopen() with utf8 filename and mode, setting errno.
@ -700,11 +705,11 @@ vips__file_open_read( const char *filename, const char *fallback_dir,

 #if defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)
 	if( text_mode )
-		mode = "r";
+		mode = "rN";
 	else
-		mode = "rb";
+		mode = "rbN";
 #else /*!defined(G_PLATFORM_WIN32) && !defined(G_WITH_CYGWIN)*/
-	mode = "r";
+	mode = "re";
 #endif /*defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)*/

 	if( (fp = vips__fopen( filename, mode )) )
@ -736,11 +741,11 @@ vips__file_open_write( const char *filename, gboolean text_mode )

 #if defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)
 	if( text_mode )
-		mode = "w";
+		mode = "wN";
 	else
-		mode = "wb";
+		mode = "wbN";
 #else /*!defined(G_PLATFORM_WIN32) && !defined(G_WITH_CYGWIN)*/
-	mode = "w";
+	mode = "we";
 #endif /*defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)*/

        if( !(fp = vips__fopen( filename, mode )) ) {
--- a/libvips/iofuncs/vips.c
+++ b/libvips/iofuncs/vips.c
@ -113,7 +113,7 @@
 * world. See vips_init() and vips_guess_prefix().
 */

-/* Try to make an O_BINARY ... sometimes need the leading '_'.
+/* Try to make an O_BINARY and O_NOINHERIT ... sometimes need the leading '_'.
 */
 #if defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)
 #ifndef O_BINARY
@ -121,6 +121,11 @@
 #define O_BINARY _O_BINARY
 #endif /*_O_BINARY*/
 #endif /*!O_BINARY*/
+#ifndef O_NOINHERIT
+#ifdef _O_NOINHERIT
+#define O_NOINHERIT _O_NOINHERIT
+#endif /*_O_NOINHERIT*/
+#endif /*!O_NOINHERIT*/
 #endif /*defined(G_PLATFORM_WIN32) || defined(G_WITH_CYGWIN)*/

 /* If we have O_BINARY, add it to a mode flags set.
@ -131,20 +136,30 @@
 #define BINARYIZE(M) (M)
 #endif /*O_BINARY*/

+/* If we have O_CLOEXEC or O_NOINHERIT, add it to a mode flags set.
+ */
+#ifdef O_CLOEXEC
+#define CLOEXEC(M) ((M) | O_CLOEXEC)
+#elif defined(O_NOINHERIT)
+#define CLOEXEC(M) ((M) | O_NOINHERIT)
+#else /*!O_CLOEXEC && !O_NOINHERIT*/
+#define CLOEXEC(M) (M)
+#endif /*O_CLOEXEC*/
+
 /* Open mode for image write ... on some systems, have to set BINARY too.
 *
 * We use O_RDWR not O_WRONLY since after writing we may want to rewind the 
 * image and read from it.
 */
-#define MODE_WRITE BINARYIZE (O_RDWR | O_CREAT | O_TRUNC)
+#define MODE_WRITE CLOEXEC (BINARYIZE (O_RDWR | O_CREAT | O_TRUNC))

 /* Mode for read/write. This is if we might later want to mmaprw () the file.
 */
-#define MODE_READWRITE BINARYIZE (O_RDWR)
+#define MODE_READWRITE CLOEXEC (BINARYIZE (O_RDWR))

 /* Mode for read only. This is the fallback if READWRITE fails.
 */
-#define MODE_READONLY BINARYIZE (O_RDONLY)
+#define MODE_READONLY CLOEXEC (BINARYIZE (O_RDONLY))

 /* Our XML namespace.
 */