util: move filename_is_valid() and path_is_safe() to path-util.[ch]

src/basic/locale-util.c

@@ -23,6 +23,7 @@
 
 #include "fd-util.h"
 #include "locale-util.h"
+#include "path-util.h"
 #include "set.h"
 #include "string-util.h"
 #include "strv.h"

src/basic/lockfile-util.c

@@ -30,6 +30,7 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "lockfile-util.h"
+#include "path-util.h"
 #include "util.h"
 
 int make_lock_file(const char *p, int operation, LockFile *ret) {

src/basic/path-util.c

@@ -723,3 +723,46 @@ char* dirname_malloc(const char *path) {
 
         return dir2;
 }
+
+bool filename_is_valid(const char *p) {
+        const char *e;
+
+        if (isempty(p))
+                return false;
+
+        if (streq(p, "."))
+                return false;
+
+        if (streq(p, ".."))
+                return false;
+
+        e = strchrnul(p, '/');
+        if (*e != 0)
+                return false;
+
+        if (e - p > FILENAME_MAX)
+                return false;
+
+        return true;
+}
+
+bool path_is_safe(const char *p) {
+
+        if (isempty(p))
+                return false;
+
+        if (streq(p, "..") || startswith(p, "../") || endswith(p, "/..") || strstr(p, "/../"))
+                return false;
+
+        if (strlen(p)+1 > PATH_MAX)
+                return false;
+
+        /* The following two checks are not really dangerous, but hey, they still are confusing */
+        if (streq(p, ".") || startswith(p, "./") || endswith(p, "/.") || strstr(p, "/./"))
+                return false;
+
+        if (strstr(p, "//"))
+                return false;
+
+        return true;
+}

src/basic/path-util.h

@@ -102,3 +102,6 @@ char *prefix_root(const char *root, const char *path);
 int parse_path_argument_and_warn(const char *path, bool suppress_root, char **arg);
 
 char* dirname_malloc(const char *path);
+
+bool filename_is_valid(const char *p) _pure_;
+bool path_is_safe(const char *p) _pure_;

src/basic/util.c

@@ -1439,26 +1439,6 @@ bool in_initrd(void) {
         return saved;
 }
 
-bool filename_is_valid(const char *p) {
-
-        if (isempty(p))
-                return false;
-
-        if (strchr(p, '/'))
-                return false;
-
-        if (streq(p, "."))
-                return false;
-
-        if (streq(p, ".."))
-                return false;
-
-        if (strlen(p) > FILENAME_MAX)
-                return false;
-
-        return true;
-}
-
 bool string_is_safe(const char *p) {
         const char *t;
 
@@ -1476,27 +1456,6 @@ bool string_is_safe(const char *p) {
         return true;
 }
 
-bool path_is_safe(const char *p) {
-
-        if (isempty(p))
-                return false;
-
-        if (streq(p, "..") || startswith(p, "../") || endswith(p, "/..") || strstr(p, "/../"))
-                return false;
-
-        if (strlen(p)+1 > PATH_MAX)
-                return false;
-
-        /* The following two checks are not really dangerous, but hey, they still are confusing */
-        if (streq(p, ".") || startswith(p, "./") || endswith(p, "/.") || strstr(p, "/./"))
-                return false;
-
-        if (strstr(p, "//"))
-                return false;
-
-        return true;
-}
-
 /* hey glibc, APIs with callbacks without a user pointer are so useless */
 void *xbsearch_r(const void *key, const void *base, size_t nmemb, size_t size,
                  int (*compar) (const void *, const void *, void *), void *arg) {

src/basic/util.h

@@ -303,8 +303,6 @@ _alloc_(2, 3) static inline void *memdup_multiply(const void *p, size_t a, size_
         return memdup(p, a * b);
 }
 
-bool filename_is_valid(const char *p) _pure_;
-bool path_is_safe(const char *p) _pure_;
 bool string_is_safe(const char *p) _pure_;
 
 /**

src/hostname/hostnamed.c

@@ -31,6 +31,7 @@
 #include "fileio-label.h"
 #include "hostname-util.h"
 #include "parse-util.h"
+#include "path-util.h"
 #include "selinux-util.h"
 #include "strv.h"
 #include "util.h"

src/import/pull-common.c

@@ -27,6 +27,7 @@
 #include "escape.h"
 #include "fd-util.h"
 #include "io-util.h"
+#include "path-util.h"
 #include "process-util.h"
 #include "pull-common.h"
 #include "pull-job.h"

src/libsystemd/sd-login/sd-login.c

@@ -37,6 +37,7 @@
 #include "login-util.h"
 #include "macro.h"
 #include "parse-util.h"
+#include "path-util.h"
 #include "socket-util.h"
 #include "string-util.h"
 #include "strv.h"

src/locale/localed.c

@@ -30,20 +30,21 @@
 
 #include "sd-bus.h"
 
-#include "util.h"
-#include "mkdir.h"
-#include "strv.h"
-#include "def.h"
-#include "env-util.h"
-#include "fileio.h"
-#include "fileio-label.h"
-#include "bus-util.h"
 #include "bus-error.h"
 #include "bus-message.h"
+#include "bus-util.h"
+#include "def.h"
+#include "env-util.h"
 #include "event-util.h"
-#include "locale-util.h"
-#include "selinux-util.h"
 #include "fd-util.h"
+#include "fileio-label.h"
+#include "fileio.h"
+#include "locale-util.h"
+#include "mkdir.h"
+#include "path-util.h"
+#include "selinux-util.h"
+#include "strv.h"
+#include "util.h"
 
 enum {
         /* We don't list LC_ALL here on purpose. People should be

src/shared/dropin.c

@@ -25,6 +25,7 @@
 #include "fd-util.h"
 #include "fileio-label.h"
 #include "mkdir.h"
+#include "path-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "util.h"

src/shared/import-util.c

@@ -20,9 +20,10 @@
 ***/
 
 #include "btrfs-util.h"
+#include "import-util.h"
+#include "path-util.h"
 #include "string-util.h"
 #include "util.h"
-#include "import-util.h"
 
 int import_url_last_component(const char *url, char **ret) {
         const char *e, *p;

src/test/test-util.c

@@ -50,6 +50,7 @@
 #include "user-util.h"
 #include "util.h"
 #include "virt.h"
+#include "path-util.h"
 
 static void test_streq_ptr(void) {
         assert_se(streq_ptr(NULL, NULL));