Merge pull request #11639 from rouault/CPLFormFilenameSafe

Safer CPL path functions (RFC 105 implementation)
OSGeo · Jan 17, 2025 · 48b704b · 48b704b
2 parents f41af17 + 99dc672
commit 48b704b
Show file tree

Hide file tree

Showing 352 changed files with 4,172 additions and 3,396 deletions.
diff --git a/alg/gdal_rpc.cpp b/alg/gdal_rpc.cpp
@@ -1149,7 +1149,9 @@ static bool RPCInverseTransformPoint(GDALRPCTransformInfo *psTransform,
     if (psTransform->pszRPCInverseLog)
     {
         fpLog = VSIFOpenL(
-            CPLResetExtension(psTransform->pszRPCInverseLog, "csvt"), "wb");
+            CPLResetExtensionSafe(psTransform->pszRPCInverseLog, "csvt")
+                .c_str(),
+            "wb");
         if (fpLog != nullptr)
         {
             VSIFPrintfL(fpLog, "Integer,Real,Real,Real,String,Real,Real\n");

diff --git a/alg/gdalgeoloc.cpp b/alg/gdalgeoloc.cpp
@@ -1817,9 +1817,11 @@ void *GDALCreateGeoLocTransformerEx(GDALDatasetH hBaseDS,
                 papszGeolocationInfo, "X_DATASET_RELATIVE_TO_SOURCE", "NO")) &&
             (hBaseDS != nullptr || pszSourceDataset))
         {
-            CPLString osFilename = CPLProjectRelativeFilename(
-                CPLGetDirname(pszSourceDataset ? pszSourceDataset
-                                               : GDALGetDescription(hBaseDS)),
+            const CPLString osFilename = CPLProjectRelativeFilenameSafe(
+                CPLGetDirnameSafe(pszSourceDataset
+                                      ? pszSourceDataset
+                                      : GDALGetDescription(hBaseDS))
+                    .c_str(),
                 pszDSName);
             psTransform->hDS_X =
                 GDALOpenShared(osFilename.c_str(), GA_ReadOnly);
@@ -1849,9 +1851,11 @@ void *GDALCreateGeoLocTransformerEx(GDALDatasetH hBaseDS,
                 papszGeolocationInfo, "Y_DATASET_RELATIVE_TO_SOURCE", "NO")) &&
             (hBaseDS != nullptr || pszSourceDataset))
         {
-            CPLString osFilename = CPLProjectRelativeFilename(
-                CPLGetDirname(pszSourceDataset ? pszSourceDataset
-                                               : GDALGetDescription(hBaseDS)),
+            const CPLString osFilename = CPLProjectRelativeFilenameSafe(
+                CPLGetDirnameSafe(pszSourceDataset
+                                      ? pszSourceDataset
+                                      : GDALGetDescription(hBaseDS))
+                    .c_str(),
                 pszDSName);
             psTransform->hDS_Y =
                 GDALOpenShared(osFilename.c_str(), GA_ReadOnly);

diff --git a/alg/gdalgeoloc_dataset_accessor.h b/alg/gdalgeoloc_dataset_accessor.h
@@ -104,8 +104,8 @@ bool GDALGeoLocDatasetAccessors::AllocateBackMap()
 
     // CPLResetExtension / CPLGenerateTempFilename generate short-lived strings,
     // so store them in a long-lived std::string
-    const std::string osBackmapTmpFilename =
-        CPLResetExtension(CPLGenerateTempFilename(nullptr), "tif");
+    const std::string osBackmapTmpFilename = CPLResetExtensionSafe(
+        CPLGenerateTempFilenameSafe(nullptr).c_str(), "tif");
     m_poBackmapTmpDataset = poDriver->Create(
         osBackmapTmpFilename.c_str(), m_psTransform->nBackMapWidth,
         m_psTransform->nBackMapHeight, 2, GDT_Float32,
@@ -124,8 +124,8 @@ bool GDALGeoLocDatasetAccessors::AllocateBackMap()
 
     // CPLResetExtension / CPLGenerateTempFilename generate short-lived strings,
     // so store them in a long-lived std::string
-    const std::string osBackmapWeightsTmpFilename =
-        CPLResetExtension(CPLGenerateTempFilename(nullptr), "tif");
+    const std::string osBackmapWeightsTmpFilename = CPLResetExtensionSafe(
+        CPLGenerateTempFilenameSafe(nullptr).c_str(), "tif");
     m_poBackmapWeightsTmpDataset = poDriver->Create(
         osBackmapWeightsTmpFilename.c_str(), m_psTransform->nBackMapWidth,
         m_psTransform->nBackMapHeight, 1, GDT_Float32,
@@ -209,8 +209,8 @@ bool GDALGeoLocDatasetAccessors::LoadGeoloc(bool bIsRegularGrid)
 
         // CPLResetExtension / CPLGenerateTempFilename generate short-lived
         // strings, so store them in a long-lived std::string
-        const std::string osGeolocTmpFilename =
-            CPLResetExtension(CPLGenerateTempFilename(nullptr), "tif");
+        const std::string osGeolocTmpFilename = CPLResetExtensionSafe(
+            CPLGenerateTempFilenameSafe(nullptr).c_str(), "tif");
         m_poGeolocTmpDataset =
             poDriver->Create(osGeolocTmpFilename.c_str(), nXSize, nYSize, 2,
                              GDT_Float64, m_aosGTiffCreationOptions.List());

diff --git a/alg/gdalproximity.cpp b/alg/gdalproximity.cpp
@@ -263,7 +263,7 @@ CPLErr CPL_STDCALL GDALComputeProximity(GDALRasterBandH hSrcBand,
             eErr = CE_Failure;
             goto end;
         }
-        CPLString osTmpFile = CPLGenerateTempFilename("proximity");
+        CPLString osTmpFile = CPLGenerateTempFilenameSafe("proximity");
         hWorkProximityDS = GDALCreate(hDriver, osTmpFile, nXSize, nYSize, 1,
                                       GDT_Float32, nullptr);
         if (hWorkProximityDS == nullptr)

diff --git a/alg/rasterfill.cpp b/alg/rasterfill.cpp
@@ -462,7 +462,7 @@ CPLErr CPL_STDCALL GDALFillNodata(GDALRasterBandH hTargetBand,
         aosWorkFileOptions.SetNameValue("BIGTIFF", "IF_SAFER");
     }
 
-    const CPLString osTmpFile = CPLGenerateTempFilename("");
+    const CPLString osTmpFile = CPLGenerateTempFilenameSafe("");
 
     std::unique_ptr<GDALDataset> poTmpMaskDS;
     if (hMaskBand == nullptr)

diff --git a/apps/dumpoverviews.cpp b/apps/dumpoverviews.cpp
@@ -134,17 +134,19 @@ int main(int argc, char **argv)
             /* --------------------------------------------------------------------
              */
             CPLString osFilename;
-            osFilename.Printf("%s_%d_%d.tif", CPLGetBasename(pszSrcFilename),
+            osFilename.Printf("%s_%d_%d.tif",
+                              CPLGetBasenameSafe(pszSrcFilename).c_str(),
                               iBand + 1, iOverview);
             if (!DumpBand(hSrcDS, hSrcOver, osFilename))
                 bRet = false;
 
             if (bMasks)
             {
                 CPLString osMaskFilename;
-                osMaskFilename.Printf("%s_%d_%d_mask.tif",
-                                      CPLGetBasename(pszSrcFilename), iBand + 1,
-                                      iOverview);
+                osMaskFilename.Printf(
+                    "%s_%d_%d_mask.tif",
+                    CPLGetBasenameSafe(pszSrcFilename).c_str(), iBand + 1,
+                    iOverview);
                 if (!DumpBand(hSrcDS, GDALGetMaskBand(hSrcOver),
                               osMaskFilename))
                     bRet = false;
@@ -159,7 +161,8 @@ int main(int argc, char **argv)
         if (bMasks)
         {
             CPLString osFilename;
-            osFilename.Printf("%s_%d_mask.tif", CPLGetBasename(pszSrcFilename),
+            osFilename.Printf("%s_%d_mask.tif",
+                              CPLGetBasenameSafe(pszSrcFilename).c_str(),
                               iBand + 1);
             if (!DumpBand(hSrcDS, GDALGetMaskBand(hBaseBand), osFilename))
                 bRet = false;

diff --git a/apps/gdal_contour.cpp b/apps/gdal_contour.cpp
@@ -388,7 +388,8 @@ MAIN_START(argc, argv)
             {
                 CPLError(CE_Warning, CPLE_AppDefined,
                          "Several drivers matching %s extension. Using %s",
-                         CPLGetExtension(sOptions.aosDestFilename.c_str()),
+                         CPLGetExtensionSafe(sOptions.aosDestFilename.c_str())
+                             .c_str(),
                          aoDrivers[0].c_str());
             }
             osFormat = aoDrivers[0];

diff --git a/apps/gdal_footprint_lib.cpp b/apps/gdal_footprint_lib.cpp
@@ -568,7 +568,8 @@ GetOutputLayerAndUpdateDstDS(const char *pszDest, GDALDatasetH &hDstDS,
                 {
                     CPLError(CE_Warning, CPLE_AppDefined,
                              "Several drivers matching %s extension. Using %s",
-                             CPLGetExtension(pszDest), aoDrivers[0].c_str());
+                             CPLGetExtensionSafe(pszDest).c_str(),
+                             aoDrivers[0].c_str());
                 }
                 osFormat = aoDrivers[0];
             }
@@ -633,7 +634,7 @@ GetOutputLayerAndUpdateDstDS(const char *pszDest, GDALDatasetH &hDstDS,
             if (poDstDS->GetDriver() &&
                 EQUAL(poDstDS->GetDriver()->GetDescription(), "ESRI Shapefile"))
             {
-                osDestLayerName = CPLGetBasename(pszDest);
+                osDestLayerName = CPLGetBasenameSafe(pszDest);
             }
             else
             {
@@ -1187,8 +1188,8 @@ static bool GDALFootprintProcess(GDALDataset *poSrcDS, OGRLayer *poDstLayer,
                 char *pszCurDir = CPLGetCurrentDir();
                 if (pszCurDir)
                 {
-                    osFilename = CPLProjectRelativeFilename(pszCurDir,
-                                                            osFilename.c_str());
+                    osFilename = CPLProjectRelativeFilenameSafe(
+                        pszCurDir, osFilename.c_str());
                     CPLFree(pszCurDir);
                 }
             }

diff --git a/apps/gdal_translate_bin.cpp b/apps/gdal_translate_bin.cpp
@@ -198,11 +198,12 @@ MAIN_START(argc, argv)
             char *pszSubDest = static_cast<char *>(
                 CPLMalloc(strlen(sOptionsForBinary.osDest.c_str()) + 32));
 
-            CPLString osPath = CPLGetPath(sOptionsForBinary.osDest.c_str());
-            CPLString osBasename =
-                CPLGetBasename(sOptionsForBinary.osDest.c_str());
-            CPLString osExtension =
-                CPLGetExtension(sOptionsForBinary.osDest.c_str());
+            const CPLString osPath =
+                CPLGetPathSafe(sOptionsForBinary.osDest.c_str());
+            const CPLString osBasename =
+                CPLGetBasenameSafe(sOptionsForBinary.osDest.c_str());
+            const CPLString osExtension =
+                CPLGetExtensionSafe(sOptionsForBinary.osDest.c_str());
             CPLString osTemp;
 
             const char *pszFormat = nullptr;
@@ -226,7 +227,7 @@ MAIN_START(argc, argv)
                 char *pszSource =
                     CPLStrdup(strstr(papszSubdatasets[i], "=") + 1);
                 osTemp = CPLSPrintf(pszFormat, osBasename.c_str(), i / 2 + 1);
-                osTemp = CPLFormFilename(osPath, osTemp, osExtension);
+                osTemp = CPLFormFilenameSafe(osPath, osTemp, osExtension);
                 strcpy(pszSubDest, osTemp.c_str());
                 hDataset = GDALOpenEx(pszSource, GDAL_OF_RASTER, nullptr,
                                       sOptionsForBinary.aosOpenOptions.List(),

diff --git a/apps/gdalbuildvrt_bin.cpp b/apps/gdalbuildvrt_bin.cpp
@@ -78,9 +78,10 @@ MAIN_START(argc, argv)
             if (hDriver &&
                 !(EQUAL(GDALGetDriverShortName(hDriver), "VRT") ||
                   (EQUAL(GDALGetDriverShortName(hDriver), "API_PROXY") &&
-                   EQUAL(
-                       CPLGetExtension(sOptionsForBinary.osDstFilename.c_str()),
-                       "VRT"))))
+                   EQUAL(CPLGetExtensionSafe(
+                             sOptionsForBinary.osDstFilename.c_str())
+                             .c_str(),
+                         "VRT"))))
             {
                 fprintf(
                     stderr,

diff --git a/apps/gdalbuildvrt_lib.cpp b/apps/gdalbuildvrt_lib.cpp
@@ -1684,7 +1684,7 @@ static bool add_file_to_list(const char *filename, const char *tile_index,
                              CPLStringList &aosList)
 {
 
-    if (EQUAL(CPLGetExtension(filename), "SHP"))
+    if (EQUAL(CPLGetExtensionSafe(filename).c_str(), "SHP"))
     {
         /* Handle gdaltindex Shapefile as a special case */
         auto poDS = std::unique_ptr<GDALDataset>(GDALDataset::Open(filename));

diff --git a/apps/gdaldem_lib.cpp b/apps/gdaldem_lib.cpp
@@ -2321,7 +2321,7 @@ static CPLErr GDALGenerateVRTColorRelief(const char *pszDstFilename,
     GDALGetBlockSize(hSrcBand, &nBlockXSize, &nBlockYSize);
 
     int bRelativeToVRT = FALSE;
-    CPLString osPath = CPLGetPath(pszDstFilename);
+    const CPLString osPath = CPLGetPathSafe(pszDstFilename);
     char *pszSourceFilename = CPLStrdup(CPLExtractRelativePath(
         osPath.c_str(), GDALGetDescription(hSrcDataset), &bRelativeToVRT));
 

diff --git a/apps/gdalmanage.cpp b/apps/gdalmanage.cpp
@@ -66,8 +66,8 @@ static void ProcessIdentifyTarget(const char *pszTarget,
         if (EQUAL(papszSiblingList[i], "..") || EQUAL(papszSiblingList[i], "."))
             continue;
 
-        CPLString osSubTarget =
-            CPLFormFilename(pszTarget, papszSiblingList[i], nullptr);
+        const CPLString osSubTarget =
+            CPLFormFilenameSafe(pszTarget, papszSiblingList[i], nullptr);
 
         ProcessIdentifyTarget(osSubTarget, papszSiblingList, bRecursive,
                               bReportFailures, bForceRecurse);

diff --git a/apps/gdalmdimtranslate_lib.cpp b/apps/gdalmdimtranslate_lib.cpp
@@ -1794,7 +1794,7 @@ GDALMultiDimTranslate(const char *pszDest, GDALDatasetH hDstDS, int nSrcCount,
     {
         if (osFormat.empty())
         {
-            if (EQUAL(CPLGetExtension(pszDest), "nc"))
+            if (EQUAL(CPLGetExtensionSafe(pszDest).c_str(), "nc"))
                 osFormat = "netCDF";
             else
                 osFormat = GetOutputDriverForRaster(pszDest);

diff --git a/apps/gdaltindex_lib.cpp b/apps/gdaltindex_lib.cpp
@@ -458,8 +458,8 @@ struct GDALTileIndexTileIterator
                     continue;
             }
 
-            const std::string osFilename =
-                CPLFormFilename(osCurDir.c_str(), psEntry->pszName, nullptr);
+            const std::string osFilename = CPLFormFilenameSafe(
+                osCurDir.c_str(), psEntry->pszName, nullptr);
             if (VSI_ISDIR(psEntry->nMode))
             {
                 auto poSrcDS = std::unique_ptr<GDALDataset>(
@@ -607,7 +607,8 @@ GDALDatasetH GDALTileIndex(const char *pszDest, int nSrcCount,
                 {
                     CPLError(CE_Warning, CPLE_AppDefined,
                              "Several drivers matching %s extension. Using %s",
-                             CPLGetExtension(pszDest), aoDrivers[0].c_str());
+                             CPLGetExtensionSafe(pszDest).c_str(),
+                             aoDrivers[0].c_str());
                 }
                 osFormat = aoDrivers[0];
             }
@@ -647,7 +648,7 @@ GDALDatasetH GDALTileIndex(const char *pszDest, int nSrcCount,
             if (EQUAL(osFormat.c_str(), "ESRI Shapefile") ||
                 VSIStat(pszDest, &sStat) == 0)
             {
-                osLayerName = CPLGetBasename(pszDest);
+                osLayerName = CPLGetBasenameSafe(pszDest);
             }
             else
             {
@@ -999,7 +1000,7 @@ GDALDatasetH GDALTileIndex(const char *pszDest, int nSrcCount,
             CPLIsFilenameRelative(osSrcFilename.c_str()) &&
             VSIStat(osSrcFilename.c_str(), &sStatBuf) == 0)
         {
-            osFileNameToWrite = CPLProjectRelativeFilename(
+            osFileNameToWrite = CPLProjectRelativeFilenameSafe(
                 osCurrentPath.c_str(), osSrcFilename.c_str());
         }
         else

diff --git a/apps/gdaltorture.cpp b/apps/gdaltorture.cpp
@@ -204,7 +204,7 @@ static void ProcessTortureTarget(const char *pszTarget, char **papszSiblingList,
             continue;
 
         const CPLString osSubTarget =
-            CPLFormFilename(pszTarget, papszSiblingList[i], nullptr);
+            CPLFormFilenameSafe(pszTarget, papszSiblingList[i], nullptr);
 
         ProcessTortureTarget(osSubTarget, papszSiblingList, bRecursive,
                              bReportFailures, bReadWriteOperations);

diff --git a/apps/gdalwarp_lib.cpp b/apps/gdalwarp_lib.cpp
@@ -1476,7 +1476,7 @@ static bool CheckOptions(const char *pszDest, GDALDatasetH hDstDS,
     }
 
     if ((psOptions->osFormat.empty() &&
-         EQUAL(CPLGetExtension(pszDest), "VRT")) ||
+         EQUAL(CPLGetExtensionSafe(pszDest).c_str(), "VRT")) ||
         (EQUAL(psOptions->osFormat.c_str(), "VRT")))
     {
         if (hDstDS != nullptr)

diff --git a/apps/gnmmanage.cpp b/apps/gnmmanage.cpp
@@ -507,25 +507,27 @@ MAIN_START(nArgc, papszArgv)
     }
     else if (stOper == op_create)
     {
-        const char *pszPath;
-        const char *pszNetworkName = CSLFetchNameValue(papszDSCO, GNM_MD_NAME);
+        std::string osPath;
+        std::string osNetworkName =
+            CSLFetchNameValueDef(papszDSCO, GNM_MD_NAME, "");
 
         if (pszDataSource == nullptr)
             Usage(true, "No network dataset provided");
 
         // the DSCO have priority on input keys
-        if (nullptr == pszNetworkName)
+        if (osNetworkName.empty())
         {
-            pszPath = CPLGetPath(pszDataSource);
-            pszNetworkName = CPLGetBasename(pszDataSource);
-            papszDSCO = CSLAddNameValue(papszDSCO, GNM_MD_NAME, pszNetworkName);
+            osPath = CPLGetPathSafe(pszDataSource);
+            osNetworkName = CPLGetBasenameSafe(pszDataSource);
+            papszDSCO =
+                CSLAddNameValue(papszDSCO, GNM_MD_NAME, osNetworkName.c_str());
         }
         else
         {
-            pszPath = pszDataSource;
+            osPath = pszDataSource;
         }
 
-        if (pszNetworkName == nullptr)
+        if (osNetworkName.empty())
             Usage(true, "No dataset name provided");
 
         const char *pszFinalSRS = CSLFetchNameValue(papszDSCO, GNM_MD_SRS);
@@ -553,16 +555,18 @@ MAIN_START(nArgc, papszArgv)
             if (!CPLFetchBool(papszMD, GDAL_DCAP_GNM, false))
                 Usage(true, "not a GNM driver");
 
-            poDS = cpl::down_cast<GNMNetwork *>(
-                poDriver->Create(pszPath, 0, 0, 0, GDT_Unknown, papszDSCO));
+            poDS = cpl::down_cast<GNMNetwork *>(poDriver->Create(
+                osPath.c_str(), 0, 0, 0, GDT_Unknown, papszDSCO));
 
             if (nullptr == poDS)
             {
                 fprintf(
                     stderr,
                     "\nFAILURE: Failed to create network in a new dataset at "
                     "%s and with driver %s\n",
-                    CPLFormFilename(pszPath, pszNetworkName, nullptr),
+                    CPLFormFilenameSafe(osPath.c_str(), osNetworkName.c_str(),
+                                        nullptr)
+                        .c_str(),
                     pszFormat);
                 nRet = 1;
             }
@@ -571,7 +575,9 @@ MAIN_START(nArgc, papszArgv)
                 if (bQuiet == FALSE)
                     printf("\nNetwork created successfully in a "
                            "new dataset at %s\n",
-                           CPLFormFilename(pszPath, pszNetworkName, nullptr));
+                           CPLFormFilenameSafe(osPath.c_str(),
+                                               osNetworkName.c_str(), nullptr)
+                               .c_str());
             }
         }
     }

diff --git a/apps/nearblack_lib_floodfill.cpp b/apps/nearblack_lib_floodfill.cpp
@@ -509,7 +509,8 @@ bool GDALNearblackFloodFillAlg::Process()
     }
     else
     {
-        osVisitedDataset = CPLGenerateTempFilename(osVisitedDataset.c_str());
+        osVisitedDataset =
+            CPLGenerateTempFilenameSafe(osVisitedDataset.c_str());
     }
     CPLStringList aosOptions;
     if (strcmp(pszTmpDriver, "GTiff") == 0)