path-utils: Check directory from preference is writable.

LiberalArtist · LiberalArtist · commit 6d080b028281 · 2017-11-21T20:08:18.000-06:00
Add tests for this and to check that excessively-long path are shortened.

Update docs accordingly, including specifying what "excessively long"
currently means.

Note: may need to remove the permissions check from `framework/private/main`
if the predicate given to `preferences:set-default` could cause the preference
value in the file to be overwritten.
diff --git a/gui-lib/framework/main.rkt b/gui-lib/framework/main.rkt
@@ -546,9 +546,9 @@
  The value of @racket[(preferences:get 'path-utils:backup-dir)]
  determines the directory of the resulting path.
  The value of this preference must be either a path
- satisfying @racket[complete-path?] and @racket[directory-exists?],
+ satisfying @racket[complete-path?],
  in which case it is additionally checked to ensure that the
- directory has not been deleted since the preference was set,
+ directory exists and is writable,
  or @racket[#f] (the default).
  When the preference contains a valid path,
  the resulting path will use that directory;
@@ -557,7 +557,7 @@
  
  The final element of the resulting path is derived from @racket[filename].
  When @racket[(preferences:get 'path-utils:backup-dir)] does not specify
- an extant directory, the final element of @racket[filename] is
+ a valid directory, the final element of @racket[filename] is
  used directly as the base for the new element.
  Otherwise, the base is formed by transforming the complete path to @racket[filename]
  (resolved, if necessary, relative to @racket[(current-directory)])
@@ -577,6 +577,13 @@
              may be shortened by replacing some bytes in the middle with
              @racket[(bytes-append separator-byte #"..." separator-byte)]
              (i.e. @litchar{!...!} with @litchar{!} as the @racket[separator-byte]).}]
+
+ @margin-note{
+  Currently, "excessively long" is defined as 255 bytes.
+  This is based on @hyperlink["https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx#maxpath"]{
+   a common value} for the maximum length of an individual element of an extended-length path
+  on Windows, but the limit is currently enforced consistently on all platforms.
+ }
  
  In either case, the final path element is formed from the base
  in a platform-specific manner:
@@ -598,19 +605,19 @@
  determines the directory of the resulting path
  in much the same way as @racket[path-utils:generate-backup-name]
  with @racket['path-utils:backup-dir].
- When the preference value is @racket[#f] (the default) or a
- directory that no longer exists, the
+ When the preference value specifies a directory that exists and
+ is writable, the resulting path will use that directory.
+ Otherwise, and by default, the
  result will use the same directory as @racket[filename]
  (or, when @racket[filename] is @racket[#f], the directory determined by
  @racket[(find-system-path 'doc-dir)]).
- Otherwise, the resulting path will use the directory specified by the preference.
 
  When @racket[filename] is @racket[#f], the final element of the
  resulting path will be an automatically-generated unique name.
  
  Otherwise, the final path element will be derived from @racket[filename].
  When @racket[(preferences:get 'path-utils:autosave-dir)] does not return
- an extant directory, the last element of @racket[filename] will be
+ a valid directory, the last element of @racket[filename] will be
  used directly as the base for the new element.
  When a valid autosave directory is specified, the base will be
  the complete path to @racket[filename],
diff --git a/gui-lib/framework/private/main.rkt b/gui-lib/framework/private/main.rkt
@@ -605,7 +605,12 @@
   (or (not v)
       (and (path? v)
            (complete-path? v)
-           (directory-exists? v))))
+           (directory-exists? v)
+           ; Q: Could this cause the user-specified value to be overwritten
+           ; if we don't currently have write permissions? We probably don't
+           ; want that to happen, so maybe we should check this only when the
+           ; value is used.
+           (memq 'write (file-or-directory-permissions v)))))
 
 (define (marshall:maybe-path->bytes v)
   (and (path? v) (path->bytes v)))
diff --git a/gui-lib/framework/private/path-utils.rkt b/gui-lib/framework/private/path-utils.rkt
@@ -14,6 +14,7 @@
     (let ([maybe-dir (preferences:get pref-sym)])
       (and maybe-dir
            (directory-exists? maybe-dir)
+           (memq 'write (file-or-directory-permissions maybe-dir))
            maybe-dir))))
 
 (define current-backup-dir
diff --git a/gui-test/framework/tests/path-utils.rkt b/gui-test/framework/tests/path-utils.rkt
@@ -8,16 +8,84 @@
                      generate-backup-name])
          racket/file
          racket/contract/base
+         racket/sequence
+         racket/list
          framework/preferences)
 
-;; For uniform comparisons, all tests use simplified paths normalized
-;; with path->directory-path when applicable.
+;; For uniform comparisons with equal?, all tests use simplified paths 
+;; normalized with path->directory-path when applicable.
 
+
+;; path-base: path? -> path?
+;; Returns the directory of the input path (i.e. removes the final element),
+;; normalized for comparison with equal?
 (define (path-base pth)
   (define-values (base name dir?)
     (split-path pth))
   (path->directory-path base))
 
+
+;; remove-all-write-permissions: path? -> any
+;; Modifies the permissions of the given file/directory so no one can write to it
+(define (remove-all-write-permissions pth)
+  (define old-permissions-bits
+    (file-or-directory-permissions pth 'bits))
+  (file-or-directory-permissions
+   pth
+   (bitwise-and old-permissions-bits
+                (bitwise-not user-write-bit)
+                (bitwise-not group-write-bit)
+                (bitwise-not other-write-bit))))
+
+
+;; call-with-preference-not-writable: procedure? (-> any) -> any
+;; Takes a procedure produced with preferences:get/set and a thunk.
+;; Calls the thunk in a context where:
+;;   (a) it ensures the preference will have the value it did
+;;       when call-with-preference-not-writable was called, which
+;;       is assumed to be a path, and
+;;   (b) it removes all write permissions from the directory
+;;       specified by the preference before calling the thunk.
+;; After the thunk returns (or control escapes), call-with-preference-not-writable::
+;;   (a) restores the directory's original permissions and
+;;   (b) restores the preference to its initial value.
+(define (call-with-preference-not-writable get/set-proc thunk)
+  (define pth
+    (get/set-proc))
+  (define old-permissions-bits
+    (file-or-directory-permissions pth 'bits))
+  (dynamic-wind
+   (λ ()
+     (get/set-proc pth)
+     (remove-all-write-permissions pth))
+   thunk
+   (λ ()
+     (file-or-directory-permissions pth old-permissions-bits)
+     (get/set-proc pth))))
+
+
+;; See framework/private/path-utils for rationale
+(define max-path-element-length
+  255)
+
+
+;                                          
+;                                          
+;                                          
+;                                          
+;    ;;                      ;;            
+;    ;;                      ;;            
+;  ;;;;;;;    ;;;     ;;   ;;;;;;;    ;;   
+;    ;;     ;;   ;  ;;  ;    ;;     ;;  ;  
+;    ;;     ;    ;   ;       ;;      ;     
+;    ;;    ;;;;;;;;   ;;     ;;       ;;   
+;    ;;     ;           ;;   ;;         ;; 
+;     ;     ;;   ;  ;   ;     ;     ;   ;  
+;      ;;;    ;;;    ;;;       ;;;   ;;;   
+;                                          
+;                                          
+;                                          
+;                                          
 (let ([the-prefs-table (make-hash)])
   (parameterize ([preferences:low-level-put-preferences
                   (λ (syms vals)
@@ -42,6 +110,21 @@
       (build-path current-dir "somewhere" elem))
     (define dir-of-complete
       (path-base complete))
+    (define too-long-pth
+      (build-path
+       current-dir
+       (bytes->path-element
+        (bytes-append
+         (list->bytes
+          (for/list ([i (in-range (+ 10 max-path-element-length))]
+                     [b (in-cycle
+                         (sequence-filter (compose1 (λ (c)
+                                                      (or (char-alphabetic? c)
+                                                          (char-numeric? c)))
+                                                    integer->char)
+                                          (in-range 48 123)))])
+            b))
+         #".rkt"))))
     ;; Tests with #f for directories
     (current-backup-dir #f)
     (current-autosave-dir #f)
@@ -96,6 +179,24 @@
             (equal? (simplify-path (generate-autosave-name complete))
                     (simplify-path (generate-autosave-name clashing-name)))
             "files with the same name in different directories should not collide")
+           ; long path element
+           (check-not-false
+            (< (bytes-length (path-element->bytes
+                              (last (explode-path (generate-autosave-name
+                                                   too-long-pth)))))
+               max-path-element-length)
+            "excessively long elements should be shortened")
+           ; write permission
+           (call-with-preference-not-writable
+            current-autosave-dir
+            (λ ()
+              (test-case
+               "autosave dir not writable"
+               (check-false (memq 'write (file-or-directory-permissions autosave-dir))
+                            "autosave dir should have been made non-writable")
+               (check-equal? (path-base (generate-autosave-name complete))
+                             dir-of-complete
+                             "should fall back when autosave dir not writable"))))
            ; delete
            (delete-directory autosave-dir)
            (check-equal? (path-base (generate-autosave-name complete))
@@ -112,6 +213,24 @@
             (equal? (simplify-path (generate-backup-name complete))
                     (simplify-path (generate-backup-name clashing-name)))
             "files with the same name in different directories should not collide")
+           ; long path element
+           (check-not-false
+            (< (bytes-length (path-element->bytes
+                              (last (explode-path (generate-backup-name
+                                                   too-long-pth)))))
+               max-path-element-length)
+            "excessively long elements should be shortened")
+           ; write permission
+           (call-with-preference-not-writable
+            current-backup-dir
+            (λ ()
+              (test-case
+               "backup dir not writable"
+               (check-false (memq 'write (file-or-directory-permissions backup-dir))
+                            "backup dir should have been made non-writable")
+               (check-equal? (path-base (generate-backup-name complete))
+                             dir-of-complete
+                             "should fall back when backup dir not writable"))))
            ; delete
            (delete-directory backup-dir)
            (check-equal? (path-base (generate-backup-name complete))
