1/*
2 * ------+---------+---------+---------+---------+---------+---------+---------*
3 * Copyright (c) 2001,2011  - Garance Alistair Drosehn <gad@FreeBSD.org>.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *   1. Redistributions of source code must retain the above copyright
10 *      notice, this list of conditions and the following disclaimer.
11 *   2. Redistributions in binary form must reproduce the above copyright
12 *      notice, this list of conditions and the following disclaimer in the
13 *      documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 *
27 * The views and conclusions contained in the software and documentation
28 * are those of the authors and should not be interpreted as representing
29 * official policies, either expressed or implied, of the FreeBSD Project.
30 *
31 * ------+---------+---------+---------+---------+---------+---------+---------*
32 */
33
34#include "lp.cdefs.h"		/* A cross-platform version of <sys/cdefs.h> */
35__FBSDID("$FreeBSD$");
36
37/*
38 * ctlinfo - This collection of routines will know everything there is to
39 * know about the information inside a control file ('cf*') which is used
40 * to describe a print job in lpr & friends.  The eventual goal is that it
41 * will be the ONLY source file to know what's inside these control-files.
42 */
43
44/*
45 * Some define's useful for debuging.
46 * TRIGGERTEST_FNAME and DEBUGREADCF_FNAME, allow us to do testing on
47 * a per-spool-directory basis.
48 */
49/* #define TRIGGERTEST_FNAME "LpdTestRenameTF" */
50/* #define DEBUGREADCF_FNAME "LpdDebugReadCF" */
51/* #define LEAVE_TMPCF_FILES 1 */
52
53#include <sys/types.h>
54#include <sys/stat.h>
55#include <ctype.h>
56#include <errno.h>
57#include <fcntl.h>
58#include <limits.h>
59#include <netdb.h>
60#include <pwd.h>
61#include <stdio.h>
62#include <stdlib.h>
63#include <string.h>
64#include <syslog.h>
65#include <unistd.h>
66#include "ctlinfo.h"
67
68struct cjprivate {
69	struct cjobinfo pub;
70	char	*cji_buff;		/* buffer for getline */
71	char	*cji_eobuff;		/* last byte IN the buffer */
72	FILE	*cji_fstream;
73	int	 cji_buffsize;		/* # bytes in the buffer */
74	int	 cji_dumpit;
75};
76
77/*
78 * All the following take a parameter of 'int', but expect values in the
79 * range of unsigned char.  Define wrappers which take values of type 'char',
80 * whether signed or unsigned, and ensure they end up in the right range.
81 */
82#define	isdigitch(Anychar) isdigit((u_char)(Anychar))
83#define	islowerch(Anychar) islower((u_char)(Anychar))
84#define	isupperch(Anychar) isupper((u_char)(Anychar))
85#define	tolowerch(Anychar) tolower((u_char)(Anychar))
86
87#define	OTHER_USERID_CHARS  "-_"	/* special chars valid in a userid */
88
89#define roundup(x, y)   ((((x)+((y)-1))/(y))*(y))
90
91/*
92 * This has to be large enough to fit the maximum length of a single line
93 * in a control-file, including the leading 'command id', a trailing '\n'
94 * and ending '\0'.  The max size of an 'U'nlink line, for instance, is
95 * 1 ('U') + PATH_MAX (filename) + 2 ('\n\0').  The maximum 'H'ost line is
96 * 1 ('H') + NI_MAXHOST (remote hostname) + 2 ('\n\0').  Other lines can be
97 * even longer than those.  So, pick some nice, large, arbitrary value.
98 */
99#define CTI_LINEMAX  PATH_MAX+NI_MAXHOST+5
100
101extern const char	*from_host;	/* client's machine name */
102extern const char	*from_ip;	/* client machine's IP address */
103
104__BEGIN_DECLS
105void		 ctl_dumpcji(FILE *_dbg_stream, const char *_heading,
106		    struct cjobinfo *_cjinf);
107static char	*ctl_getline(struct cjobinfo *_cjinf);
108static void	 ctl_rewindcf(struct cjobinfo *_cjinf);
109char		*ctl_rmjob(const char *_ptrname, const char *_cfname);
110__END_DECLS
111
112/*
113 * Here are some things which might be needed when compiling this under
114 * platforms other than FreeBSD.
115 */
116#ifndef __FreeBSD__
117#   ifndef NAME_MAX
118#	define NAME_MAX	255
119#   endif
120#   ifndef NI_MAXHOST
121#	define NI_MAXHOST	1025
122#   endif
123#   ifndef PATH_MAX
124#	define PATH_MAX	1024
125#   endif
126__BEGIN_DECLS
127char		*strdup(const char *_src);
128size_t		 strlcpy(char *_dst, const char *_src, size_t _siz);
129__END_DECLS
130#endif
131
132/*
133 *	Control-files (cf*) have the following format.
134 *
135 *	Each control-file describes a single job.  It will list one or more
136 *	"datafiles" (df*) which should be copied to some printer.  Usually
137 *	there is only one datafile per job.  For the curious, RFC 1179 is an
138 *	informal and out-of-date description of lpr/lpd circa 1990.
139 *
140 *	Each line in the file gives an attribute of the job as a whole, or one
141 *	of the datafiles in the job, or a "command" indicating something to do
142 *	with one of the datafiles.  Each line starts with an 'id' that indicates
143 *	what that line is there for.  The 'id' is historically a single byte,
144 *	but may be multiple bytes (obviously it would be best if multi-byte ids
145 *	started with some letter not already used as a single-byte id!).
146 *	After the 'id', the remainder of the line will be the value of the
147 *	indicated attribute, or a name of the datafile to be operated on.
148 *
149 *	In the following lists of ids, the ids with a '!' in front of them are
150 *	NOT explicitly supported by this version of lpd, or at least "not yet
151 *	supported".  They are only listed for reference purposes, so people
152 *	won't be tempted to reuse the same id for a different purpose.
153 *
154 *	The following are attributes of the job which should not appear more
155 *	than once in a control file.  Only the 'H' and 'P' lines are required
156 *	by the RFC, but some implementations of lpr won't even get that right.
157 *
158 *	! A   - [used by lprNG]
159 *	  B   - As far as I know, this is never used as a single-byte id.
160 *		Therefore, I intend to use it for multi-byte id codes.
161 *	  C   - "class name" to display on banner page (this is sometimes
162 *		used to hold options for print filters)
163 *	! D   - [in lprNG, "timestamp" of when the job was submitted]
164 *	! E   - "environment variables" to set [some versions of linux]
165 *	  H   - "host name" of machine where the original 'lpr' was done
166 *	  I   - "indent", the amount to indent output
167 *	  J   - "job name" to display on banner page
168 *	  L   - "literal" user's name as it should be displayed on the
169 *		banner page (it is the existence of an 'L' line which
170 *		indicates that a job should have a banner page).
171 *	  M   - "mail", userid to mail to when done printing (with email
172 *		going to 'M'@'H', so to speak).
173 *	  P   - "person", the user's login name (e.g. for accounting)
174 *	! Q   - [used by lprNG for queue-name]
175 *	  R   - "resolution" in dpi, for some laser printer queues
176 *	  T   - "title" for files sent thru 'pr'
177 *	  W   - "width" to use for printing plain-text files
178 *	  Z   - In BSD, "locale" to use for datafiles sent thru 'pr'.
179 *		(this BSD usage should move to a different id...)
180 *		[in lprNG - this line holds the "Z options"]
181 *	  1   - "R font file" for files sent thru troff
182 *	  2   - "I font file" for files sent thru troff
183 *	  3   - "B font file" for files sent thru troff
184 *	  4   - "S font file" for files sent thru troff
185 *
186 *	The following are attributes attached to a datafile, and thus may
187 *	appear multiple times in a control file (once per datafile):
188 *
189 *	  N   - "name" of file (for display purposes, used by 'lpq')
190 *	  S   - "stat() info" used for symbolic link ('lpr -s')
191 *		security checks.
192 *
193 *	The following indicate actions to take on a given datafile.  The same
194 *	datafile may appear on more than one "print this file" command in the
195 *	control file.  Note that ALL ids with lowercase letters are expected
196 *	to be actions to "print this file":
197 *
198 *	  c   - "file name", cifplot file to print.  This action appears
199 *		when the user has requested 'lpr -c'.
200 *	  d   - "file name", dvi file to print, user requested 'lpr -d'
201 *	  f   - "file name", a plain-text file to print = "standard"
202 *	  g   - "file name", plot(1G) file to print, ie 'lpr -g'
203 *	  l   - "file name", text file with control chars which should
204 *		be printed literally, ie 'lpr -l'  (note: some printers
205 *		take this id as a request to print a postscript file,
206 *		and because of *that* some OS's use 'l' to indicate
207 *		that a datafile is a postscript file)
208 *	  n   - "file name", ditroff(1) file to print, ie 'lpr -n'
209 *	  o   - "file name", a postscript file to print.  This id is
210 *		described in the original RFC, but not much has been
211 *		done with it.  This 'lpr' does not generate control
212 *		lines with 'o'-actions, but lpd's printjob processing
213 *		will treat it the same as 'l'.
214 *	  p   - "file name", text file to print with pr(1), ie 'lpr -p'
215 *	  t   - "file name", troff(1) file to print, ie 'lpr -t'
216 *	  v   - "file name", plain raster file to print
217 *
218 *	  U   - "file name" of datafile to unlink (ie, remove file
219 *		from spool directory.  To be done in a 'Pass 2',
220 *		AFTER having processed all datafiles in the job).
221 *
222 */
223
224void
225ctl_freeinf(struct cjobinfo *cjinf)
226{
227#define FREESTR(xStr) \
228	if (xStr != NULL) { \
229		free(xStr); \
230		xStr = NULL;\
231	}
232
233	struct cjprivate *cpriv;
234
235	if (cjinf == NULL)
236		return;
237	cpriv = cjinf->cji_priv;
238	if ((cpriv == NULL) || (cpriv != cpriv->pub.cji_priv)) {
239		syslog(LOG_ERR, "in ctl_freeinf(%p): invalid cjinf (cpriv %p)",
240		    (void *)cjinf, (void *)cpriv);
241		return;
242	}
243
244	FREESTR(cpriv->pub.cji_accthost);
245	FREESTR(cpriv->pub.cji_acctuser);
246	FREESTR(cpriv->pub.cji_class);
247	FREESTR(cpriv->pub.cji_curqueue);
248	/* [cpriv->pub.cji_fname is part of cpriv-malloced area] */
249	FREESTR(cpriv->pub.cji_jobname);
250	FREESTR(cpriv->pub.cji_mailto);
251	FREESTR(cpriv->pub.cji_headruser);
252
253	if (cpriv->cji_fstream != NULL) {
254		fclose(cpriv->cji_fstream);
255		cpriv->cji_fstream = NULL;
256	}
257
258	cjinf->cji_priv = NULL;
259	free(cpriv);
260#undef FREESTR
261}
262
263#ifdef DEBUGREADCF_FNAME
264static FILE *ctl_dbgfile = NULL;
265static struct stat ctl_dbgstat;
266#endif
267static int ctl_dbgline = 0;
268
269struct cjobinfo *
270ctl_readcf(const char *ptrname, const char *cfname)
271{
272	int id;
273	char *lbuff;
274	void *cstart;
275	FILE *cfile;
276	struct cjprivate *cpriv;
277	struct cjobinfo *cjinf;
278	size_t msize, sroom, sroom2;
279
280	cfile = fopen(cfname, "r");
281	if (cfile == NULL) {
282		syslog(LOG_ERR, "%s: ctl_readcf error fopen(%s): %s",
283		    ptrname, cfname, strerror(errno));
284		return NULL;
285	}
286
287	sroom = roundup(sizeof(struct cjprivate), 8);
288	sroom2 = sroom + strlen(cfname) + 1;
289	sroom2 = roundup(sroom2, 8);
290	msize = sroom2 + CTI_LINEMAX;
291	msize = roundup(msize, 8);
292	cstart = malloc(msize);
293	if (cstart == NULL)
294		return NULL;
295	memset(cstart, 0, msize);
296	cpriv = (struct cjprivate *)cstart;
297	cpriv->pub.cji_priv = cpriv;
298
299	cpriv->pub.cji_fname = (char *)cstart + sroom;
300	strcpy(cpriv->pub.cji_fname, cfname);
301	cpriv->cji_buff = (char *)cstart + sroom2;
302	cpriv->cji_buffsize = (int)(msize - sroom2);
303	cpriv->cji_eobuff = (char *)cstart + msize - 1;
304
305	cpriv->cji_fstream = cfile;
306	cpriv->pub.cji_curqueue = strdup(ptrname);
307
308	ctl_dbgline = 0;
309#ifdef DEBUGREADCF_FNAME
310	ctl_dbgfile = NULL;
311	id = stat(DEBUGREADCF_FNAME, &ctl_dbgstat);
312	if (id != -1) {
313		/* the file exists in this spool directory, write some simple
314		 * debugging info to it */
315		ctl_dbgfile = fopen(DEBUGREADCF_FNAME, "a");
316		if (ctl_dbgfile != NULL) {
317			fprintf(ctl_dbgfile, "%s: s=%p r=%ld e=%p %p->%s\n",
318			    ptrname, (void *)cpriv, (long)sroom,
319			    cpriv->cji_eobuff, cpriv->pub.cji_fname,
320			    cpriv->pub.cji_fname);
321		}
322	}
323#endif
324	/*
325	 * Copy job-attribute values from control file to the struct of
326	 * "public" information.  In some cases, it is invalid for the
327	 * value to be a null-string, so that is ignored.
328	 */
329	cjinf = &(cpriv->pub);
330	lbuff = ctl_getline(cjinf);
331	while (lbuff != NULL) {
332		id = *lbuff++;
333		switch (id) {
334		case 'C':
335			cpriv->pub.cji_class = strdup(lbuff);
336			break;
337		case 'H':
338			if (*lbuff == '\0')
339				break;
340			cpriv->pub.cji_accthost = strdup(lbuff);
341			break;
342		case 'J':
343			cpriv->pub.cji_jobname = strdup(lbuff);
344			break;
345		case 'L':
346			cpriv->pub.cji_headruser = strdup(lbuff);
347			break;
348		case 'M':
349			/*
350			 * No valid mail-to address would start with a minus.
351			 * If this one does, it is probably some trickster who
352			 * is trying to trigger options on sendmail.  Ignore.
353			 */
354			if (*lbuff == '-')
355				break;
356			if (*lbuff == '\0')
357				break;
358			cpriv->pub.cji_mailto = strdup(lbuff);
359			break;
360		case 'P':
361			if (*lbuff == '\0')
362				break;
363			/* The userid must not start with a minus sign */
364			if (*lbuff == '-')
365				*lbuff = '_';
366			cpriv->pub.cji_acctuser = strdup(lbuff);
367			break;
368		default:
369			if (islower(id)) {
370				cpriv->pub.cji_dfcount++;
371			}
372			break;
373		}
374		lbuff = ctl_getline(cjinf);
375	}
376
377	/* the 'H'ost and 'P'erson fields are *always* supposed to be there */
378	if (cpriv->pub.cji_accthost == NULL)
379		cpriv->pub.cji_accthost = strdup(".na.");
380	if (cpriv->pub.cji_acctuser == NULL)
381		cpriv->pub.cji_acctuser = strdup(".na.");
382
383#ifdef DEBUGREADCF_FNAME
384	if (ctl_dbgfile != NULL) {
385		if (cpriv->cji_dumpit)
386			ctl_dumpcji(ctl_dbgfile, "end readcf", &(cpriv->pub));
387		fclose(ctl_dbgfile);
388		ctl_dbgfile = NULL;
389	}
390#endif
391	return &(cpriv->pub);
392}
393
394/*
395 * This routine renames the temporary control file as received from some
396 * other (remote) host.  That file will almost always with `tfA*', because
397 * recvjob.c creates the file by changing `c' to `t' in the original name
398 * for the control file.  Now if you read the RFC, you would think that all
399 * control filenames start with `cfA*'.  However, it seems there are some
400 * implementations which send control filenames which start with `cf'
401 * followed by *any* letter, so this routine can not assume what the third
402 * letter will (or will not) be.  Sigh.
403 *
404 * So this will rewrite the temporary file to `rf*' (correcting any lines
405 * which need correcting), rename that `rf*' file to `cf*', and then remove
406 * the original `tf*' temporary file.
407 *
408 * The *main* purpose of this routine is to be paranoid about the contents
409 * of that control file.  It is partially meant to protect against people
410 * TRYING to cause trouble (perhaps after breaking into root of some host
411 * that this host will accept print jobs from).  The fact that we're willing
412 * to print jobs from some remote host does not mean that we should blindly
413 * do anything that host tells us to do.
414 *
415 * This is also meant to protect us from errors in other implementations of
416 * lpr, particularly since we may want to use some values from the control
417 * file as environment variables when it comes time to print, or as parameters
418 * to commands which will be exec'ed, or values in statistics records.
419 *
420 * This may also do some "conversions" between how different versions of
421 * lpr or lprNG define the contents of various lines in a control file.
422 *
423 * If there is an error, it returns a pointer to a descriptive error message.
424 * Error messages which are RETURNED (as opposed to syslog-ed) do not include
425 * the printer-queue name.  Let the caller add that if it is wanted.
426 */
427char *
428ctl_renametf(const char *ptrname, const char *tfname)
429{
430	int chk3rd, has_uc, newfd, nogood, res;
431	FILE *newcf;
432	struct cjobinfo *cjinf;
433	char *lbuff, *slash, *cp;
434	char tfname2[NAME_MAX+1], cfname2[NAME_MAX+1];
435	char errm[CTI_LINEMAX];
436
437#ifdef TRIGGERTEST_FNAME
438	struct stat tstat;
439	res = stat(TRIGGERTEST_FNAME, &tstat);
440	if (res == -1) {
441		/*
442		 * if the trigger file does NOT exist in this spool directory,
443		 * then do the exact same steps that the pre-ctlinfo code had
444		 * been doing.  Ie, very little.
445		 */
446		strlcpy(cfname2, tfname, sizeof(cfname2));
447		cfname2[0] = 'c';
448		res = link(tfname, cfname2);
449		if (res < 0) {
450			snprintf(errm, sizeof(errm),
451			    "ctl_renametf error link(%s,%s): %s", tfname,
452			    cfname2, strerror(errno));
453			return strdup(errm);
454		}
455		unlink(tfname);
456		return NULL;
457	}
458#endif
459	cjinf = NULL;		/* in case of early jump to error_ret */
460	newcf = NULL;		/* in case of early jump to error_ret */
461	*errm = '\0';		/* in case of early jump to error_ret */
462
463	chk3rd = tfname[2];
464	if ((tfname[0] != 't') || (tfname[1] != 'f') || (!isalpha(chk3rd))) {
465		snprintf(errm, sizeof(errm),
466		    "ctl_renametf invalid filename: %s", tfname);
467		goto error_ret;
468	}
469
470	cjinf = ctl_readcf(ptrname, tfname);
471	if (cjinf == NULL) {
472		snprintf(errm, sizeof(errm),
473		    "ctl_renametf error cti_readcf(%s)", tfname);
474		goto error_ret;
475	}
476
477	/*
478	 * This uses open+fdopen instead of fopen because that combination
479	 * gives us greater control over file-creation issues.
480	 */
481	strlcpy(tfname2, tfname, sizeof(tfname2));
482	tfname2[0] = 'r';		/* rf<letter><job><hostname> */
483	newfd = open(tfname2, O_WRONLY|O_CREAT|O_TRUNC, 0660);
484	if (newfd == -1) {
485		snprintf(errm, sizeof(errm),
486		    "ctl_renametf error open(%s): %s", tfname2,
487		    strerror(errno));
488		goto error_ret;
489	}
490	newcf = fdopen(newfd, "w");
491	if (newcf == NULL) {
492		close(newfd);
493		snprintf(errm, sizeof(errm),
494		    "ctl_renametf error fopen(%s): %s", tfname2,
495		    strerror(errno));
496		goto error_ret;
497	}
498
499	/*
500	 * Do extra sanity checks on some key job-attribute fields, and
501	 * write them out first (thus making sure they are written in the
502	 * order we generally expect them to be in).
503	 */
504	/*
505	 * Some lpr implementations on PC's set a null-string for their
506	 * hostname.  A MacOS 10 system which has not correctly setup
507	 * /etc/hostconfig will claim a hostname of 'localhost'.  Anything
508	 * with blanks in it would be an invalid value for hostname.  For
509	 * any of these invalid hostname values, replace the given value
510	 * with the name of the host that this job is coming from.
511	 */
512	nogood = 0;
513	if (cjinf->cji_accthost == NULL)
514		nogood = 1;
515	else if (strcmp(cjinf->cji_accthost, ".na.") == 0)
516		nogood = 1;
517	else if (strcmp(cjinf->cji_accthost, "localhost") == 0)
518		nogood = 1;
519	else {
520		for (cp = cjinf->cji_accthost; *cp != '\0'; cp++) {
521			if (*cp <= ' ') {
522				nogood = 1;
523				break;
524			}
525		}
526	}
527	if (nogood)
528		fprintf(newcf, "H%s\n", from_host);
529	else
530		fprintf(newcf, "H%s\n", cjinf->cji_accthost);
531
532	/*
533	 * Now do some sanity checks on the 'P' (original userid) value.  Note
534	 * that the 'P'erson line is the second line which is ALWAYS supposed
535	 * to be present in a control file.
536	 *
537	 * There is no particularly good value to use for replacements, but
538	 * at least make sure the value is something reasonable to use in
539	 * environment variables and statistics records.  Again, some PC
540	 * implementations send a null-string for a value.  Various Mac
541	 * implementations will set whatever string the user has set for
542	 * their 'Owner Name', which usually includes blanks, etc.
543	 */
544	nogood = 0;
545	if (cjinf->cji_acctuser == NULL)
546		nogood = 1;
547	else if (strcmp(cjinf->cji_acctuser, ".na.") == 0)
548		;			/* No further checks needed... */
549	else {
550		has_uc = 0;
551		cp = cjinf->cji_acctuser;
552		if (*cp == '-')
553			*cp++ = '_';
554		for (; *cp != '\0'; cp++) {
555			if (islowerch(*cp) || isdigitch(*cp))
556				continue;	/* Standard valid characters */
557			if (strchr(OTHER_USERID_CHARS, *cp) != NULL)
558				continue;	/* Some more valid characters */
559			if (isupperch(*cp)) {
560				has_uc = 1;	/* These may be valid... */
561				continue;
562			}
563			*cp = '_';
564		}
565		/*
566		 * Some Windows hosts send print jobs where the correct userid
567		 * has been converted to uppercase, and that can cause trouble
568		 * for sites that expect the correct value (for something like
569		 * accounting).  On the other hand, some sites do use uppercase
570		 * in their userids, so we can't blindly convert to lowercase.
571		 */
572		if (has_uc && (getpwnam(cjinf->cji_acctuser) == NULL)) {
573			for (cp = cjinf->cji_acctuser; *cp != '\0'; cp++) {
574				if (isupperch(*cp))
575					*cp = tolowerch(*cp);
576			}
577		}
578	}
579	if (nogood)
580		fprintf(newcf, "P%s\n", ".na.");
581	else
582		fprintf(newcf, "P%s\n", cjinf->cji_acctuser);
583
584	/* No need for sanity checks on class, jobname, "literal" user. */
585	if (cjinf->cji_class != NULL)
586		fprintf(newcf, "C%s\n", cjinf->cji_class);
587	if (cjinf->cji_jobname != NULL)
588		fprintf(newcf, "J%s\n", cjinf->cji_jobname);
589	if (cjinf->cji_headruser != NULL)
590		fprintf(newcf, "L%s\n", cjinf->cji_headruser);
591
592	/*
593	 * This should probably add more sanity checks on mailto value.
594	 * Note that if the mailto value is "wrong", then there's no good
595	 * way to know what the "correct" value would be, and we should not
596	 * semd email to some random address.  At least for now, just ignore
597	 * any invalid values.
598	 */
599	nogood = 0;
600	if (cjinf->cji_mailto == NULL)
601		nogood = 1;
602	else {
603		for (cp = cjinf->cji_mailto; *cp != '\0'; cp++) {
604			if (*cp <= ' ') {
605				nogood = 1;
606				break;
607			}
608		}
609	}
610	if (!nogood)
611		fprintf(newcf, "M%s\n", cjinf->cji_mailto);
612
613	/*
614	 * Now go thru the old control file, copying all information which
615	 * hasn't already been written into the new file.
616	 */
617	ctl_rewindcf(cjinf);
618	lbuff = ctl_getline(cjinf);
619	while (lbuff != NULL) {
620		switch (lbuff[0]) {
621		case 'H':
622		case 'P':
623		case 'C':
624		case 'J':
625		case 'L':
626		case 'M':
627			/* already wrote values for these to the newcf */
628			break;
629		case 'N':
630			/* see comments under 'U'... */
631			if (cjinf->cji_dfcount == 0) {
632				/* in this case, 'N's will be done in 'U' */
633				break;
634			}
635			fprintf(newcf, "%s\n", lbuff);
636			break;
637		case 'U':
638			/*
639			 * check for the very common case where the remote
640			 * host had to process 'lpr -s -r', but it did not
641			 * remove the Unlink line from the control file.
642			 * Such Unlink lines will legitimately have a '/' in
643			 * them, but it is the original lpr host which would
644			 * have done the unlink of such files, and not any
645			 * host receiving that job.
646			 */
647			slash = strchr(lbuff, '/');
648			if (slash != NULL) {
649				break;		/* skip this line */
650			}
651			/*
652			 * Okay, another kind of broken lpr implementation
653			 * is one which send datafiles, and Unlink's those
654			 * datafiles, but never includes any PRINT request
655			 * for those files.  Experimentation shows that one
656			 * copy of those datafiles should be printed with a
657			 * format of 'f'.  If this is an example of such a
658			 * screwed-up control file, fix it here.
659			 */
660			if (cjinf->cji_dfcount == 0) {
661				lbuff++;
662				if (strncmp(lbuff, "df", (size_t)2) == 0) {
663					fprintf(newcf, "f%s\n", lbuff);
664					fprintf(newcf, "U%s\n", lbuff);
665					fprintf(newcf, "N%s\n", lbuff);
666				}
667				break;
668			}
669			fprintf(newcf, "%s\n", lbuff);
670			break;
671		default:
672			fprintf(newcf, "%s\n", lbuff);
673			break;
674		}
675		lbuff = ctl_getline(cjinf);
676	}
677
678	ctl_freeinf(cjinf);
679	cjinf = NULL;
680
681	res = fclose(newcf);
682	newcf = NULL;
683	if (res != 0) {
684		snprintf(errm, sizeof(errm),
685		    "ctl_renametf error fclose(%s): %s", tfname2,
686		    strerror(errno));
687		goto error_ret;
688	}
689
690	strlcpy(cfname2, tfname, sizeof(cfname2));
691	cfname2[0] = 'c';		/* rename new file to 'cfA*' */
692	res = link(tfname2, cfname2);
693	if (res != 0) {
694		snprintf(errm, sizeof(errm),
695		    "ctl_renametf error link(%s,%s): %s", tfname2, cfname2,
696		    strerror(errno));
697		goto error_ret;
698	}
699
700	/* All the important work is done.  Now just remove temp files */
701#ifdef LEAVE_TMPCF_FILES
702	{
703		struct stat tfstat;
704		size_t size1;
705		tfstat.st_size = 1;	/* certainly invalid value */
706		res = stat(tfname, &tfstat);
707		size1 = tfstat.st_size;
708		tfstat.st_size = 2;	/* certainly invalid value */
709		res = stat(tfname2, &tfstat);
710		/*
711		 * If the sizes do not match, or either stat call failed,
712		 * then do not remove the temp files, but just move them
713		 * out of the way.  This is so I can see what this routine
714		 * had changed (and the files won't interfere with some
715		 * later job coming in from the same host).  In this case,
716		 * we don't care if we clobber some previous file.
717		 */
718		if (size1 != tfstat.st_size) {
719			strlcpy(cfname2, tfname, sizeof(cfname2));
720			strlcat(cfname2, "._T", sizeof(cfname2));
721			rename(tfname, cfname2);
722			strlcpy(cfname2, tfname2, sizeof(cfname2));
723			strlcat(cfname2, "._T", sizeof(cfname2));
724			rename(tfname2, cfname2);
725			return NULL;
726		}
727	}
728#endif
729	unlink(tfname);
730	unlink(tfname2);
731
732	return NULL;
733
734error_ret:
735	if (cjinf != NULL)
736		ctl_freeinf(cjinf);
737	if (newcf != NULL)
738		fclose(newcf);
739
740	if (*errm != '\0')
741		return strdup(errm);
742	return strdup("ctl_renametf internal (missed) error");
743}
744
745void
746ctl_rewindcf(struct cjobinfo *cjinf)
747{
748	struct cjprivate *cpriv;
749
750	if (cjinf == NULL)
751		return;
752	cpriv = cjinf->cji_priv;
753	if ((cpriv == NULL) || (cpriv != cpriv->pub.cji_priv)) {
754		syslog(LOG_ERR, "in ctl_rewindcf(%p): invalid cjinf (cpriv %p)",
755		    (void *)cjinf, (void *)cpriv);
756		return;
757	}
758
759	rewind(cpriv->cji_fstream);		/* assume no errors... :-) */
760}
761
762char *
763ctl_rmjob(const char *ptrname, const char *cfname)
764{
765	struct cjobinfo	*cjinf;
766	char *lbuff;
767	char errm[CTI_LINEMAX];
768
769	cjinf = ctl_readcf(ptrname, cfname);
770	if (cjinf == NULL) {
771		snprintf(errm, sizeof(errm),
772		    "ctl_renametf error cti_readcf(%s)", cfname);
773		return strdup(errm);
774	}
775
776	ctl_rewindcf(cjinf);
777	lbuff = ctl_getline(cjinf);
778	while (lbuff != NULL) {
779		/* obviously we need to fill in the following... */
780		switch (lbuff[0]) {
781		case 'S':
782			break;
783		case 'U':
784			break;
785		default:
786			break;
787		}
788		lbuff = ctl_getline(cjinf);
789	}
790
791	ctl_freeinf(cjinf);
792	cjinf = NULL;
793
794	return NULL;
795}
796
797/*
798 * The following routine was originally written to pin down a bug.  It is
799 * no longer needed for that problem, but may be useful to keep around for
800 * other debugging.
801 */
802void
803ctl_dumpcji(FILE *dbg_stream, const char *heading, struct cjobinfo *cjinf)
804{
805#define PRINTSTR(xHdr,xStr) \
806	astr = xStr; \
807	ctl_dbgline++; \
808	fprintf(dbg_stream, "%4d] %12s = ", ctl_dbgline, xHdr); \
809	if (astr == NULL) \
810		fprintf(dbg_stream, "NULL\n"); \
811	else \
812		fprintf(dbg_stream, "%p -> %s\n", astr, astr)
813
814	struct cjprivate *cpriv;
815	char *astr;
816
817	if (cjinf == NULL) {
818		fprintf(dbg_stream,
819		    "ctl_dumpcji: ptr to cjobinfo for '%s' is NULL\n",
820		    heading);
821		return;
822	}
823	cpriv = cjinf->cji_priv;
824
825	fprintf(dbg_stream, "ctl_dumpcji: Dump '%s' of cjobinfo at %p->%p\n",
826	    heading, (void *)cjinf, cpriv->cji_buff);
827
828	PRINTSTR("accthost.H", cpriv->pub.cji_accthost);
829	PRINTSTR("acctuser.P", cpriv->pub.cji_acctuser);
830	PRINTSTR("class.C", cpriv->pub.cji_class);
831	PRINTSTR("cf-qname", cpriv->pub.cji_curqueue);
832	PRINTSTR("cf-fname", cpriv->pub.cji_fname);
833	PRINTSTR("jobname.J", cpriv->pub.cji_jobname);
834	PRINTSTR("mailto.M", cpriv->pub.cji_mailto);
835	PRINTSTR("headruser.L", cpriv->pub.cji_headruser);
836
837	ctl_dbgline++;
838	fprintf(dbg_stream, "%4d] %12s = ", ctl_dbgline, "*cjprivate");
839	if (cpriv->pub.cji_priv == NULL)
840		fprintf(dbg_stream, "NULL !!\n");
841	else
842		fprintf(dbg_stream, "%p\n", (void *)cpriv->pub.cji_priv);
843
844	fprintf(dbg_stream, "|- - - - --> Dump '%s' complete\n", heading);
845
846	/* flush output for the benefit of anyone doing a 'tail -f' */
847	fflush(dbg_stream);
848
849#undef PRINTSTR
850}
851
852/*
853 * This routine reads in the next line from the control-file, and removes
854 * the trailing newline character.
855 *
856 * Historical note: Earlier versions of this routine did tab-expansion for
857 * ALL lines read in, which did not make any sense for most of the lines
858 * in a control file.  For the lines where tab-expansion is useful, it will
859 * now have to be done by the calling routine.
860 */
861static char *
862ctl_getline(struct cjobinfo *cjinf)
863{
864	char *strp, *nl;
865	struct cjprivate *cpriv;
866
867	if (cjinf == NULL)
868		return NULL;
869	cpriv = cjinf->cji_priv;
870	if ((cpriv == NULL) || (cpriv != cpriv->pub.cji_priv)) {
871		syslog(LOG_ERR, "in ctl_getline(%p): invalid cjinf (cpriv %p)",
872		    (void *)cjinf, (void *)cpriv);
873		return NULL;
874	}
875
876	errno = 0;
877	strp = fgets(cpriv->cji_buff, cpriv->cji_buffsize, cpriv->cji_fstream);
878	if (strp == NULL) {
879		if (errno != 0)
880			syslog(LOG_ERR, "%s: ctl_getline error fgets(%s): %s",
881			    cpriv->pub.cji_curqueue, cpriv->pub.cji_fname,
882			    strerror(errno));
883		return NULL;
884	}
885	nl = strchr(strp, '\n');
886	if (nl != NULL)
887		*nl = '\0';
888
889#ifdef DEBUGREADCF_FNAME
890	/* I'd like to find out if the previous work to expand tabs was ever
891	 * really used, and if so, on what lines and for what reason.
892	 * Yes, all this work probably means I'm obsessed about this 'tab'
893	 * issue, but isn't programming a matter of obsession?
894	 */
895	{
896		int tabcnt;
897		char *ch;
898
899		tabcnt = 0;
900		ch = strp;
901		for (ch = strp; *ch != '\0'; ch++) {
902			if (*ch == '\t')
903				tabcnt++;
904		}
905
906		if (tabcnt && (ctl_dbgfile != NULL)) {
907			cpriv->cji_dumpit++;
908			fprintf(ctl_dbgfile, "%s: tabs=%d '%s'\n",
909			    cpriv->pub.cji_fname, tabcnt, cpriv->cji_buff);
910		}
911	}
912#endif
913	return strp;
914}
915