xdg-thumbnail 0.1.0

Freedesktop thumbnail cache primitives
// SPDX-FileCopyrightText: 2026 KIM Hyunjae
// SPDX-License-Identifier: MPL-2.0

use std::fmt;
use std::os::unix::ffi::OsStrExt;
use std::path::Path;
use std::str::FromStr;

use crate::{Result, ThumbnailError};

/// A canonical absolute URI identity for entries in the personal thumbnail cache.
///
/// The field is private, so a value only ever comes out of the validating constructors in this
/// module; every one of them either percent-encodes raw bytes or rejects non-ASCII input, so the
/// stored text is always ASCII and percent-encoded.
#[derive(Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
pub struct PersonalOriginalUri {
    // Canonical identity text, e.g. `file:///...`; its MD5 names the thumbnail file.
    value: String,
}

impl PersonalOriginalUri {
    /// Builds the canonical `file:///` identity for an absolute local path.
    ///
    /// The path's raw Unix bytes are used exactly as given: there is no shell expansion, no
    /// symlink resolution and no `.`/`..` normalization, only byte-level percent-encoding. Callers
    /// that need a canonical filesystem location must resolve the path before calling this.
    ///
    /// # Errors
    ///
    /// Fails when the path is not absolute or contains a NUL byte.
    pub fn from_absolute_path(path: impl AsRef<Path>) -> Result<Self> {
        let raw = path.as_ref().as_os_str().as_bytes();
        Self::from_absolute_path_bytes(raw)
    }

    /// Builds the canonical `file:///` identity from raw absolute Unix path bytes.
    ///
    /// Low-level entry point for callers that already hold raw path bytes; prefer
    /// [`Self::from_absolute_path`] otherwise.
    ///
    /// # Errors
    ///
    /// Fails when the bytes do not start with `/` or contain NUL.
    pub fn from_absolute_path_bytes(path: &[u8]) -> Result<Self> {
        if path.first() != Some(&b'/') {
            return Err(ThumbnailError::invalid_uri("local path must be absolute"));
        }
        // NUL can never be part of a Unix path, so it is rejected rather than encoded.
        if path.iter().any(|&byte| byte == 0) {
            return Err(ThumbnailError::invalid_uri(
                "local path must not contain NUL",
            ));
        }

        let encoded = encode_uri_path_bytes(path, true);
        Ok(Self {
            value: format!("file://{encoded}"),
        })
    }

    /// Parses textual `file:` URI input and re-emits it in canonical form.
    ///
    /// Scheme and `localhost` authority are matched case-insensitively; the path is validated
    /// as percent-encoded text, decoded to bytes and then re-encoded through
    /// [`Self::from_absolute_path_bytes`], so escape casing and the authority spelling are
    /// normalized away. A `file://host/...` URI with any other authority is rejected instead of
    /// being silently treated as local.
    ///
    /// # Errors
    ///
    /// Fails when the input is not ASCII, does not use the `file` scheme, has a non-local
    /// authority, has a relative path, contains bytes that must be percent-encoded, has a
    /// malformed escape, or decodes to a path that [`Self::from_absolute_path_bytes`] rejects.
    pub fn from_local_file_uri(uri: &str) -> Result<Self> {
        validate_ascii_uri_identity(uri)?;
        let Some((scheme, rest)) = uri.split_once(':') else {
            return Err(ThumbnailError::invalid_uri("local URI must use the file scheme"));
        };
        // Scheme syntax is checked before the scheme name so that e.g. an empty scheme
        // reports the more specific error.
        validate_scheme(scheme)?;
        if !scheme.eq_ignore_ascii_case("file") {
            return Err(ThumbnailError::invalid_uri(
                "local URI must use the file scheme",
            ));
        }

        let path = match rest.strip_prefix("//") {
            Some(after_slashes) => {
                let Some((authority, tail)) = after_slashes.split_once('/') else {
                    return Err(ThumbnailError::invalid_uri("file URI path must be absolute"));
                };
                let is_local = authority.is_empty() || authority.eq_ignore_ascii_case("localhost");
                if !is_local {
                    return Err(ThumbnailError::invalid_uri(
                        "file URI authority is not directly local",
                    ));
                }
                format!("/{tail}")
            }
            None if rest.starts_with('/') => rest.to_owned(),
            None => {
                return Err(ThumbnailError::invalid_uri(
                    "file URI path must be absolute",
                ));
            }
        };
        // Both arms above produce a leading slash; this guard keeps the invariant explicit.
        if !path.starts_with('/') {
            return Err(ThumbnailError::invalid_uri(
                "file URI path must be absolute",
            ));
        }
        validate_uri_path_text(path.as_bytes(), true)?;
        let decoded = percent_decode_bytes(path.as_bytes())?;
        Self::from_absolute_path_bytes(&decoded)
    }

    /// Accepts a caller-chosen absolute, non-`file` URI identity and stores it verbatim.
    ///
    /// Only the properties needed for a thumbnail identity are checked (ASCII, no control
    /// characters or spaces, a syntactically valid scheme, well-formed percent escapes); this is
    /// not a full RFC 3986 parser and performs no scheme-specific normalization.
    ///
    /// # Errors
    ///
    /// Fails when the text is not a valid absolute identity or uses the `file` scheme.
    pub fn from_non_file_uri(uri: &str) -> Result<Self> {
        let scheme = validate_absolute_uri_identity(uri)?;
        if scheme.eq_ignore_ascii_case("file") {
            return Err(ThumbnailError::invalid_uri(
                "non-file URI identity must not use the file scheme",
            ));
        }

        let value = uri.to_owned();
        Ok(Self { value })
    }

    /// Crate-internal constructor for text that has already been validated by the same rules as
    /// [`Self::from_non_file_uri`], minus the `file` scheme exclusion.
    pub(crate) fn from_validated_absolute_uri(uri: &str) -> Result<Self> {
        validate_absolute_uri_identity(uri).map(|_scheme| Self {
            value: uri.to_owned(),
        })
    }

    /// Returns the canonical URI identity text.
    #[must_use]
    pub fn as_str(&self) -> &str {
        self.value.as_str()
    }

    /// Returns the Freedesktop thumbnail filename (`<md5 of uri>.png`) for this identity.
    ///
    /// MD5 is used here only because the thumbnail specification names files that way; it is a
    /// cache key, not an integrity or authentication mechanism.
    #[must_use]
    pub fn thumbnail_file_name(&self) -> String {
        let stem = md5_stem(self.value.as_bytes());
        format!("{stem}.png")
    }
}

impl fmt::Display for PersonalOriginalUri {
    /// Writes the canonical URI text unchanged.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(self.as_str())
    }
}

impl AsRef<str> for PersonalOriginalUri {
    /// Borrows the canonical URI text.
    fn as_ref(&self) -> &str {
        &self.value
    }
}

/// A canonical `./`-prefixed URI identity for direct children in shared repositories.
///
/// The field is private, so a value only ever comes out of the validating constructors in this
/// module, which guarantee exactly one non-empty, non-`.`/`..` path segment after `./`.
#[derive(Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
pub struct SharedRelativeOriginalUri {
    // Canonical identity text, e.g. `./name%20with%20spaces`; its MD5 names the thumbnail file.
    value: String,
}

impl SharedRelativeOriginalUri {
    /// Builds the shared identity for one raw direct-child filename.
    ///
    /// `/` is never treated as safe here, so a slash in `name` is rejected up front rather than
    /// encoded into what would look like a single segment.
    ///
    /// # Errors
    ///
    /// Fails when the name is empty, is `.` or `..`, or contains `/` or NUL.
    pub fn from_raw_child_name(name: &[u8]) -> Result<Self> {
        validate_raw_shared_child_name(name)?;

        let encoded = encode_uri_path_bytes(name, false);
        Ok(Self {
            value: format!("./{encoded}"),
        })
    }

    /// Parses textual `./` shared URI input.
    ///
    /// Literal `/` is rejected before decoding, and a `%2F` escape decodes to `/` which
    /// [`Self::from_raw_child_name`] then rejects, so an encoded separator cannot smuggle a
    /// second path segment through.
    ///
    /// # Errors
    ///
    /// Fails when the text is not ASCII `./` followed by exactly one direct child filename,
    /// contains a malformed escape or an unescaped byte that must be encoded, or decodes to a
    /// name that [`Self::from_raw_child_name`] rejects.
    pub fn parse(uri: &str) -> Result<Self> {
        validate_ascii_uri_identity(uri)?;
        let Some(encoded) = uri.strip_prefix("./") else {
            return Err(ThumbnailError::invalid_uri("shared URI must start with ./"));
        };
        match encoded {
            "" => {
                return Err(ThumbnailError::invalid_uri(
                    "shared URI child name must not be empty",
                ));
            }
            segment if segment.contains('/') => {
                return Err(ThumbnailError::invalid_uri(
                    "shared URI must name one direct child",
                ));
            }
            _ => {}
        }
        validate_uri_path_text(encoded.as_bytes(), false)?;
        let raw_name = percent_decode_bytes(encoded.as_bytes())?;
        Self::from_raw_child_name(&raw_name)
    }

    /// Returns the canonical shared relative URI identity text.
    #[must_use]
    pub fn as_str(&self) -> &str {
        self.value.as_str()
    }

    /// Returns the Freedesktop thumbnail filename (`<md5 of uri>.png`) for this identity.
    ///
    /// MD5 is the specification's naming convention and serves as a cache key only.
    #[must_use]
    pub fn thumbnail_file_name(&self) -> String {
        let stem = md5_stem(self.value.as_bytes());
        format!("{stem}.png")
    }
}

impl fmt::Display for SharedRelativeOriginalUri {
    /// Writes the canonical `./` URI text unchanged.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.value)
    }
}

impl AsRef<str> for SharedRelativeOriginalUri {
    /// Borrows the canonical `./` URI text.
    fn as_ref(&self) -> &str {
        &self.value
    }
}

impl FromStr for SharedRelativeOriginalUri {
    type Err = ThumbnailError;

    /// Delegates to [`SharedRelativeOriginalUri::parse`] so `"./name".parse()` works.
    fn from_str(text: &str) -> Result<Self> {
        SharedRelativeOriginalUri::parse(text)
    }
}

/// Lower-case hex MD5 of `input`, the filename stem prescribed by the thumbnail specification.
fn md5_stem(input: &[u8]) -> String {
    let digest = md5::compute(input);
    format!("{digest:x}")
}

/// Checks that `uri` is usable as an absolute thumbnail identity and returns its scheme.
///
/// Verifies ASCII-only text without controls or spaces, the presence and syntax of a scheme,
/// and well-formed percent escapes throughout. Nothing after the scheme is interpreted.
///
/// # Errors
///
/// Fails on empty or non-ASCII text, a missing `:`, an invalid scheme, or a malformed escape.
pub(crate) fn validate_absolute_uri_identity(uri: &str) -> Result<&str> {
    validate_ascii_uri_identity(uri)?;
    let Some((scheme, _after_scheme)) = uri.split_once(':') else {
        return Err(ThumbnailError::invalid_uri("URI must be absolute"));
    };
    validate_scheme(scheme)?;
    validate_percent_escapes(uri.as_bytes())?;
    Ok(scheme)
}

/// Checks that `name` is exactly one usable path segment.
///
/// # Errors
///
/// Fails when the name is empty, is `.` or `..`, or contains `/` or NUL.
fn validate_raw_shared_child_name(name: &[u8]) -> Result<()> {
    if name.is_empty() {
        return Err(ThumbnailError::invalid_uri(
            "shared child name must not be empty",
        ));
    }
    if matches!(name, b"." | b"..") {
        return Err(ThumbnailError::invalid_uri(
            "shared child name must not be . or ..",
        ));
    }
    let crosses_segment = name.iter().any(|&byte| byte == b'/' || byte == 0);
    if crosses_segment {
        return Err(ThumbnailError::invalid_uri(
            "shared child name must be one path segment",
        ));
    }
    Ok(())
}

/// Checks URI scheme syntax: a leading ASCII letter followed by letters, digits, `+`, `-` or `.`.
///
/// # Errors
///
/// Fails on an empty scheme, a non-letter first byte, or any other disallowed byte.
fn validate_scheme(scheme: &str) -> Result<()> {
    let Some((&first, tail)) = scheme.as_bytes().split_first() else {
        return Err(ThumbnailError::invalid_uri("URI scheme must not be empty"));
    };
    if !first.is_ascii_alphabetic() {
        return Err(ThumbnailError::invalid_uri(
            "URI scheme must start with an ASCII letter",
        ));
    }
    let tail_ok = tail
        .iter()
        .all(|&byte| byte.is_ascii_alphanumeric() || b"+-.".contains(&byte));
    if tail_ok {
        Ok(())
    } else {
        Err(ThumbnailError::invalid_uri(
            "URI scheme contains an invalid character",
        ))
    }
}

/// Checks the character-level rules shared by every identity: non-empty, ASCII only, and free
/// of control characters and spaces.
///
/// # Errors
///
/// Fails when any of those rules is violated.
fn validate_ascii_uri_identity(uri: &str) -> Result<()> {
    let bytes = uri.as_bytes();
    if bytes.is_empty() {
        return Err(ThumbnailError::invalid_uri("URI must not be empty"));
    }
    if bytes.iter().any(|byte| !byte.is_ascii()) {
        return Err(ThumbnailError::invalid_uri(
            "URI identity must be ASCII and percent-encoded",
        ));
    }
    let has_control_or_space = bytes
        .iter()
        .any(|&byte| byte == b' ' || byte.is_ascii_control());
    if has_control_or_space {
        return Err(ThumbnailError::invalid_uri(
            "URI identity must not contain control characters or spaces",
        ));
    }
    Ok(())
}

/// Checks that `input` is percent-encoded path text: every `%` is followed by two hex digits and
/// every other byte is one [`is_safe_path_byte`] accepts (`/` only when `allow_slash`).
///
/// # Errors
///
/// Fails on a truncated or non-hex escape, or on any unescaped byte that must be encoded.
fn validate_uri_path_text(input: &[u8], allow_slash: bool) -> Result<()> {
    let mut rest = input;
    while let Some((&byte, tail)) = rest.split_first() {
        if byte == b'%' {
            match tail {
                [high, low, ..] if high.is_ascii_hexdigit() && low.is_ascii_hexdigit() => {
                    rest = &tail[2..];
                }
                _ => {
                    return Err(ThumbnailError::invalid_uri(
                        "URI contains an invalid percent escape",
                    ));
                }
            }
        } else if is_safe_path_byte(byte, allow_slash) {
            rest = tail;
        } else {
            return Err(ThumbnailError::invalid_uri(
                "URI path contains an unescaped byte that must be percent-encoded",
            ));
        }
    }
    Ok(())
}

/// Checks that every `%` in `input` starts a complete `%XX` escape with two hex digits.
///
/// Bytes other than `%` are not inspected; see [`validate_uri_path_text`] for the stricter
/// path-only check.
///
/// # Errors
///
/// Fails on a truncated or non-hex escape.
fn validate_percent_escapes(input: &[u8]) -> Result<()> {
    let mut rest = input;
    while let Some(pos) = rest.iter().position(|&byte| byte == b'%') {
        let after = &rest[pos + 1..];
        match after {
            [high, low, ..] if high.is_ascii_hexdigit() && low.is_ascii_hexdigit() => {
                rest = &after[2..];
            }
            _ => {
                return Err(ThumbnailError::invalid_uri(
                    "URI contains an invalid percent escape",
                ));
            }
        }
    }
    Ok(())
}

/// Decodes `%XX` escapes in `input` to raw bytes, leaving all other bytes untouched.
///
/// Escapes are validated up front, so the per-escape digit lookups below cannot fail in
/// practice; they are still handled as errors rather than unwrapped.
///
/// # Errors
///
/// Fails on a truncated or non-hex escape.
fn percent_decode_bytes(input: &[u8]) -> Result<Vec<u8>> {
    validate_percent_escapes(input)?;
    let escape_error = || ThumbnailError::invalid_uri("URI contains an invalid percent escape");
    let mut decoded = Vec::with_capacity(input.len());
    let mut i = 0;
    while let Some(&byte) = input.get(i) {
        if byte == b'%' {
            let high = input.get(i + 1).copied().and_then(hex_value).ok_or_else(escape_error)?;
            let low = input.get(i + 2).copied().and_then(hex_value).ok_or_else(escape_error)?;
            decoded.push((high << 4) | low);
            i += 3;
        } else {
            decoded.push(byte);
            i += 1;
        }
    }
    Ok(decoded)
}

/// Maps one ASCII hex digit (either case) to its value 0..=15; any other byte yields `None`.
fn hex_value(byte: u8) -> Option<u8> {
    // `to_digit(16)` accepts exactly 0-9, a-f and A-F; the result is at most 15, so the
    // narrowing conversion cannot fail.
    char::from(byte)
        .to_digit(16)
        .and_then(|digit| u8::try_from(digit).ok())
}

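/// Percent-encodes raw path bytes for use in an identity string.
///
/// Bytes accepted by [`is_safe_path_byte`] (with `/` governed by `allow_slash`) are copied as
/// ASCII; every other byte, including `%` itself and all non-ASCII bytes, becomes an upper-case
/// `%XX` escape, so the output is always ASCII and the encoding is reversible.
///
/// The hex digits are emitted directly instead of through `format!`, which previously built and
/// freed a temporary `String` for every escaped byte.
fn encode_uri_path_bytes(bytes: &[u8], allow_slash: bool) -> String {
    const HEX_UPPER: &[u8; 16] = b"0123456789ABCDEF";
    let mut encoded = String::with_capacity(bytes.len());
    for &byte in bytes {
        if is_safe_path_byte(byte, allow_slash) {
            encoded.push(char::from(byte));
        } else {
            encoded.push('%');
            encoded.push(char::from(HEX_UPPER[usize::from(byte >> 4)]));
            encoded.push(char::from(HEX_UPPER[usize::from(byte & 0x0F)]));
        }
    }
    encoded
}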

/// Reports whether `byte` may appear unescaped in identity path text.
///
/// Accepts ASCII letters and digits, the RFC 3986 unreserved marks `-._~`, the sub-delimiters
/// `!$&'()*+,;=` plus `:` and `@`, and `/` only when `allow_slash` is set. `%`, `?`, `#`, space,
/// controls and every non-ASCII byte are never safe and must be percent-encoded.
fn is_safe_path_byte(byte: u8, allow_slash: bool) -> bool {
    const SAFE_MARKS: &[u8] = b"-._~!$&'()*+,;=:@";
    if byte == b'/' {
        return allow_slash;
    }
    byte.is_ascii_alphanumeric() || SAFE_MARKS.contains(&byte)
}