Import CUPS v2.0.1

[thirdparty/cups.git] / cups / http.c

diff --git a/cups/http.c b/cups/http.c
index b5cf4e167b8d3e1d0d0f252149a5a024035f86eb..23d56d2de08910858f4249d673a84df4b070a4cd 100644 (file)
--- a/cups/http.c
+++ b/cups/http.c
@@ -1,5 +1,5 @@
 /*
- * "$Id: http.c 12125 2014-08-28 15:49:29Z msweet $"
+ * "$Id: http.c 12230 2014-10-21 13:55:24Z msweet $"
  *
  * HTTP routines for CUPS.
  *
@@ -2702,6 +2702,19 @@ httpSetField(http_t       *http, /* I - HTTP connection */
         http->server = _cupsStrAlloc(value);
         break;
 
+    case HTTP_FIELD_WWW_AUTHENTICATE :
+       /* CUPS STR #4503 - don't override WWW-Authenticate for unknown auth schemes */
+        if (http->fields[HTTP_FIELD_WWW_AUTHENTICATE][0] &&
+           _cups_strncasecmp(value, "Basic ", 6) &&
+           _cups_strncasecmp(value, "Digest ", 7) &&
+           _cups_strncasecmp(value, "Negotiate ", 10))
+       {
+         DEBUG_printf(("1httpSetField: Ignoring unknown auth scheme in \"%s\".", value));
+          return;
+       }
+
+       /* Fall through to copy */
+
     default :
        strlcpy(http->fields[field], value, HTTP_MAX_VALUE);
        break;
@@ -3611,6 +3624,17 @@ httpWriteResponse(http_t        *http,   /* I - HTTP connection */
        return (-1);
       }
     }
+
+   /*
+    * "Click-jacking" defense (STR #4492)...
+    */
+
+    if (httpPrintf(http, "X-Frame-Options: DENY\r\n"
+                         "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1)
+    {
+      http->status = HTTP_STATUS_ERROR;
+      return (-1);
+    }
   }
 
   if (httpWrite2(http, "\r\n", 2) < 2)
@@ -4826,5 +4850,5 @@ http_write_chunk(http_t     *http,        /* I - HTTP connection */
 
 
 /*
- * End of "$Id: http.c 12125 2014-08-28 15:49:29Z msweet $".
+ * End of "$Id: http.c 12230 2014-10-21 13:55:24Z msweet $".
  */