From: Michael Sweet Date: Fri, 4 Aug 2017 16:52:43 +0000 (-0400) Subject: Add header validation option to ipptool. X-Git-Tag: v2.2.5~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=345e10ca719b6a5c460f3e760f31384770e066de;p=thirdparty%2Fcups.git Add header validation option to ipptool. Update HTML versions of man pages. --- diff --git a/CHANGES.md b/CHANGES.md index ad406c9c0..62a8b81a9 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -38,6 +38,7 @@ CHANGES IN CUPS V2.2.5 - CUPS now sends the `Date` HTTP header in IPP requests (rdar://33302034) - The `ippCopyAttribute` function did not copy out-of-band values correctly (rdar://33688003) +- The `ipptool` program now offers an option to validate response headers. CHANGES IN CUPS V2.2.4 diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html index 0fef0d479..b9791376f 100644 --- a/doc/help/man-client.conf.html +++ b/doc/help/man-client.conf.html @@ -40,13 +40,14 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n Note: This directive is not supported on macOS 10.7 or later.
ServerName hostname-or-ip-address[:port]/version=1.1
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. -
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyTLS1.0] +
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0]
SSLOptions None
Sets encryption options (only in /etc/cups/client.conf). By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. The AllowDH option enables cipher suites using plain Diffie-Hellman key negotiation. The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +The DenyCBC option disables all CBC cipher suites. The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
TrustOnFirstUse Yes
TrustOnFirstUse No diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html index 85e601edf..a2b95f983 100644 --- a/doc/help/man-cupsd.conf.html +++ b/doc/help/man-cupsd.conf.html @@ -310,12 +310,15 @@ The default is "Minimal".
SSLListen [ipv6-address]:port
SSLListen *:port
Listens on the specified address and port for encrypted connections. -
SSLOptions [AllowRC4] [AllowSSL3] +
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0]
SSLOptions None
Sets encryption options. By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +The AllowDH option enables cipher suites using plain Diffie-Hellman key negotiation. The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +The DenyCBC option disables all CBC cipher suites. +The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
SSLPort port
Listens on the specified port for encrypted connections.
StrictConformance Yes diff --git a/doc/help/man-ipptool.html b/doc/help/man-ipptool.html index ef95bfee4..ec40d1ad1 100644 --- a/doc/help/man-ipptool.html +++ b/doc/help/man-ipptool.html @@ -51,6 +51,8 @@ ipptool - perform internet printing protocol requests -f filename ] [ +-h +] [ -i seconds ] [ @@ -134,6 +136,8 @@ This option is incompatible with the -i (interval) and -n (repeat-
Defines the named variable.
-f filename
Defines the default request filename for tests. +
-h +
Validate HTTP response headers.
-i seconds
Specifies that the (last) testfile diff --git a/doc/help/man-ipptoolfile.html b/doc/help/man-ipptoolfile.html index 2921bea2d..c426af7d8 100644 --- a/doc/help/man-ipptoolfile.html +++ b/doc/help/man-ipptoolfile.html @@ -139,9 +139,11 @@ command-line. Support for content length requests is required for conformance wi

Test Directives

The following directives are understood within a test:
-
ATTR tag attribute-name value(s) +
ATTR out-of-band-tag attribute-name +
ATTR tag attribute-name value(s)
Adds an attribute to the test request. -Values are separated by the comma (",") character - escape commas using the "" character. +Out-of-band tags (admin-define, delete-attribute, no-value, not-settable, unknown, unsupported) have no value. +Values for other tags are separated by the comma (",") character - escape commas using the "" character. Common attributes and values are listed in the IANA IPP registry - see references below.
ATTR collection attribute-name { MEMBER tag member-name value(s) ... } [ ... ,{ ... } ]
Adds a collection attribute to the test request. @@ -303,7 +305,7 @@ Specifies the maximum number of times to repeat. The default value is 1000.
Specifies that the current test should be repeated when the response status-code matches or does not match the value specified by the STATUS directive.

Operation Codes

-Operation codes correspond to the hexadecimal numbers (0xHHHH) and names from RFC 2911 and other IPP extension specifications. Here is a complete list of names supported by +Operation codes correspond to the hexadecimal numbers (0xHHHH) and names from RFC 8011 and other IPP extension specifications. Here is a complete list of names supported by ipptool(8):
 
@@ -376,7 +378,7 @@ Operation codes correspond to the hexadecimal numbers (0xHHHH) and names from RF
     Validate-Job
 

Status Codes

-Status codes correspond to the hexadecimal numbers (0xHHHH) and names from RFC 2911 and other IPP extension specifications. Here is a complete list of the names supported by +Status codes correspond to the hexadecimal numbers (0xHHHH) and names from RFC 8011 and other IPP extension specifications. Here is a complete list of the names supported by ipptool(8):
 
@@ -439,7 +441,7 @@ Status codes correspond to the hexadecimal numbers (0xHHHH) and names from RFC 2
     successful-ok-too-many-events
 

Tags

-Value and group tags correspond to the names from RFC 2911 and other IPP extension specifications. Here are the group tags: +Value and group tags correspond to the names from RFC 8011 and other IPP extension specifications. Here are the group tags:
 
     document-attributes-tag
diff --git a/man/ipptool.man b/man/ipptool.man
index ecc957525..9373b6602 100644
--- a/man/ipptool.man
+++ b/man/ipptool.man
@@ -9,7 +9,7 @@
 .\" which should have been included with this file.  If this file is
 .\" file is missing or damaged, see the license at "http://www.cups.org/".
 .\"
-.TH ipptool 1 "CUPS" "13 June 2017" "Apple Inc."
+.TH ipptool 1 "CUPS" "4 August 2017" "Apple Inc."
 .SH NAME
 ipptool \- perform internet printing protocol requests
 .SH SYNOPSIS
@@ -54,6 +54,8 @@ ipptool \- perform internet printing protocol requests
 .B \-f
 .I filename
 ] [
+.B \-h
+] [
 .B \-i
 .I seconds
 ] [
@@ -154,6 +156,9 @@ Defines the named variable.
 .BI \-f \ filename
 Defines the default request filename for tests.
 .TP 5
+.B \-h
+Validate HTTP response headers.
+.TP 5
 .BI \-i \ seconds
 Specifies that the (last)
 .I testfile
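Review bot: The new `-h` entry says only "Validate HTTP response headers." and does not tell the reader which headers are checked or how a failure shows up. Going by the test/ipptool.c change in this same patch, the checks are that Content-Type equals application/ipp and that a Date header, when present, parses; each failure is added to the test's error list. Spell that out in the man page text so users know what a pass means.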
diff --git a/test/ipptool.c b/test/ipptool.c
index 55b9b9796..005800b6f 100644
--- a/test/ipptool.c
+++ b/test/ipptool.c
@@ -135,7 +135,8 @@ static int	Cancel = 0,		/* Cancel test? */
 		IgnoreErrors = 0,	/* Ignore errors? */
 		StopAfterIncludeError = 0,
 					/* Stop after include errors? */
-		Verbosity = 0,		/* Show all attributes? */
+		ValidateHeaders = 0,    /* Validate HTTP headers in response? */
+                Verbosity = 0,          /* Show all attributes? */
 		Version = 11,		/* Default IPP version */
 		XMLHeader = 0,		/* 1 if header is written */
 		TestCount = 0,		/* Number of tests run */
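Review bot: The `Verbosity = 0,` line is removed and re-added with only its whitespace changed (spaces where the neighbouring declarations use tabs), and the new `ValidateHeaders = 0,` line pads its comment with spaces. Leave the `Verbosity` line untouched and align the new line with tabs like its neighbours, so the hunk is a clean one-line addition.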
@@ -510,6 +511,10 @@ main(int  argc,				/* I - Number of command-line args */
               }
 	      break;
 
+          case 'h' : /* Validate response headers */
+              ValidateHeaders = 1;
+              break;
+
           case 'i' : /* Test every N seconds */
 	      i ++;
 
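Review bot: `case 'h'` claims a letter that most command-line users read as "help", so `-h` typed in search of usage text turns on header validation instead. Consider a less ambiguous letter or a long option name for this switch.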
@@ -2810,6 +2815,17 @@ do_tests(cups_file_t  *outfile,		/* I - Output file */
 	add_stringf(errors, "Bad HTTP version (%d.%d)", http->version / 100,
 		    http->version % 100);
 
+      if (ValidateHeaders)
+      {
+        const char *header;               /* HTTP header value */
+
+        if ((header = httpGetField(http, HTTP_FIELD_CONTENT_TYPE)) == NULL || _cups_strcasecmp(header, "application/ipp"))
+          add_stringf(errors, "Bad HTTP Content-Type in response (%s)", header && *header ? header : "");
+
+        if ((header = httpGetField(http, HTTP_FIELD_DATE)) != NULL && *header && httpGetDateTime(header) == 0)
+          add_stringf(errors, "Bad HTTP Date in response (%s)", header);
+      }
+
       if (!response)
       {
        /*
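Review bot: The Content-Type check in the `if (ValidateHeaders)` block is an exact `_cups_strcasecmp(header, "application/ipp")`, so a response whose header carries any parameter after the media type is reported as bad; compare only the media type up to the first `;`. The block also sits ahead of `if (!response)`, so when no response was received it looks like the run will add "Bad HTTP Content-Type in response ()" on top of the real failure; consider validating only when a response exists. Finally, a missing Content-Type is an error while a missing Date passes silently (`!= NULL && *header`); if that asymmetry is intended, a short comment saying so would help.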
@@ -5070,6 +5086,7 @@ usage(void)
   _cupsLangPuts(stderr, _("  -c                      Produce CSV output."));
   _cupsLangPuts(stderr, _("  -d name=value           Set named variable to value."));
   _cupsLangPuts(stderr, _("  -f filename             Set default request filename."));
+  _cupsLangPuts(stderr, _("  -h                      Validate HTTP response headers."));
   _cupsLangPuts(stderr, _("  -i seconds              Repeat the last file with the given time interval."));
   _cupsLangPuts(stderr, _("  -l                      Produce plain text output."));
   _cupsLangPuts(stderr, _("  -n count                Repeat the last file the given number of times."));
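Review bot: In the doc/help/man-ipptoolfile.html hunk for the ATTR directive, the rewritten sentence still reads `escape commas using the "" character`, with the escape character itself missing between the quotes, exactly as in the line it replaces. Since the HTML is being regenerated here anyway, fix the source or the generator so the character is actually rendered. Separately, the man-client.conf.html and man-cupsd.conf.html hunks add SSLOptions text (AllowDH, DenyCBC, DenyTLS1.0) that has nothing to do with header validation and is covered in the commit message only as "Update HTML versions of man pages"; a separate commit would keep the history easier to follow.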