- snprintf(filename, len, "%s/%s", CacheDir, con->uri + 7);
+ strlcpy(dest, con->uri + 7, sizeof(dest));
+ ptr = dest + strlen(dest) - 4;
+
+ if (ptr <= dest || strcmp(ptr, ".png"))
+ {
+ cupsdLogClient(con, CUPSD_LOG_INFO, "Disallowed path \"%s\".", con->uri);
+ return (NULL);
+ }
+
+ *ptr = '\0';
+ if (!cupsdFindDest(dest))
+ {
+ cupsdLogClient(con, CUPSD_LOG_INFO, "No printer \"%s\" found.", dest);
+ return (NULL);
+ }
+
+ snprintf(filename, len, "%s/%s.png", CacheDir, dest);
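Review bot: `ptr = dest + strlen(dest) - 4;` is evaluated before the length is known to be at least four, so when the name after `con->uri + 7` is shorter than that, the pointer is formed before the start of `dest`; that arithmetic is undefined behaviour even though the following `ptr <= dest` test is meant to reject the case. Taking the length first gives the same rejection without the out-of-bounds pointer: `size_t dlen = strlen(dest);`, then `if (dlen <= 4 || strcmp(dest + dlen - 4, ".png"))`, and `ptr = dest + dlen - 4;` only after the check has passed. A short comment above the `cupsdFindDest(dest)` call, for example `/* Only serve icons for known destinations; this is what keeps the path inside CacheDir */`, would record why the lookup must stay ahead of the final `snprintf`. The declarations of `dest` and `ptr` and the rest of the function are outside the hunk, so this assumes `dest` is a local char array, as `sizeof(dest)` suggests.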