- lpq and lpstat did not list jobs in the correct order when priorities
were specified (STR #4326)
- The D-BUS notifier did not remove its lockfile (STR #4314)
+ - CUPS incorrectly used the USER environment variable when the name did
+ not match the user ID (STR #4327)
CHANGES IN CUPS V1.7.0
cups_expiredcerts = getenv("CUPS_EXPIREDCERTS");
if ((cups_user = getenv("CUPS_USER")) == NULL)
- cups_user = getenv("USER");
+ {
+ /*
+ * Try the USER environment variable...
+ */
+
+ if ((cups_user = getenv("USER")) != NULL)
+ {
+ /*
+ * Validate USER matches the current UID, otherwise don't allow it to
+ * override things... This makes sure that printing after doing su or
+ * sudo records the correct username.
+ */
+
+ struct passwd *pw; /* Account information */
+
+ if ((pw = getpwnam(cups_user)) == NULL || pw->pw_uid != getuid())
+ cups_user = NULL;
+ }
+ }
/*
* Then, if needed, read the ~/.cups/client.conf or /etc/cups/client.conf