Validate notify-recipient-uri values.

diff --git a/CHANGES.md b/CHANGES.md
index 6e46c56524a849debde2def06ab56268174f2bfe..fa8a9eb69c72f297898398232d605f7ce36b5595 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -18,6 +18,8 @@ Changes in CUPS v2.3b5
 - Documentation updates (Issue #5299, Issue #5301, Issue #5306)
 - Fax queues did not support pause (p) or wait-for-dialtone (w) characters
   (rdar://39212256)
+- The scheduler did not validate notify-recipient-uri values properly
+  (rdar://40068936)
 - The IPP parser allowed invalid group tags (rdar://40442124)
 - Fixed a parsing bug in the new authentication code.
 

diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index 917ef71d821692489c017f28df0f8dfa7f808667..89058d2851066e56a3f37328b2ce689968ac3804 100644 (file)
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -2032,7 +2032,7 @@ add_job_subscriptions(
 
         snprintf(notifier, sizeof(notifier), "%s/notifier/%s", ServerBin,
                 scheme);
-        if (access(notifier, X_OK))
+        if (access(notifier, X_OK) || !strcmp(scheme, ".") || !strcmp(scheme, ".."))
        {
           send_ipp_status(con, IPP_NOT_POSSIBLE,
                          _("notify-recipient-uri URI \"%s\" uses unknown "