From: Michael R Sweet Date: Sat, 18 Aug 2018 12:50:24 +0000 (-0400) Subject: Validate attribute group for initial request attributes (rdar://41098178) X-Git-Tag: v2.2.9~36 X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fcups.git;a=commitdiff_plain;h=918d2b07482d9a5a3728cc11cf94b44832b0b215 Validate attribute group for initial request attributes (rdar://41098178) --- diff --git a/CHANGES.md b/CHANGES.md index 3bd2e9678..6bc00e633 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,4 +1,4 @@ -CHANGES - 2.2.9 - 2018-07-18 +CHANGES - 2.2.9 - 2018-08-18 ============================ @@ -18,6 +18,8 @@ Changes in CUPS v2.2.9 - Fixed some typos in the label printer drivers (Issue #5350) - The scheduler was being backgrounded on macOS, causing applications to spin (rdar://40436080) +- The scheduler did not validate that required initial request attributes were + in the operation group (rdar://41098178) - Authentication in the web interface did not work on macOS (rdar://41444473) - Dropped non-working RSS subscriptions UI from web interface templates. - Fixed a memory leak for some IPP (extension) syntaxes. diff --git a/man/cups-files.conf.man.in b/man/cups-files.conf.man.in index 6ac4e72d3..f5e6a9f39 100644 --- a/man/cups-files.conf.man.in +++ b/man/cups-files.conf.man.in @@ -1,7 +1,7 @@ .\" .\" cups-files.conf man page for CUPS. .\" -.\" Copyright 2007-2017 by Apple Inc. +.\" Copyright 2007-2018 by Apple Inc. .\" Copyright 1997-2006 by Easy Software Products. .\" .\" These coded instructions, statements, and computer programs are the @@ -10,7 +10,7 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH cups-files.conf 5 "CUPS" "21 September 2017" "Apple Inc." +.TH cups-files.conf 5 "CUPS" "25 February 2018 " "Apple Inc." .SH NAME cups\-files.conf \- file and directory configuration file for cups .SH DESCRIPTION 
@@ -284,4 +284,4 @@ Specifies the SMB service configuration file to update.
 .BR subscriptions.conf (5),
 CUPS Online Help (http://localhost:631/help)
 .SH COPYRIGHT
-Copyright \[co] 2007-2017 by Apple Inc.
+Copyright \[co] 2007-2018 by Apple Inc.
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index d1c6a89fb..825cabbf0 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -253,7 +253,7 @@ cupsdProcessIPPRequest(
 */
 attr = con->request->attrs;
- if (attr && attr->name && !strcmp(attr->name, "attributes-charset") && (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET)
+ if (attr && attr->name && !strcmp(attr->name, "attributes-charset") && (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET && attr->group_tag == IPP_TAG_OPERATION)
 charset = attr;
 else
 charset = NULL;
@@ -261,7 +261,7 @@ cupsdProcessIPPRequest(
 if (attr)
 attr = attr->next;
- if (attr && attr->name && !strcmp(attr->name, "attributes-natural-language") && (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_LANGUAGE)
+ if (attr && attr->name && !strcmp(attr->name, "attributes-natural-language") && (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_LANGUAGE && attr->group_tag == IPP_TAG_OPERATION)
 {
 language = attr;
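Review bot: In the `attributes-charset` check (and the matching `attributes-natural-language` check in the next hunk), an attribute with the right name and syntax but outside the operation group now ends in the same `charset = NULL` / `language = NULL` state as an absent one. A rejection further down therefore cannot say which rule the request broke. I would state the rule in a comment above each test, e.g. `/* Must be in the operation group; the right name and syntax in any other group counts as missing */`, and log the wrong-group case separately so malformed clients are visible in the scheduler log. The comment block that closes with `*/` at the top of the first hunk starts outside it, so it may already describe the ordering rule, but presumably not the new group requirement. The body of `cupsdProcessIPPRequest` also continues past both hunks.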
@@ -279,12 +279,12 @@ cupsdProcessIPPRequest(
 else
 language = NULL;
- if ((attr = ippFindAttribute(con->request, "printer-uri", IPP_TAG_URI)) != NULL)
+ if ((attr = ippFindAttribute(con->request, "printer-uri", IPP_TAG_URI)) != NULL && attr->group_tag == IPP_TAG_OPERATION)
 uri = attr;
- else if ((attr = ippFindAttribute(con->request, "job-uri", IPP_TAG_URI)) != NULL)
+ else if ((attr = ippFindAttribute(con->request, "job-uri", IPP_TAG_URI)) != NULL && attr->group_tag == IPP_TAG_OPERATION)
 uri = attr;
- else if (con->request->request.op.operation_id == CUPS_GET_PPD)
- uri = ippFindAttribute(con->request, "ppd-name", IPP_TAG_NAME);
+ else if (con->request->request.op.operation_id == CUPS_GET_PPD && (attr = ippFindAttribute(con->request, "ppd-name", IPP_TAG_NAME)) != NULL && attr->group_tag == IPP_TAG_OPERATION)
+ uri = attr;
 else
 uri = NULL;
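Review bot: The `attr->group_tag == IPP_TAG_OPERATION` test is now written out five times across the ipp.c hunks, and the three in this hunk are appended to an assignment inside an `if`/`else if` condition. That makes it easy for the next lookup added to this function to omit the group check. A small file-local helper that wraps `ippFindAttribute` and returns NULL for a match outside the operation group would keep the rule in one place and shorten the three conditions. The current form leaves `attr` holding the last lookup result, possibly a wrong-group attribute, and the sketch below no longer assigns `attr`. Whether later code in `cupsdProcessIPPRequest` reads `attr` is outside the hunk, so confirm that before switching.

```c
static ipp_attribute_t *
find_operation_attr(ipp_t *request, const char *name, ipp_tag_t value_tag)
{
  ipp_attribute_t *attr = ippFindAttribute(request, name, value_tag);

  /* Only a match in the operation group is acceptable to the caller. */
  return ((attr && attr->group_tag == IPP_TAG_OPERATION) ? attr : NULL);
}

/* … unchanged: attributes-charset and attributes-natural-language checks … */

  if ((uri = find_operation_attr(con->request, "printer-uri", IPP_TAG_URI)) == NULL &&
      (uri = find_operation_attr(con->request, "job-uri", IPP_TAG_URI)) == NULL &&
      con->request->request.op.operation_id == CUPS_GET_PPD)
    uri = find_operation_attr(con->request, "ppd-name", IPP_TAG_NAME);
```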