Make sure /icons/printer.png and /ppds/printer.ppd point to real queues.
authormsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Mon, 26 Oct 2015 17:17:40 +0000 (17:17 +0000)
committermsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Mon, 26 Oct 2015 17:17:40 +0000 (17:17 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12936 a1ca3aef-8c08-0410-bb20-df032aa958be

CHANGES-2.1.txt
scheduler/client.c

index 6ae15c13f3f4349281faa313fdeb76503d47b8c4..443557ad5c9a27d13239eb41ea98a43678a25182 100644 (file)
@@ -8,7 +8,8 @@ CHANGES IN CUPS V2.1.1
          <rdar://problem/23132803>, <rdar://problem/23133230>,
          <rdar://problem/23133393>, <rdar://problem/23133466>,
          <rdar://problem/23133833>, <rdar://problem/23133998>,
-         <rdar://problem/23134228>, <rdar://problem/23134299>)
+         <rdar://problem/23134228>, <rdar://problem/23134299>,
+         <rdar://problem/23134356>)
        - The cupsGetPPD* functions did not work with IPP printers (STR #4725)
        - Some older HP LaserJet printers need a delayed close when printing
          using the libusb-based USB backend (STR #4549)
index c0d6eec744f0b70f5488a907247dbee285e23b39..7f4d774de4dda2c16b0d80a10d3116e186f8c59b 100644 (file)
@@ -2961,7 +2961,8 @@ get_file(cupsd_client_t *con,             /* I  - Client connection */
   int          status;                 /* Status of filesystem calls */
   char         *ptr;                   /* Pointer info filename */
   size_t       plen;                   /* Remaining length after pointer */
-  char         language[7];            /* Language subdirectory, if any */
+  char         language[7],            /* Language subdirectory, if any */
+               dest[1024];             /* Destination name */
   int          perm_check = 1;         /* Do permissions check? */
 
 
@@ -2973,13 +2974,45 @@ get_file(cupsd_client_t *con,           /* I  - Client connection */
 
   if (!strncmp(con->uri, "/ppd/", 5) && !strchr(con->uri + 5, '/'))
   {
+    strlcpy(dest, con->uri + 5, sizeof(dest));
+    ptr = dest + strlen(dest) - 4;
+
+    if (ptr <= dest || strcmp(ptr, ".ppd"))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "Disallowed path \"%s\".", con->uri);
+      return (NULL);
+    }
+
+    *ptr = '\0';
+    if (!cupsdFindPrinter(dest))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "No printer \"%s\" found.", dest);
+      return (NULL);
+    }
+
     snprintf(filename, len, "%s%s", ServerRoot, con->uri);
 
     perm_check = 0;
   }
   else if (!strncmp(con->uri, "/icons/", 7) && !strchr(con->uri + 7, '/'))
   {
-    snprintf(filename, len, "%s/%s", CacheDir, con->uri + 7);
+    strlcpy(dest, con->uri + 7, sizeof(dest));
+    ptr = dest + strlen(dest) - 4;
+
+    if (ptr <= dest || strcmp(ptr, ".png"))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "Disallowed path \"%s\".", con->uri);
+      return (NULL);
+    }
+
+    *ptr = '\0';
+    if (!cupsdFindDest(dest))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "No printer \"%s\" found.", dest);
+      return (NULL);
+    }
+
+    snprintf(filename, len, "%s/%s.png", CacheDir, dest);
     if (access(filename, F_OK) < 0)
       snprintf(filename, len, "%s/images/generic.png", DocumentRoot);
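Review bot: In both new branches `ptr = dest + strlen(dest) - 4;` is computed before the length is known to be at least 4, so for a request such as `/ppd/a` the pointer is formed before the start of `dest`, which is undefined behaviour in C; the `ptr <= dest` guard on the following line comes too late to be relied on. Take the length first and test it, e.g. `size_t dlen = strlen(dest);` then `if (dlen <= 4 || strcmp(dest + dlen - 4, ".ppd"))`, and set `ptr = dest + dlen - 4;` only after that check passes; the `/icons/` branch needs the same change with `".png"`. Separately, the `/ppd/` branch still builds `filename` from the raw `con->uri`, while the `/icons/` branch builds it from the validated `dest`; building both from `dest` would keep the name that was looked up and the file that is opened tied together. get_file() starts and ends outside this hunk, so how `filename` is used afterwards is not visible here.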