From: Michael R Sweet Date: Wed, 4 Feb 2026 16:49:57 +0000 (-0500) Subject: Don't allow resolver to return 'localhost' for a non-loopback address. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=727cb8944756ebeb5a42d09ce849696a96494d8d;p=thirdparty%2Fcups.git Don't allow resolver to return 'localhost' for a non-loopback address. --- diff --git a/CHANGES.md b/CHANGES.md index a576a3374a..9b229e8c37 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -90,6 +90,8 @@ v2.5b1 - YYYY-MM-DD supported document formats for a printer (Issue #1392) - Updated the scheduler to hold password/PIN jobs for 15 seconds before releasing to the printer (Issue #1456) +- Updated `httpAddrLookup` to return a numeric address when the resolver + returns "localhost" for a non-loopback address. - Deprecated the "page-border" Job Template attribute (Issue #1020) - Removed the `cups-config` utility (use `pkg-config` instead) - Fixed use-after-free in `cupsdAcceptClient()` when we log warning during error diff --git a/cups/http-addr.c b/cups/http-addr.c index 3862be7ffe..262a9fc4ea 100644 --- a/cups/http-addr.c +++ b/cups/http-addr.c @@ -1,7 +1,7 @@ // // HTTP address routines for CUPS. // -// Copyright © 2023-2025 by OpenPrinting. +// Copyright © 2023-2026 by OpenPrinting. // Copyright © 2007-2021 by Apple Inc. // Copyright © 1997-2006 by Easy Software Products, all rights reserved. // @@ -373,7 +373,7 @@ httpAddrLookup( #endif // AF_LOCAL // Optimize lookups for localhost/loopback addresses... - if (httpAddrLocalhost(addr)) + if (httpAddrIsLocalhost(addr)) { cupsCopyString(name, "localhost", (size_t)namelen); return (name); @@ -401,12 +401,12 @@ httpAddrLookup( // // FWIW, I think this is really a bug in the implementation of // getnameinfo(), but falling back on httpAddrString() is easy to do... - if ((error = getnameinfo(&addr->addr, (socklen_t)httpAddrLength(addr), name, (socklen_t)namelen, NULL, 0, 0)) != 0) + if ((error = getnameinfo(&addr->addr, (socklen_t)httpAddrLength(addr), name, (socklen_t)namelen, NULL, 0, 0)) != 0 || !strcasecmp(name, "localhost")) { if (error == EAI_FAIL) cg->need_res_init = 1; - return (httpAddrGetString(addr, name, (size_t)namelen)); + httpAddrGetString(addr, name, (size_t)namelen); } DEBUG_printf("1httpAddrLookup: returning \"%s\"...", name);