From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Date: Mon, 26 Oct 2015 17:17:40 +0000 (+0000)
Subject: Make sure /icons/printer.png and /ppds/printer.ppd point to real queues.
X-Git-Tag: v2.2b1~165
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8a60ef8deb3da1b1f970bb619bed0f1aed96645;p=thirdparty%2Fcups.git

Make sure /icons/printer.png and /ppds/printer.ppd point to real queues.


git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12936 a1ca3aef-8c08-0410-bb20-df032aa958be
---

diff --git a/CHANGES-2.1.txt b/CHANGES-2.1.txt
index 6ae15c13f3..443557ad5c 100644
--- a/CHANGES-2.1.txt
+++ b/CHANGES-2.1.txt
@@ -8,7 +8,8 @@ CHANGES IN CUPS V2.1.1
 	  <rdar://problem/23132803>, <rdar://problem/23133230>,
 	  <rdar://problem/23133393>, <rdar://problem/23133466>,
 	  <rdar://problem/23133833>, <rdar://problem/23133998>,
-	  <rdar://problem/23134228>, <rdar://problem/23134299>)
+	  <rdar://problem/23134228>, <rdar://problem/23134299>,
+	  <rdar://problem/23134356>)
 	- The cupsGetPPD* functions did not work with IPP printers (STR #4725)
 	- Some older HP LaserJet printers need a delayed close when printing
 	  using the libusb-based USB backend (STR #4549)
diff --git a/scheduler/client.c b/scheduler/client.c
index c0d6eec744..7f4d774de4 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2961,7 +2961,8 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
   int		status;			/* Status of filesystem calls */
   char		*ptr;			/* Pointer info filename */
   size_t	plen;			/* Remaining length after pointer */
-  char		language[7];		/* Language subdirectory, if any */
+  char		language[7],		/* Language subdirectory, if any */
+		dest[1024];		/* Destination name */
   int		perm_check = 1;		/* Do permissions check? */
 
 
@@ -2973,13 +2974,45 @@ get_file(cupsd_client_t *con,		/* I  - Client connection */
 
   if (!strncmp(con->uri, "/ppd/", 5) && !strchr(con->uri + 5, '/'))
   {
+    strlcpy(dest, con->uri + 5, sizeof(dest));
+    ptr = dest + strlen(dest) - 4;
+
+    if (ptr <= dest || strcmp(ptr, ".ppd"))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "Disallowed path \"%s\".", con->uri);
+      return (NULL);
+    }
+
+    *ptr = '\0';
+    if (!cupsdFindPrinter(dest))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "No printer \"%s\" found.", dest);
+      return (NULL);
+    }
+
     snprintf(filename, len, "%s%s", ServerRoot, con->uri);
 
     perm_check = 0;
   }
   else if (!strncmp(con->uri, "/icons/", 7) && !strchr(con->uri + 7, '/'))
   {
-    snprintf(filename, len, "%s/%s", CacheDir, con->uri + 7);
+    strlcpy(dest, con->uri + 7, sizeof(dest));
+    ptr = dest + strlen(dest) - 4;
+
+    if (ptr <= dest || strcmp(ptr, ".png"))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "Disallowed path \"%s\".", con->uri);
+      return (NULL);
+    }
+
+    *ptr = '\0';
+    if (!cupsdFindDest(dest))
+    {
+      cupsdLogClient(con, CUPSD_LOG_INFO, "No printer \"%s\" found.", dest);
+      return (NULL);
+    }
+
+    snprintf(filename, len, "%s/%s.png", CacheDir, dest);
     if (access(filename, F_OK) < 0)
       snprintf(filename, len, "%s/images/generic.png", DocumentRoot);