From beb37da67b6c9a72d5da7ee73bce6bc2e4d0a206 Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Tue, 8 May 2018 13:50:09 -0700
Subject: [PATCH] Validate notify-recipient-uri values.
---
 CHANGES.md | 2 ++
 scheduler/ipp.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 6e46c56524..fa8a9eb69c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -18,6 +18,8 @@ Changes in CUPS v2.3b5
 - Documentation updates (Issue #5299, Issue #5301, Issue #5306)
 - Fax queues did not support pause (p) or wait-for-dialtone (w) characters
 (rdar://39212256)
+- The scheduler did not validate notify-recipient-uri values properly
+ (rdar://40068936)
 - The IPP parser allowed invalid group tags (rdar://40442124)
 - Fixed a parsing bug in the new authentication code.
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index 917ef71d82..89058d2851 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -2032,7 +2032,7 @@ add_job_subscriptions(
 snprintf(notifier, sizeof(notifier), "%s/notifier/%s", ServerBin,
 scheme);
- if (access(notifier, X_OK))
+ if (access(notifier, X_OK) || !strcmp(scheme, ".") || !strcmp(scheme, ".."))
 {
 send_ipp_status(con, IPP_NOT_POSSIBLE,
 _("notify-recipient-uri URI \"%s\" uses unknown "
-- 
2.47.2
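Review bot: The new condition in the scheduler/ipp.c hunk rejects only the literal schemes `.` and `..`, but the weakness it patches is that `access(notifier, X_OK)` is also true for a searchable directory, so the test still does not establish that `notifier` names a program. A file-type check would cover the general case without a name denylist, for example `if (stat(notifier, &info) || !S_ISREG(info.st_mode) || access(notifier, X_OK))`, with `struct stat info;` declared in the part of add_job_subscriptions that lies outside this hunk. Whether `scheme` can carry other path characters depends on the URI parsing done before this hunk, which is not visible here, so that should be confirmed. If the denylist is kept, the string comparisons would read better ahead of the `access()` call, with a comment such as `/* "." and ".." name directories, which pass X_OK */`.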