Protect against HTML in the URL (STR #4356)

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11620 a1ca3aef-8c08-0410-bb20-df032aa958be

diff --git a/CHANGES-1.7.txt b/CHANGES-1.7.txt
index 580b60c5fb9d2c97f3a48a2d44371d88c13784f9..6a456f08c2c9316f3baae8b6e2f548734dccb8e6 100644 (file)
--- a/CHANGES-1.7.txt
+++ b/CHANGES-1.7.txt
@@ -3,6 +3,8 @@ CHANGES-1.7.txt
 
 CHANGES IN CUPS V1.7.2
 
+       - Security: The scheduler now blocks URLs containing embedded HTML
+         (STR #4356)
        - The scheduler did not always update the MakeModel value in
          printers.conf after updating the driver (STR #4264)
        - The LPD mini daemon did not support print jobs larger than 2GB

diff --git a/scheduler/client.c b/scheduler/client.c
index 23fb71305a534f98317835ce4c4e70dd3a9a23d4..9bb2305465a40af320ce66810ee331c20a3544e6 100644 (file)
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -3315,6 +3315,14 @@ is_path_absolute(const char *path)       /* I - Input path */
   if (path[0] != '/')
     return (0);
 
+ /*
+  * Check for "<" or quotes in the path and reject since this is probably
+  * someone trying to inject HTML...
+  */
+
+  if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
+    return (0);
+
  /*
   * Check for "/.." in the path...
   */