dilfridge 14/04/15 21:26:13

Added: cups-1.7.1-str4356.patch
Log:
Backport for bug 507696

(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key EBE6A336BE19039C!)
Revision Changes Path 1.1 net-print/cups/files/cups-1.7.1-str4356.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-print/cups/files/cups-1.7.1-str4356.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-print/cups/files/cups-1.7.1-str4356.patch?rev=1.1&content-type=text/plain Index: cups-1.7.1-str4356.patch =================================================================== Index: scheduler/client.c =================================================================== --- scheduler/client.c (revision 11597) +++ scheduler/client.c (working copy) @@ -3316,6 +3316,14 @@ return (0); /* + * Check for "<" or quotes in the path and reject since this is probably + * someone trying to inject HTML... + */ + + if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL) + return (0); + + /* * Check for "/.." in the path... */
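Review bot: The added check in scheduler/client.c (hunk at -3316,6 +3316,14) compares path against literal '<', '"' and ''' only, so it holds only if path has already been percent-decoded when this code runs, and the hunk does not show that. If decoding happens later, encoded forms of the same characters would pass; please confirm the ordering or note it in the comment. The block comment says the request is "probably" an injection attempt, which describes this as an input blacklist. The place that echoes the path into HTML should still escape it, and that is worth stating here so the check is not read as the complete fix. As a style point, the three strchr() calls on one long line could be a single strpbrk(path, "<\"'") != NULL, and the backslash in '\"' is not needed inside a character literal.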