author | Mohana Rao Gorai <mohana.gorai@oracle.com> |
Mon, 13 Oct 2014 02:16:00 -0700 | |
branch | s11u2-sru |
changeset 3389 | b77a52ff5cfd |
permissions | -rw-r--r-- |
See : http://www.cups.org/str.php?L4356 for details.
Index: scheduler/client.c
===================================================================
--- scheduler/client.c
+++ scheduler/client.c
@@ -4251,6 +4251,14 @@
 return (0);
 /*
+ * Check for "<" or quotes in the path and reject since this is probably
+ * someone trying to inject HTML...
+ */
+
+ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
+ return (0);
+
+ /*
 * Check for "/.." in the path...
 */
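Review bot: The added check filters only the literal characters `<`, `"` and `'`, so it is an input denylist rather than a fix at the point where the path is written into HTML. If the path is still percent-encoded when this test runs (the hunk does not show where decoding happens), encoded forms of the same characters would not be caught. The durable mitigation is to HTML-escape the path wherever it is echoed into a response and keep this check as defence in depth; a comment saying so, e.g. `/* Defence in depth only: output that includes the path must still be HTML-escaped. */`, would keep later maintainers from relying on it alone. If the test stays, one call is easier to read and extend than three chained `strchr` calls: `if (strpbrk(path, "<\"'") != NULL) return (0);`. The enclosing function begins and ends outside the hunk, so how callers treat the 0 return could not be confirmed here.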