author | Rich Burridge <rich.burridge@oracle.com> |
Tue, 18 Apr 2017 15:20:35 -0700 | |
changeset 7904 | c63c09f88833 |
parent 2108 | 6145b31310ca |
permissions | -rw-r--r-- |
See : http://www.cups.org/str.php?L4356 for details.
Index: scheduler/client.c
===================================================================
--- scheduler/client.c
+++ scheduler/client.c
@@ -4251,6 +4251,14 @@
 return (0);
 /*
+ * Check for "<" or quotes in the path and reject since this is probably
+ * someone trying to inject HTML...
+ */
+
+ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
+ return (0);
+
+ /*
 * Check for "/.." in the path...
 */
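Review bot: The added test is a character denylist limited to `<`, `"` and `'`, so it only helps if `path` is already percent-decoded when this code runs, and the hunk does not show whether it is. If decoding happens later, the test should run on the decoded string. The code that reflects the path into an HTML response should escape it in any case, with this rejection kept as defence in depth. The three `strchr` calls can be written as one scan, `if (strpbrk(path, "<\"'") != NULL)`, and `>` could be added to that set if no legitimate resource path needs it. The enclosing function begins and ends outside the hunk, so the callers that depend on the `0` return are not visible here.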