Problematic characters allowed in printer and class names #320

Closed
michaelrsweet opened this Issue Oct 6, 2003 · 5 comments

Collaborator

michaelrsweet commented Oct 6, 2003

Version: 1.1.18
CUPS.org User: robert2.dds

CUPS 1.1.18 let me create a printer with the name "printer#2". After adding the printer, CUPS offered a link to http://hostname:631/printers/printer#2. That URL won't work. Another problematic character was the dot. This caused problems for Windows clients. There are likely more problematic characters. You could probably do silly stuff like create a printer called "printer?op=print-test-page". These special characters should probably be either disallowed or escaped.

Collaborator

michaelrsweet commented Oct 6, 2003

CUPS.org User: mike

The CGIs are not escaping these characters properly; however, the ? probably should not be allowed (same for *) to prevent problems with shell scripts...

Will be fixed for 1.1.20 final...

Collaborator

michaelrsweet commented Oct 7, 2003

CUPS.org User: robert2.dds

The ? and * can easily be escaped in shell scripts, so I don't think disallowing them is required. Escaping non-alphanumeric characters in the CGIs sounds like a good idea.

Collaborator

michaelrsweet commented Oct 16, 2003

CUPS.org User: mike

Try the patch file and let me know how it works for you...

Collaborator

michaelrsweet commented Nov 7, 2003

CUPS.org User: mike

This STR has not been updated by the submitter for two or more weeks and has been closed as required by the CUPS Configuration Management Plan. If the issue still requires resolution, please re-submit a new STR.

Collaborator

michaelrsweet commented Nov 7, 2003

"str320.patch":

Index: ipp-var.c

RCS file: /development/cvs/cups/cgi-bin/ipp-var.c,v
retrieving revision 1.38
diff -u -r1.38 ipp-var.c
--- ipp-var.c 2 Sep 2003 20:17:24 -0000 1.38
+++ ipp-var.c 16 Oct 2003 19:08:36 -0000
@@ -419,7 +419,9 @@
*/

               for (rawptr = rawresource, resptr = resource; *rawptr;)
  •       if (*rawptr & 128 || *rawptr == '%' || *rawptr == ' ')
    
  •       if ((*rawptr & 128) || *rawptr == '%' || *rawptr == ' ' ||
    
  •           *rawptr == '#' || *rawptr == '?' ||
    
  •           _rawptr == '.') /_ For MSIE */
        {
          if (resptr < (resource + sizeof(resource) - 3))
          {
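
Review bot: the extended condition on the "if" line is still a denylist: it adds only '#', '?' and '.' to the existing high-bit, '%' and ' ' cases, so other characters with special meaning in a URL (for example '&', '+', '"', '<', '>' and '*') still pass through unescaped. Consider inverting the test so that everything except ASCII letters, digits and a small fixed set such as '-' and '_' is percent-encoded, which would also match the "escape non-alphanumeric characters" suggestion made earlier in this STR. The '.' case carries only a "For MSIE" comment; a sentence saying what fails when the dot is left unescaped would help whoever next edits this list.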
    

michaelrsweet added this to the Stable milestone Mar 17, 2016
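
The escaping discussed in this thread, written as an allowlist rather than a list of known-bad characters. This is an added example, not part of the original issue or the CUPS source: `encode_printer_name` is a hypothetical helper, the allowlist (ASCII letters, digits, '-', '_', '~') is an assumption, and the printer names in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a CUPS function): percent-encode a printer name
 * for use as a single URL path segment. Anything outside the allowlist is
 * written as %XX. Returns 0 on success, -1 on bad arguments or if `out` is
 * too small (then `out` holds the NUL-terminated prefix encoded so far). */
int encode_printer_name(const char *name, char *out, size_t outsize)
{
  static const char hex[] = "0123456789ABCDEF";
  const unsigned char *src = (const unsigned char *)name;
  char *dst = out, *end;

  if (!name || !out || outsize == 0)
    return (-1);
  end = out + outsize - 1;               /* keep one byte for the NUL */

  for (; *src; src ++)
  {
    unsigned char ch = *src;
    int safe = (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') ||
               (ch >= '0' && ch <= '9') || strchr("-_~", ch) != NULL;
    if (end - dst < (safe ? 1 : 3))      /* never write a partial %XX */
    {
      *dst = '\0';
      return (-1);
    }
    if (safe)
      *dst++ = (char)ch;
    else
    {
      *dst++ = '%';
      *dst++ = hex[ch >> 4];
      *dst++ = hex[ch & 15];
    }
  }
  *dst = '\0';
  return (0);
}

int main(void)
{
  /* Constructed sample names covering the characters raised in the thread. */
  const char *names[] = { "printer#2", "printer?op=print-test-page", "laser.1" };
  char seg[256];
  for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i ++)
    if (encode_printer_name(names[i], seg, sizeof(seg)) == 0)
      printf("/printers/%s\n", seg);
  return (0);
}
```

With this encoding, "printer#2" becomes the path segment "printer%232", so the '#' is no longer read as a fragment delimiter by the browser.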
