Device URIs containning username & password end up in error_log

[michaelrsweet]

Version: 1.1-current
CUPS.org User: jlovell

Device URIs containning username & password end up in error_log.

This was recently reported to us and will be fixed in the next Mac OS X security update, to be released sometime soon.

The attached patch fixes it. Note that this uses the httpSeparate3 patch attached to http://www.cups.org/str.php?L878.

Thanks!

[michaelrsweet]

CUPS.org User: mike

I'll work up a cleaner patch for this that doesn't add/use another public API.

FWIW, only adding/modifying a printer will expose the unsanitized URI with a default configuration. You need to use LogLevel debug to see the StartJob messages, and those values are always available in the process list which is already a documented issue in the Software Security Report documentation, which is why we tell people not to hardcode usernames and passwords in device URIs...

Also, we expose Basic passwords (base64 encoded) in the error_log file at LogLevel debug2.

Looks like we'll be doing a 1.1.22 release... :(

[michaelrsweet]

CUPS.org User: jlovell

I've been asked to add "We have proposed to "vendor-sec" a release date of this information to be October 11 at 1.00pm Pacific Time. Please contact product-security@apple.com to confirm this date or if you have any questions."

Yes, device URIs are still a problem...

Sorry for 1.1.22!

[michaelrsweet]

CUPS.org User: mike

Do you have an ID number or some other identifier for me to use when I contact them?

I think we can do a 1.1.22 release candidate on Tuesday next week, which would mean a final release on the 17th.

We won't be treating this as a vulnerability, as the same device URI information has been available via the environment and argv[0](all visible via the "ps" command) and has been documented for a very long time.

[michaelrsweet]

CUPS.org User: jlovell

CAN-2004-0923 has been assigned for this issue.

[michaelrsweet]

CUPS.org User: jlovell

Can you make sure the release candidate information is made available to vendor-sec@lst.de? They are aware of the issue, but since the "official" CUPS changes are going to be different from ours the people are going to need to build/patch from something.

[michaelrsweet]

CUPS.org User: mike

See my attached patch which does not depend on the new httpSeparate3() API.

[michaelrsweet]

CUPS.org User: mike

Fixed in CVS - the anonymous CVS repository will be updated at midnight EST.

[michaelrsweet]

CUPS.org User: mike

New patch which combines the previous patch with a patch from STR #933 which sanitizes the device URI in argv[0](the environment variable is not sanitized, and will be the only source for authentication information)

[michaelrsweet]

"sanitize.patch":

Index: client.c

RCS file: /home/anoncvs/cups/scheduler/client.c,v
retrieving revision 1.194
diff -u -d -b -w -r1.194 client.c
--- client.c 12 Sep 2004 18:49:26 -0000 1.194
+++ client.c 29 Sep 2004 20:36:51 -0000
@@ -35,6 +35,7 @@

• SendHeader() - Send an HTTP request.
• UpdateCGI() - Read status messages from CGI scripts and programs.
• WriteClient() - Write data to a client as needed.
• * SanitizeURI() - Remove any username and password from a uri.
• check_if_modified() - Decode an "If-Modified-Since" line.
• decode_auth() - Decode an authorization string.
• get_file() - Get a filename and state info.
  @@ -2486,6 +2487,34 @@

/*

• * 'SanitizeURI()' - Remove any username and password from a uri.
• /
  +
  +char * / O - sanitized uri /
  +SanitizeURI(char *buf, / O - buffer for sanitized uri */

•   int bufsize,        /\* I - buffer size */
  

•   const char _uri)        /_ I - uri to sanitize */
  

  +{
• char method[HTTP_MAX_URI], /* Method portion of URI */
• username[HTTP_MAX_URI], /* Username portion of URI */
• host[HTTP_MAX_URI], /* Host portion of URI */
• resource[HTTP_MAX_URI]; /* Resource portion of URI */
• int port; /* Port portion of URI */
  +
  +
• httpSeparate3(uri, method, sizeof(method), username, sizeof(username),

•   host, sizeof(host), &port, resource, sizeof(resource), 0);
  
• if (port)
• snprintf(buf, bufsize, "%s://%s:%d%s", method, host, port, resource);
• else
• snprintf(buf, bufsize, "%s://%s%s", method, host, resource);
  +
• return buf;
  +}
  +
  +
  +/*
• 'check_if_modified()' - Decode an "If-Modified-Since" line.
  */

Index: client.h

RCS file: /home/anoncvs/cups/scheduler/client.h,v
retrieving revision 1.33
diff -u -d -b -w -r1.33 client.h
--- client.h 23 Aug 2004 18:00:59 -0000 1.33
+++ client.h 29 Sep 2004 20:36:51 -0000
@@ -112,6 +112,7 @@
extern void StopListening(void);
extern void UpdateCGI(void);
extern int WriteClient(client_t *con);
+extern char *SanitizeURI(char *buf, int bufsize, const char *uri);

/*

• End of "$Id$".

  Index: ipp.c

  RCS file: /home/anoncvs/cups/scheduler/ipp.c,v
  retrieving revision 1.233
  diff -u -d -b -w -r1.233 ipp.c
  --- ipp.c 23 Aug 2004 18:36:50 -0000 1.233
  +++ ipp.c 29 Sep 2004 20:36:51 -0000
  @@ -1035,8 +1035,12 @@
  /* Username portion of URI /
  host[HTTP_MAX_URI],
  / Host portion of URI */

  •       resource[HTTP_MAX_URI];
    

  •       resource[HTTP_MAX_URI],
            /\* Resource portion of URI */
    

  •       old_device_uri[HTTP_MAX_URI],
    

  •               /\* Sanitized old URI */
    

  •       new_device_uri[HTTP_MAX_URI];
    

  •               /* Sanitized new URI */
    

    int port; /* Port portion of URI /
    printer_t *printer; / Printer/class /
    ipp_attribute_t *attr; / Printer attribute */
    @@ -1222,7 +1226,9 @@
    }

    LogMessage(L_INFO, "Setting %s device-uri to "%s" (was "%s".)",

  •           printer->name, attr->values[0].string.text, printer->device_uri);
    

  •   printer->name, 
    

  •   SanitizeURI(new_device_uri, sizeof(new_device_uri), attr->values[0].string.text),
    

  •   SanitizeURI(old_device_uri, sizeof(old_device_uri), printer->device_uri));
    

    SetString(&printer->device_uri, attr->values[0].string.text);
    }

    Index: job.c

    RCS file: /home/anoncvs/cups/scheduler/job.c,v
    retrieving revision 1.230
    diff -u -d -b -w -r1.230 job.c
    --- job.c 9 Sep 2004 15:10:18 -0000 1.230
    +++ job.c 29 Sep 2004 20:36:51 -0000
    @@ -1202,6 +1202,7 @@
    classification[1024], /* CLASSIFICATION environment variable /
    content_type[1024], / CONTENT_TYPE environment variable /
    device_uri[1024], / DEVICE_URI environment variable */

  •   device_uri2[1024],  /\* Sanitized device uri _/
    

    ppd[1024], /_ PPD environment variable /
    class_name[255], / CLASS environment variable /
    printer_name[255], / PRINTER environment variable */
    @@ -1689,6 +1690,12 @@
    attr->values[0].string.text);
    }

• /*

• * Create a sanitized version of the device uri for logging purposes

• */

• SanitizeURI(device_uri2, sizeof(device_uri2), printer->device_uri);

snprintf(path, sizeof(path), "PATH=%s/filter:/bin:/usr/bin", ServerBin);
snprintf(content_type, sizeof(content_type), "CONTENT_TYPE=%s/%s",
current->filetypes[current->current_file]->super,
@@ -1802,6 +1809,9 @@
envp[envc] = NULL;

for (i = 0; i < envc; i ++)

• if (!strncmp(envp[i], "DEVICE_URI=", 11))

•  LogMessage(L_DEBUG, "StartJob: envp[%d]=\"DEVICE_URI=%s\"", i, device_uri2);
  

• else
  LogMessage(L_DEBUG, "StartJob: envp[%d]="%s"", i, envp[i]);

current->current_file ++;
@@ -1908,10 +1918,10 @@
if (filterfds[slot][1] < 0)
{
LogMessage(L_ERROR, "Unable to open output file "%s" - %s.",

•          printer->device_uri, strerror(errno));
  

•          device_uri2, strerror(errno));
   snprintf(printer->state_message, sizeof(printer->state_message),
   "Unable to open output file \"%s\" - %s.",
  

•        printer->device_uri, strerror(errno));
  

•        device_uri2, strerror(errno));
  

  AddPrinterHistory(printer);

Index: printers.c

RCS file: /home/anoncvs/cups/scheduler/printers.c,v
retrieving revision 1.162
diff -u -d -b -w -r1.162 printers.c
--- printers.c 29 Jun 2004 03:27:35 -0000 1.162
+++ printers.c 29 Sep 2004 20:36:52 -0000
@@ -1150,11 +1150,7 @@
SetPrinterAttrs(printer_t p) / I - Printer to setup /
{
char uri[HTTP_MAX_URI]; / URI for printer */

• char method[HTTP_MAX_URI], /* Method portion of URI */

•   username[HTTP_MAX_URI], /\* Username portion of URI */
  

•   host[HTTP_MAX_URI], /\* Host portion of URI */
  

•   resource[HTTP_MAX_URI]; /\* Resource portion of URI */
  

• int port; /* Port portion of URI */
• char resource[HTTP_MAX_URI]; /* Resource portion of URI /
  int i; / Looping var /
  char filename[1024]; / Name of PPD file /
  int num_media; / Number of media options */
  @@ -1360,12 +1356,7 @@
  * http://..., ipp://..., etc.
  */

•    httpSeparate(p->device_uri, method, username, host, &port, resource);
  

• if (port)

• snprintf(uri, sizeof(uri), "%s://%s:%d%s", method, host, port,
  

•          resource);
  

• else

• snprintf(uri, sizeof(uri), "%s://%s%s", method, host, resource);
  

• SanitizeURI(uri, sizeof(uri), p->device_uri);
  }
  else
  {

[michaelrsweet]

"str920.patch":

Index: ipp.c

RCS file: /development/cvs/cups/scheduler/ipp.c,v
retrieving revision 1.233
diff -u -r1.233 ipp.c
--- ipp.c 23 Aug 2004 18:36:50 -0000 1.233
+++ ipp.c 4 Oct 2004 20:19:17 -0000
@@ -1222,7 +1222,9 @@
}

 LogMessage(L_INFO, "Setting %s device-uri to \"%s\" (was \"%s\".)",

•           printer->name, attr->values[0].string.text, printer->device_uri);
  

•           printer->name,
  

•      cupsdSanitizeURI(attr->values[0].string.text, line, sizeof(line)),
  

•      cupsdSanitizeURI(printer->device_uri, resource, sizeof(resource)));
  

  SetString(&printer->device_uri, attr->values[0].string.text);
  }

  Index: job.c

  RCS file: /development/cvs/cups/scheduler/job.c,v
  retrieving revision 1.231
  diff -u -r1.231 job.c
  --- job.c 4 Oct 2004 19:40:35 -0000 1.231
  +++ job.c 4 Oct 2004 20:19:17 -0000
  @@ -1202,6 +1202,7 @@
  classification[1024], /* CLASSIFICATION environment variable /
  content_type[1024], / CONTENT_TYPE environment variable /
  device_uri[1024], / DEVICE_URI environment variable */

•   sani_uri[1024],     /* Sanitized DEVICE_URI env var */
  ppd[1024],      /* PPD environment variable */
  class_name[255],    /* CLASS environment variable */
  printer_name[255],  /* PRINTER environment variable */
  

  @@ -1803,7 +1804,12 @@
  envp[envc] = NULL;

  for (i = 0; i < envc; i ++)

• LogMessage(L_DEBUG, "StartJob: envp[%d]="%s"", i, envp[i]);

• if (strncmp(envp[i], "DEVICE_URI=", 11))

•  LogMessage(L_DEBUG, "StartJob: envp[%d]=\"%s\"", i, envp[i]);
  

• else

•  LogMessage(L_DEBUG, "StartJob: envp[%d]=\"DEVICE_URI=%s\"", i,
  

•             cupsdSanitizeURI(printer->device_uri, sani_uri,
  

•                     sizeof(sani_uri)));
  

  current->current_file ++;

Index: printers.c

RCS file: /development/cvs/cups/scheduler/printers.c,v
retrieving revision 1.164
diff -u -r1.164 printers.c
--- printers.c 4 Oct 2004 19:40:35 -0000 1.164
+++ printers.c 4 Oct 2004 20:19:17 -0000
@@ -43,6 +43,7 @@

• ValidateDest() - Validate a printer/class destination.

• WritePrintcap() - Write a pseudo-printcap file for older

•                        applications that need it...
  

  • * cupsdSanitizeURI() - Sanitize a device URI...

• write_irix_config() - Update the config files used by the IRIX

•                        desktop tools.
  

• write_irix_state() - Update the status files used by IRIX printing
  @@ -1150,11 +1151,7 @@
  SetPrinterAttrs(printer_t p) / I - Printer to setup /
  {
  char uri[HTTP_MAX_URI]; / URI for printer */

• char method[HTTP_MAX_URI], /* Method portion of URI */

•   username[HTTP_MAX_URI], /\* Username portion of URI */
  

•   host[HTTP_MAX_URI], /\* Host portion of URI */
  

•   resource[HTTP_MAX_URI]; /\* Resource portion of URI */
  

• int port; /* Port portion of URI */

• char resource[HTTP_MAX_URI]; /* Resource portion of URI /
  int i; / Looping var /
  char filename[1024]; / Name of PPD file /
  int num_media; / Number of media options */
  @@ -1360,12 +1357,7 @@
  - http://..., ipp://..., etc.
  */

•    httpSeparate(p->device_uri, method, username, host, &port, resource);
  

• if (port)

• snprintf(uri, sizeof(uri), "%s://%s:%d%s", method, host, port,
  

•          resource);
  

• else

• snprintf(uri, sizeof(uri), "%s://%s%s", method, host, resource);
  

•    cupsdSanitizeURI(p->device_uri, uri, sizeof(uri));
  

  }
  else
  {
  @@ -2172,6 +2164,74 @@
  */

  cupsFileClose(fp);
  +}
  +
  +
  +/*

• * 'cupsdSanitizeURI()' - Sanitize a device URI...

• /
  +
  +char * / O - New device URI /
  +cupsdSanitizeURI(const char *uri, / I - Original device URI */

•             char       _buffer,   /_ O - New device URI */
  

•             int        buflen)    /\* I - Size of new device URI buffer */
  

  +{

• char start, / Start of data after scheme */

• slash, / First slash after scheme:// */

• ptr; / Pointer into user@host:port part */

• /*
• * Range check input...
• */

• if (!uri || !buffer || buflen < 2)
• return (NULL);

• /*
• * Copy the device URI to the new buffer...
• */

• strlcpy(buffer, uri, buflen);

• /*
• * Find the end of the scheme:// part...
• */

• if ((ptr = strchr(buffer, ':')) == NULL)
• return (buffer); /* No scheme: part... */

• for (start = ptr + 1; *start; start ++)
• if (*start != '/')

•  break;
  
• /*
• * Find the next slash (/) in the URI...
• */

• if ((slash = strchr(start, '/')) == NULL)
• slash = start + strlen(start); /* No slash, point to the end */

• /*
• * Check for an @ sign before the slash...
• */

• if ((ptr = strchr(start, '@')) != NULL && ptr < slash)
• {
• /*
• * Found an @ sign and it is before the resource part, so we have
• * an authentication string. Copy the remaining URI over the
• * authentication string...
• */

• cups_strcpy(start, ptr + 1);
• }

• /*
• * Return the new device URI...
• */

• return (buffer);
  }

Index: printers.h

RCS file: /development/cvs/cups/scheduler/printers.h,v
retrieving revision 1.39
diff -u -r1.39 printers.h
--- printers.h 23 Aug 2004 18:00:59 -0000 1.39
+++ printers.h 4 Oct 2004 20:19:17 -0000
@@ -126,6 +126,9 @@
cups_ptype_t *dtype);
extern void WritePrintcap(void);

+extern char *cupsdSanitizeURI(const char *uri, char *buffer,

•                         int buflen);
  

  /*

  • End of "$Id: printers.h,v 1.39 2004/08/23 18:00:59 mike Exp $".

[michaelrsweet]

"str_920_933.patch":

Index: ipp.c

RCS file: /development/cvs/cups/scheduler/ipp.c,v
retrieving revision 1.233
retrieving revision 1.234
diff -u -r1.233 -r1.234
--- ipp.c 23 Aug 2004 18:36:50 -0000 1.233
+++ ipp.c 4 Oct 2004 20:23:54 -0000 1.234
@@ -1222,7 +1222,9 @@
}

 LogMessage(L_INFO, "Setting %s device-uri to \"%s\" (was \"%s\".)",

•           printer->name, attr->values[0].string.text, printer->device_uri);
  

•           printer->name,
  

•      cupsdSanitizeURI(attr->values[0].string.text, line, sizeof(line)),
  

•      cupsdSanitizeURI(printer->device_uri, resource, sizeof(resource)));
  

  SetString(&printer->device_uri, attr->values[0].string.text);
  }

  Index: job.c

  RCS file: /development/cvs/cups/scheduler/job.c,v
  retrieving revision 1.231
  retrieving revision 1.233
  diff -u -r1.231 -r1.233
  --- job.c 4 Oct 2004 19:40:35 -0000 1.231
  +++ job.c 8 Oct 2004 20:18:02 -0000 1.233
  @@ -1202,6 +1202,7 @@
  classification[1024], /* CLASSIFICATION environment variable /
  content_type[1024], / CONTENT_TYPE environment variable /
  device_uri[1024], / DEVICE_URI environment variable */

•   sani_uri[1024],     /\* Sanitized DEVICE_URI env var _/
  ppd[1024],      /_ PPD environment variable _/
  class_name[255],    /_ CLASS environment variable _/
  printer_name[255],  /_ PRINTER environment variable */
  

  @@ -1695,6 +1696,7 @@
  current->filetypes[current->current_file]->super,
  current->filetypes[current->current_file]->type);
  snprintf(device_uri, sizeof(device_uri), "DEVICE_URI=%s", printer->device_uri);

• cupsdSanitizeURI(printer->device_uri, sani_uri, sizeof(sani_uri));
  snprintf(ppd, sizeof(ppd), "PPD=%s/ppd/%s.ppd", ServerRoot, printer->name);
  snprintf(printer_name, sizeof(printer_name), "PRINTER=%s", printer->name);
  snprintf(cache, sizeof(cache), "RIP_MAX_CACHE=%s", RIPCache);
  @@ -1803,7 +1805,10 @@
  envp[envc] = NULL;

for (i = 0; i < envc; i ++)

• LogMessage(L_DEBUG, "StartJob: envp[%d]="%s"", i, envp[i]);

• if (strncmp(envp[i], "DEVICE_URI=", 11))

•  LogMessage(L_DEBUG, "StartJob: envp[%d]=\"%s\"", i, envp[i]);
  

• else

•  LogMessage(L_DEBUG, "StartJob: envp[%d]=\"DEVICE_URI=%s\"", i, sani_uri);
  

  current->current_file ++;

@@ -2013,7 +2018,7 @@
LogMessage(L_DEBUG, "StartJob: %s\n", processPath);
#endif /* APPLE */

• argv[0] = printer->device_uri;
• argv[0] = sani_uri;

filterfds[slot][0] = -1;
filterfds[slot][1] = open("/dev/null", O_WRONLY);

Index: printers.c

RCS file: /development/cvs/cups/scheduler/printers.c,v
retrieving revision 1.164
retrieving revision 1.165
diff -u -r1.164 -r1.165
--- printers.c 4 Oct 2004 19:40:35 -0000 1.164
+++ printers.c 4 Oct 2004 20:23:54 -0000 1.165
@@ -43,6 +43,7 @@

• ValidateDest() - Validate a printer/class destination.
• WritePrintcap() - Write a pseudo-printcap file for older

•                        applications that need it...
  

• * cupsdSanitizeURI() - Sanitize a device URI...
  • write_irix_config() - Update the config files used by the IRIX

  •                        desktop tools.
    

  • write_irix_state() - Update the status files used by IRIX printing
    @@ -1150,11 +1151,7 @@
    SetPrinterAttrs(printer_t p) / I - Printer to setup /
    {
    char uri[HTTP_MAX_URI]; / URI for printer */
• char method[HTTP_MAX_URI], /* Method portion of URI */

•   username[HTTP_MAX_URI], /\* Username portion of URI */
  

•   host[HTTP_MAX_URI], /\* Host portion of URI */
  

•   resource[HTTP_MAX_URI]; /\* Resource portion of URI */
  

• int port; /* Port portion of URI */
• char resource[HTTP_MAX_URI]; /* Resource portion of URI /
  int i; / Looping var /
  char filename[1024]; / Name of PPD file /
  int num_media; / Number of media options */
  @@ -1360,12 +1357,7 @@
  * http://..., ipp://..., etc.
  */

•    httpSeparate(p->device_uri, method, username, host, &port, resource);
  

• if (port)

• snprintf(uri, sizeof(uri), "%s://%s:%d%s", method, host, port,
  

•          resource);
  

• else

• snprintf(uri, sizeof(uri), "%s://%s%s", method, host, resource);
  

•    cupsdSanitizeURI(p->device_uri, uri, sizeof(uri));
  

  }
  else
  {
  @@ -2175,6 +2167,74 @@
  }

+/*

• * 'cupsdSanitizeURI()' - Sanitize a device URI...
• /
  +
  +char * / O - New device URI /
  +cupsdSanitizeURI(const char *uri, / I - Original device URI */

•             char       _buffer,   /_ O - New device URI */
  

•             int        buflen)    /\* I - Size of new device URI buffer */
  

  +{
• char start, / Start of data after scheme */
• slash, / First slash after scheme:// */
• ptr; / Pointer into user@host:port part */

• /*
• * Range check input...
• */

• if (!uri || !buffer || buflen < 2)
• return (NULL);

• /*
• * Copy the device URI to the new buffer...
• */

• strlcpy(buffer, uri, buflen);

• /*
• * Find the end of the scheme:// part...
• */

• if ((ptr = strchr(buffer, ':')) == NULL)
• return (buffer); /* No scheme: part... */

• for (start = ptr + 1; *start; start ++)
• if (*start != '/')

•  break;
  
• /*
• * Find the next slash (/) in the URI...
• */

• if ((slash = strchr(start, '/')) == NULL)
• slash = start + strlen(start); /* No slash, point to the end */

• /*
• * Check for an @ sign before the slash...
• */

• if ((ptr = strchr(start, '@')) != NULL && ptr < slash)
• {
• /*
• * Found an @ sign and it is before the resource part, so we have
• * an authentication string. Copy the remaining URI over the
• * authentication string...
• */

• cups_strcpy(start, ptr + 1);
• }

• /*
• * Return the new device URI...
• */

• return (buffer);
  +}

#ifdef __sgi
/*

• 'write_irix_config()' - Update the config files used by the IRIX
  Index: printers.h

  RCS file: /development/cvs/cups/scheduler/printers.h,v
  retrieving revision 1.39
  retrieving revision 1.40
  diff -u -r1.39 -r1.40
  --- printers.h 23 Aug 2004 18:00:59 -0000 1.39
  +++ printers.h 4 Oct 2004 20:23:54 -0000 1.40
  @@ -126,7 +126,10 @@
  cups_ptype_t *dtype);
  extern void WritePrintcap(void);

+extern char *cupsdSanitizeURI(const char *uri, char *buffer,

•                         int buflen);
  

  /*

  • End of "$Id: printers.h,v 1.39 2004/08/23 18:00:59 mike Exp $".
    */
    */