diff options
author | Garance A Drosehn <gad@FreeBSD.org> | 2001-12-05 02:07:20 +0000 |
---|---|---|
committer | Garance A Drosehn <gad@FreeBSD.org> | 2001-12-05 02:07:20 +0000 |
commit | 7cf2c478e4e39a70ca1085bda864fb6d6678fa28 (patch) | |
tree | a70cd18001a8aa7d9685cf575692001d11fb1c4a /usr.sbin/lpr | |
parent | dd58224e318f75033a37e03e68692e07b26e214c (diff) | |
download | src-7cf2c478e4e39a70ca1085bda864fb6d6678fa28.tar.gz src-7cf2c478e4e39a70ca1085bda864fb6d6678fa28.zip |
Move the checks for '/' a little sooner in the code which receives files
for a remote print job. This change comes from OpenBSD (who got it from
Sebastian Krahmer of SuSE). In OpenBSD this avoids a tiny theoretical
security issue, but that security issue does not exist in FreeBSD's lpr
due to the changes which added 'ctl_renametf()' just before 4.4-release.
This change is still worth doing in our version, but it isn't fixing a
security issue.
MFC after: 4 days
Notes
Notes:
svn path=/head/; revision=87375
Diffstat (limited to 'usr.sbin/lpr')
-rw-r--r-- | usr.sbin/lpr/lpd/recvjob.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index b69fa12f8d4e..d9f97bf51316 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -194,12 +194,13 @@ readjob(struct printer *pp) */ strlcpy(cp + 6, from_host, sizeof(line) + (size_t)(line - cp - 6)); + if (strchr(cp, '/')) { + frecverr("readjob: %s: illegal path name", cp); + /*NOTREACHED*/ + } strlcpy(tfname, cp, sizeof(tfname)); tfname[sizeof (tfname) - 1] = '\0'; tfname[0] = 't'; - if (strchr(tfname, '/')) - frecverr("readjob: %s: illegal path name", - tfname); if (!chksize(size)) { (void) write(STDOUT_FILENO, "\2", (size_t)1); continue; @@ -225,16 +226,15 @@ readjob(struct printer *pp) size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') break; + if (strchr(cp, '/')) { + frecverr("readjob: %s: illegal path name", cp); + /*NOTREACHED*/ + } if (!chksize(size)) { (void) write(STDOUT_FILENO, "\2", (size_t)1); continue; } strlcpy(dfname, cp, sizeof(dfname)); - if (strchr(dfname, '/')) { - frecverr("readjob: %s: illegal path name", - dfname); - /*NOTREACHED*/ - } dfcnt++; trstat_init(pp, dfname, dfcnt); (void) readfile(pp, dfname, (size_t)size); |