diff options
author | gad <gad@FreeBSD.org> | 2001-12-05 02:07:20 +0000 |
---|---|---|
committer | gad <gad@FreeBSD.org> | 2001-12-05 02:07:20 +0000 |
commit | bae50f587d4ac74ba93d8e11ee695f6d24dd8994 (patch) | |
tree | a70cd18001a8aa7d9685cf575692001d11fb1c4a /usr.sbin/lpr | |
parent | f62c954d2f14b594ba21b0430f8bd3a8d0f3b9b7 (diff) | |
download | FreeBSD-src-bae50f587d4ac74ba93d8e11ee695f6d24dd8994.zip FreeBSD-src-bae50f587d4ac74ba93d8e11ee695f6d24dd8994.tar.gz |
Move the checks for '/' a little sooner in the code which receives files
for a remote print job. This change comes from OpenBSD (who got it from
Sebastian Krahmer of SuSE). In OpenBSD this avoids a tiny theoretical
security issue, but that security issue does not exist in FreeBSD's lpr
due to the changes which added 'ctl_renametf()' just before 4.4-release.
This change is still worth doing in our version, but it isn't fixing a
security issue.
MFC after: 4 days
Diffstat (limited to 'usr.sbin/lpr')
-rw-r--r-- | usr.sbin/lpr/lpd/recvjob.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index b69fa12..d9f97bf 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -194,12 +194,13 @@ readjob(struct printer *pp) */ strlcpy(cp + 6, from_host, sizeof(line) + (size_t)(line - cp - 6)); + if (strchr(cp, '/')) { + frecverr("readjob: %s: illegal path name", cp); + /*NOTREACHED*/ + } strlcpy(tfname, cp, sizeof(tfname)); tfname[sizeof (tfname) - 1] = '\0'; tfname[0] = 't'; - if (strchr(tfname, '/')) - frecverr("readjob: %s: illegal path name", - tfname); if (!chksize(size)) { (void) write(STDOUT_FILENO, "\2", (size_t)1); continue; @@ -225,16 +226,15 @@ readjob(struct printer *pp) size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') break; + if (strchr(cp, '/')) { + frecverr("readjob: %s: illegal path name", cp); + /*NOTREACHED*/ + } if (!chksize(size)) { (void) write(STDOUT_FILENO, "\2", (size_t)1); continue; } strlcpy(dfname, cp, sizeof(dfname)); - if (strchr(dfname, '/')) { - frecverr("readjob: %s: illegal path name", - dfname); - /*NOTREACHED*/ - } dfcnt++; trstat_init(pp, dfname, dfcnt); (void) readfile(pp, dfname, (size_t)size); |