From bae50f587d4ac74ba93d8e11ee695f6d24dd8994 Mon Sep 17 00:00:00 2001 From: gad Date: Wed, 5 Dec 2001 02:07:20 +0000 Subject: Move the checks for '/' a little sooner in the code which receives files for a remote print job. This change comes from OpenBSD (who got it from Sebastian Krahmer of SuSE). In OpenBSD this avoids a tiny theoretical security issue, but that security issue does not exist in FreeBSD's lpr due to the changes which added 'ctl_renametf()' just before 4.4-release. This change is still worth doing in our version, but it isn't fixing a security issue. MFC after: 4 days --- usr.sbin/lpr/lpd/recvjob.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'usr.sbin/lpr/lpd/recvjob.c') diff --git a/usr.sbin/lpr/lpd/recvjob.c b/usr.sbin/lpr/lpd/recvjob.c index b69fa12..d9f97bf 100644 --- a/usr.sbin/lpr/lpd/recvjob.c +++ b/usr.sbin/lpr/lpd/recvjob.c @@ -194,12 +194,13 @@ readjob(struct printer *pp) */ strlcpy(cp + 6, from_host, sizeof(line) + (size_t)(line - cp - 6)); + if (strchr(cp, '/')) { + frecverr("readjob: %s: illegal path name", cp); + /*NOTREACHED*/ + } strlcpy(tfname, cp, sizeof(tfname)); tfname[sizeof (tfname) - 1] = '\0'; tfname[0] = 't'; - if (strchr(tfname, '/')) - frecverr("readjob: %s: illegal path name", - tfname); if (!chksize(size)) { (void) write(STDOUT_FILENO, "\2", (size_t)1); continue; @@ -225,16 +226,15 @@ readjob(struct printer *pp) size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') break; + if (strchr(cp, '/')) { + frecverr("readjob: %s: illegal path name", cp); + /*NOTREACHED*/ + } if (!chksize(size)) { (void) write(STDOUT_FILENO, "\2", (size_t)1); continue; } strlcpy(dfname, cp, sizeof(dfname)); - if (strchr(dfname, '/')) { - frecverr("readjob: %s: illegal path name", - dfname); - /*NOTREACHED*/ - } dfcnt++; trstat_init(pp, dfname, dfcnt); (void) readfile(pp, dfname, (size_t)size); -- cgit v1.1
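Review bot: The slash check now runs on `cp`, but the name actually used afterwards is the `strlcpy` copy in `tfname` (first hunk) and `dfname` (second hunk). Both copies ignore the return value, so an over-long name received from the remote host would be silently truncated after it has been validated. Consider rejecting truncation, e.g. `if (strlcpy(dfname, cp, sizeof(dfname)) >= sizeof(dfname)) frecverr("readjob: %s: file name too long", cp);`, and the same for `tfname`, where the following `tfname[sizeof (tfname) - 1] = '\0';` is redundant because strlcpy always NUL-terminates. A short comment above each check, such as `/* validate the name as received, before it is copied or rewritten */`, would record why the ordering matters. readjob's body extends beyond both hunks, so the buffer sizes, and whether the length is bounded elsewhere, are not visible here.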