https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c16 --- Comment #16 from Vincent Untz <vuntz@suse.com> 2012-03-27 15:14:38 UTC --- (In reply to comment #15)
Yes, my point was that the validation function (_cph_cups_is_printer_name_valid_internal() that is?) must also check for '?', '+', '&', '=' and '%' characters. Otherwise you can inject variables or HTTP request stuff into the IPP request. Just encoding it is not enough, as cups will just decode it and see '?' etc. characters as separator?
I'm sorry, I don't understand: all the '?', '+', '&', '=' and '%' characters will now be escaped in the IPP request; so I fail to see how you can inject variables or HTTP request stuff. The result is that cups will not see those characters in the IPP request, but when cups will decode the string, it will see those characters as part of the unescaped printer name (ie, the one ending in the config file). Now, if you tell me that the non-escaped printer name should not contain '?', '+', '&', '=' and '%' characters, that's something else. Right now, we accept all printable characters except whitespaces, '/' and '#'. It's trivial to change that in _cph_cups_is_printer_name_valid_internal(). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.