From 1216300668307015a88efc6267a521eeab51e8e8 Mon Sep 17 00:00:00 2001
From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Date: Wed, 19 Feb 2014 19:56:56 +0000
Subject: [PATCH] Protect against HTML in the URL (STR #4356)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11620 a1ca3aef-8c08-0410-bb20-df032aa958be
---
diff --git a/scheduler/client.c b/scheduler/client.c
index 23fb713..9bb2305 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -3316,6 +3316,14 @@ is_path_absolute(const char *path) /* I - Input path */
return (0);
/*
+ * Check for "<" or quotes in the path and reject since this is probably
+ * someone trying to inject HTML...
+ */
+
+ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
+ return (0);
+
+ /*
* Check for "/.." in the path...
*/
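Review bot: The new check in is_path_absolute() is a character denylist applied at path validation, so it protects the response only if every place that echoes the request path into HTML is reached through this function and the path is tested in the same form in which it is later printed; neither is visible in this hunk. Presumably the path ends up in a generated error page, in which case the durable fix is to HTML-escape it where that page is written and keep this rejection as defense in depth. It is also worth confirming that the test runs on the path after any percent-decoding rather than before. The three scans can be a single call, `if (strpbrk(path, "<\"'") != NULL)`, and the comment would be more useful if it named where the path is echoed instead of "probably someone trying to inject HTML". The body of is_path_absolute() starts and ends outside the hunk.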
--
1.9.0