Move the checks for '/' a little sooner in the code which receives files

for a remote print job. This change comes from OpenBSD (who got it from Sebastian Krahmer of SuSE). In OpenBSD this avoids a tiny theoretical security issue, but that security issue does not exist in FreeBSD's lpr due to the changes which added 'ctl_renametf()' just before 4.4-release. This change is still worth doing in our version, but it isn't fixing a security issue. MFC after: 4 days
2001-12-05 02:07:20 +00:00 · 2001-12-05 02:07:20 +00:00 · 7cf2c478e4
commit 7cf2c478e4
parent dd58224e31
1 changed files with 8 additions and 8 deletions
--- a/usr.sbin/lpr/lpd/recvjob.c
+++ b/usr.sbin/lpr/lpd/recvjob.c
@ -194,12 +194,13 @@ readjob(struct printer *pp)
 			 */
 			strlcpy(cp + 6, from_host, sizeof(line)
 			    + (size_t)(line - cp - 6));
+			if (strchr(cp, '/')) {
+				frecverr("readjob: %s: illegal path name", cp);
+				/*NOTREACHED*/
+			}
 			strlcpy(tfname, cp, sizeof(tfname));
 			tfname[sizeof (tfname) - 1] = '\0';
 			tfname[0] = 't';
-			if (strchr(tfname, '/'))
-				frecverr("readjob: %s: illegal path name",
-				    tfname);
 			if (!chksize(size)) {
 				(void) write(STDOUT_FILENO, "\2", (size_t)1);
 				continue;
@ -225,16 +226,15 @@ readjob(struct printer *pp)
 				size = size * 10 + (*cp++ - '0');
 			if (*cp++ != ' ')
 				break;
+			if (strchr(cp, '/')) {
+				frecverr("readjob: %s: illegal path name", cp);
+				/*NOTREACHED*/
+			}
 			if (!chksize(size)) {
 				(void) write(STDOUT_FILENO, "\2", (size_t)1);
 				continue;
 			}
 			strlcpy(dfname, cp, sizeof(dfname));
-			if (strchr(dfname, '/')) {
-				frecverr("readjob: %s: illegal path name",
-					dfname);
-				/*NOTREACHED*/
-			}
 			dfcnt++;
 			trstat_init(pp, dfname, dfcnt);
 			(void) readfile(pp, dfname, (size_t)size);