diff -up cups-1.6.3/scheduler/client.c.CVE-2014-2856 cups-1.6.3/scheduler/client.c
--- cups-1.6.3/scheduler/client.c.CVE-2014-2856 2014-07-25 12:11:48.054960093 +0100
+++ cups-1.6.3/scheduler/client.c 2014-07-25 12:11:27.764854789 +0100
@@ -3686,6 +3686,14 @@ is_path_absolute(const char *path) /* I
return (0);
/*
+ * Check for "<" or quotes in the path and reject since this is probably
+ * someone trying to inject HTML...
+ */
+
+ if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
+ return (0);
+ /*
* Check for "/.." in the path...
*/