Blame SOURCES/cups-CVE-2014-2856.patch

c5086f
diff -up cups-1.6.3/scheduler/client.c.CVE-2014-2856 cups-1.6.3/scheduler/client.c
c5086f
--- cups-1.6.3/scheduler/client.c.CVE-2014-2856	2014-07-25 12:11:48.054960093 +0100
c5086f
+++ cups-1.6.3/scheduler/client.c	2014-07-25 12:11:27.764854789 +0100
c5086f
@@ -3686,6 +3686,14 @@ is_path_absolute(const char *path)	/* I
c5086f
     return (0);
c5086f
 
c5086f
  /*
c5086f
+  * Check for "<" or quotes in the path and reject since this is probably
c5086f
+  * someone trying to inject HTML...
c5086f
+  */
c5086f
+
c5086f
+  if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
c5086f
+    return (0);
c5086f
+
c5086f
+ /*
c5086f
   * Check for "/.." in the path...
c5086f
   */
c5086f