|
 |
c5086f |
diff -up cups-1.6.3/scheduler/client.c.CVE-2014-5029-5030-5031 cups-1.6.3/scheduler/client.c
|
|
|
c5086f |
--- cups-1.6.3/scheduler/client.c.CVE-2014-5029-5030-5031 2014-09-02 11:42:02.465900694 +0100
|
|
|
c5086f |
+++ cups-1.6.3/scheduler/client.c 2014-09-02 11:42:44.383119863 +0100
|
|
|
c5086f |
@@ -3180,7 +3180,7 @@ get_file(cupsd_client_t *con, /* I - C
|
|
|
c5086f |
* then fallback to the default one...
|
|
|
c5086f |
*/
|
|
|
c5086f |
|
|
|
c5086f |
- if ((status = stat(filename, filestats)) != 0 && language[0] &&
|
|
|
c5086f |
+ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
|
|
|
c5086f |
strncmp(con->uri, "/icons/", 7) &&
|
|
|
c5086f |
strncmp(con->uri, "/ppd/", 5) &&
|
|
|
c5086f |
strncmp(con->uri, "/rss/", 5) &&
|
|
|
c5086f |
@@ -3278,13 +3278,13 @@ get_file(cupsd_client_t *con, /* I - C
|
|
|
c5086f |
plen = len - (ptr - filename);
|
|
|
c5086f |
|
|
|
c5086f |
strlcpy(ptr, "index.html", plen);
|
|
|
c5086f |
- status = stat(filename, filestats);
|
|
|
c5086f |
+ status = lstat(filename, filestats);
|
|
|
c5086f |
|
|
|
c5086f |
#ifdef HAVE_JAVA
|
|
|
c5086f |
if (status)
|
|
|
c5086f |
{
|
|
|
c5086f |
strlcpy(ptr, "index.class", plen);
|
|
|
c5086f |
- status = stat(filename, filestats);
|
|
|
c5086f |
+ status = lstat(filename, filestats);
|
|
|
c5086f |
}
|
|
|
c5086f |
#endif /* HAVE_JAVA */
|
|
|
c5086f |
|
|
|
c5086f |
@@ -3292,7 +3292,7 @@ get_file(cupsd_client_t *con, /* I - C
|
|
|
c5086f |
if (status)
|
|
|
c5086f |
{
|
|
|
c5086f |
strlcpy(ptr, "index.pl", plen);
|
|
|
c5086f |
- status = stat(filename, filestats);
|
|
|
c5086f |
+ status = lstat(filename, filestats);
|
|
|
c5086f |
}
|
|
|
c5086f |
#endif /* HAVE_PERL */
|
|
|
c5086f |
|
|
|
c5086f |
@@ -3300,7 +3300,7 @@ get_file(cupsd_client_t *con, /* I - C
|
|
|
c5086f |
if (status)
|
|
|
c5086f |
{
|
|
|
c5086f |
strlcpy(ptr, "index.php", plen);
|
|
|
c5086f |
- status = stat(filename, filestats);
|
|
|
c5086f |
+ status = lstat(filename, filestats);
|
|
|
c5086f |
}
|
|
|
c5086f |
#endif /* HAVE_PHP */
|
|
|
c5086f |
|
|
|
c5086f |
@@ -3308,18 +3308,39 @@ get_file(cupsd_client_t *con, /* I - C
|
|
|
c5086f |
if (status)
|
|
|
c5086f |
{
|
|
|
c5086f |
strlcpy(ptr, "index.pyc", plen);
|
|
|
c5086f |
- status = stat(filename, filestats);
|
|
|
c5086f |
+ status = lstat(filename, filestats);
|
|
|
c5086f |
}
|
|
|
c5086f |
|
|
|
c5086f |
if (status)
|
|
|
c5086f |
{
|
|
|
c5086f |
strlcpy(ptr, "index.py", plen);
|
|
|
c5086f |
- status = stat(filename, filestats);
|
|
|
c5086f |
+ status = lstat(filename, filestats);
|
|
|
c5086f |
}
|
|
|
c5086f |
#endif /* HAVE_PYTHON */
|
|
|
c5086f |
|
|
|
c5086f |
}
|
|
|
c5086f |
while (status && language[0]);
|
|
|
c5086f |
+
|
|
|
c5086f |
+ /*
|
|
|
c5086f |
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
|
|
|
c5086f |
+ */
|
|
|
c5086f |
+
|
|
|
c5086f |
+ if (!status && S_ISLNK(filestats->st_mode))
|
|
|
c5086f |
+ {
|
|
|
c5086f |
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
|
|
|
c5086f |
+ return (NULL);
|
|
|
c5086f |
+ }
|
|
|
c5086f |
+
|
|
|
c5086f |
+ /*
|
|
|
c5086f |
+ * Similarly, if the file/directory does not have world read permissions, do
|
|
|
c5086f |
+ * not allow access...
|
|
|
c5086f |
+ */
|
|
|
c5086f |
+
|
|
|
c5086f |
+ if (!status && !(filestats->st_mode & S_IROTH))
|
|
|
c5086f |
+ {
|
|
|
c5086f |
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
|
|
|
c5086f |
+ return (NULL);
|
|
|
c5086f |
+ }
|
|
|
c5086f |
}
|
|
|
c5086f |
|
|
|
c5086f |
cupsdLogMessage(CUPSD_LOG_DEBUG2,
|