diff -up cups-1.6.3/scheduler/client.c.CVE-2014-2856 cups-1.6.3/scheduler/client.c
--- cups-1.6.3/scheduler/client.c.CVE-2014-2856	2014-07-25 12:11:48.054960093 +0100
+++ cups-1.6.3/scheduler/client.c	2014-07-25 12:11:27.764854789 +0100
@@ -3686,6 +3686,14 @@ is_path_absolute(const char *path)	/* I
     return (0);
 
  /*
+  * Check for "<" or quotes in the path and reject since this is probably
+  * someone trying to inject HTML...
+  */
+
+  if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
+    return (0);
+
+ /*
   * Check for "/.." in the path...
   */