Skip to content

Commit

Permalink
Stop accepting attributes in collections (Issue #5630)
Browse files Browse the repository at this point in the history
  • Loading branch information
michaelrsweet committed Aug 7, 2019
1 parent f79dad5 commit 5754bcc
Show file tree
Hide file tree
Showing 3 changed files with 97 additions and 4 deletions.
4 changes: 3 additions & 1 deletion CHANGES.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
CHANGES - 2.3.0 - 2019-08-01
CHANGES - 2.3.0 - 2019-08-07
============================


Expand Down Expand Up @@ -26,6 +26,8 @@ Changes in CUPS v2.3.0
to a named group (Issue #5613)
- Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
- Fixed some PPD parser issues (Issue #5623, Issue #5624)
- The IPP parser no longer allows invalid member attributes in collections
(Issue #5630)
- Fixed an issue with unsupported "sides" values in the IPP backend
(rdar://51775322)
- The scheduler would restart continuously when idle and printers were not
Expand Down
9 changes: 7 additions & 2 deletions cups/ipp.c
Original file line number Diff line number Diff line change
Expand Up @@ -3040,8 +3040,13 @@ ippReadIO(void *src, /* I - Data source */

DEBUG_printf(("2ippReadIO: name length=%d", n));

if (n == 0 && tag != IPP_TAG_MEMBERNAME &&
tag != IPP_TAG_END_COLLECTION)
if (n && parent)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Invalid named IPP attribute in collection."), 1);
DEBUG_puts("1ippReadIO: bad attribute name in collection.");
return (IPP_STATE_ERROR);
}
else if (n == 0 && tag != IPP_TAG_MEMBERNAME && tag != IPP_TAG_END_COLLECTION)
{
/*
* More values for current attribute...
Expand Down
88 changes: 87 additions & 1 deletion cups/testipp.c
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,71 @@ static ipp_uchar_t collection[] = /* Collection buffer */
0x00, 0x00, /* No name */
0x00, 0x00, /* No value */

IPP_TAG_END /* end tag */
};
static ipp_uchar_t bad_collection[] = /* Collection buffer (bad encoding) */
{
0x01, 0x01, /* IPP version */
0x00, 0x02, /* Print-Job operation */
0x00, 0x00, 0x00, 0x01,
/* Request ID */

IPP_TAG_OPERATION,

IPP_TAG_CHARSET,
0x00, 0x12, /* Name length + name */
'a','t','t','r','i','b','u','t','e','s','-',
'c','h','a','r','s','e','t',
0x00, 0x05, /* Value length + value */
'u','t','f','-','8',

IPP_TAG_LANGUAGE,
0x00, 0x1b, /* Name length + name */
'a','t','t','r','i','b','u','t','e','s','-',
'n','a','t','u','r','a','l','-','l','a','n',
'g','u','a','g','e',
0x00, 0x02, /* Value length + value */
'e','n',

IPP_TAG_URI,
0x00, 0x0b, /* Name length + name */
'p','r','i','n','t','e','r','-','u','r','i',
0x00, 0x1c, /* Value length + value */
'i','p','p',':','/','/','l','o','c','a','l',
'h','o','s','t','/','p','r','i','n','t','e',
'r','s','/','f','o','o',

IPP_TAG_JOB, /* job group tag */

IPP_TAG_BEGIN_COLLECTION,
/* begCollection tag */
0x00, 0x09, /* Name length + name */
'm', 'e', 'd', 'i', 'a', '-', 'c', 'o', 'l',
0x00, 0x00, /* No value */
IPP_TAG_BEGIN_COLLECTION,
/* begCollection tag */
0x00, 0x0a, /* Name length + name */
'm', 'e', 'd', 'i', 'a', '-', 's', 'i', 'z', 'e',
0x00, 0x00, /* No value */
IPP_TAG_INTEGER, /* integer tag */
0x00, 0x0b, /* Name length + name */
'x', '-', 'd', 'i', 'm', 'e', 'n', 's', 'i', 'o', 'n',
0x00, 0x04, /* Value length + value */
0x00, 0x00, 0x54, 0x56,
IPP_TAG_INTEGER, /* integer tag */
0x00, 0x0b, /* Name length + name */
'y', '-', 'd', 'i', 'm', 'e', 'n', 's', 'i', 'o', 'n',
0x00, 0x04, /* Value length + value */
0x00, 0x00, 0x6d, 0x24,
IPP_TAG_END_COLLECTION,
/* endCollection tag */
0x00, 0x00, /* No name */
0x00, 0x00, /* No value */
IPP_TAG_END_COLLECTION,
/* endCollection tag */
0x00, 0x00, /* No name */
0x00, 0x00, /* No value */

IPP_TAG_END /* end tag */
};

Expand Down Expand Up @@ -586,12 +651,33 @@ main(int argc, /* I - Number of command-line arguments */

ippDelete(request);

/*
* Read the bad collection data and confirm we get an error...
*/

fputs("Read Bad Collection from Memory: ", stdout);

request = ippNew();
data.rpos = 0;
data.wused = sizeof(bad_collection);
data.wsize = sizeof(bad_collection);
data.wbuffer = bad_collection;

while ((state = ippReadIO(&data, (ipp_iocb_t)read_cb, 1, NULL, request)) != IPP_STATE_DATA)
if (state == IPP_STATE_ERROR)
break;

if (state != IPP_STATE_ERROR)
puts("FAIL (read successful)");
else
puts("PASS");

/*
* Read the mixed data and confirm we converted everything to rangeOfInteger
* values...
*/

printf("Read Mixed integer/rangeOfInteger from Memory: ");
fputs("Read Mixed integer/rangeOfInteger from Memory: ", stdout);

request = ippNew();
data.rpos = 0;
Expand Down

0 comments on commit 5754bcc

Please sign in to comment.