Fix RSS notifier.

Author: michaelrsweet

CHANGES.md

@@ -7,6 +7,8 @@ Changes in CUPS v2.4.17 (YYYY-MM-DD)
 
 - CVE-2026-27447: The scheduler treated local user and group names as case-
   insensitive.
+- CVE-2026-NNNNN: The RSS notifier could write outside the scheduler's RSS
+  directory.
 - The scheduler followed symbolic links when cleaning out its temporary
   directory (Issue #1448)
 - Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters.

notifier/rss.c

@@ -1,11 +1,12 @@
 /*
  * RSS notifier for CUPS.
  *
- * Copyright © 2020-2024 by OpenPrinting.
- * Copyright 2007-2015 by Apple Inc.
- * Copyright 2007 by Easy Software Products.
+ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2015 by Apple Inc.
+ * Copyright © 2007 by Easy Software Products.
  *
- * Licensed under Apache License v2.0.  See the file "LICENSE" for more information.
+ * Licensed under Apache License v2.0.  See the file "LICENSE" for more
+ * information.
  */
 
 /*
@@ -80,6 +81,7 @@ main(int  argc,				/* I - Number of command-line arguments */
   http_status_t	status;			/* HTTP GET/PUT status code */
   char		filename[1024],		/* Local filename */
 		newname[1024];		/* filename.N */
+  struct stat	fileinfo;		/* Local file information */
   cups_lang_t	*language;		/* Language information */
   ipp_attribute_t *printer_up_time,	/* Timestamp on event */
 		*notify_sequence_number,/* Sequence number */
@@ -111,9 +113,9 @@ main(int  argc,				/* I - Number of command-line arguments */
 
   if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[1], scheme, sizeof(scheme),
                       username, sizeof(username), host, sizeof(host), &port,
-		      resource, sizeof(resource)) < HTTP_URI_OK)
+		      resource, sizeof(resource)) < HTTP_URI_OK || strstr(resource, "../") != NULL)
   {
-    fprintf(stderr, "ERROR: Bad RSS URI \"%s\"!\n", argv[1]);
+    fprintf(stderr, "ERROR: Bad RSS URI \"%s\".\n", argv[1]);
     return (1);
   }
 
@@ -209,6 +211,12 @@ main(int  argc,				/* I - Number of command-line arguments */
     snprintf(filename, sizeof(filename), "%s/rss%s", cachedir, resource);
     snprintf(newname, sizeof(newname), "%s.N", filename);
 
+    if (!lstat(filename, &fileinfo) && !S_ISREG(fileinfo.st_mode))
+    {
+      fprintf(stderr, "ERROR: Local RSS path \"%s\" is not a file.\n", filename);
+      return (1);
+    }
+
     httpAssembleURIf(HTTP_URI_CODING_ALL, baseurl, sizeof(baseurl), "http",
                      NULL, server_name, atoi(server_port), "/rss%s", resource);
   }

scheduler/ipp.c

@@ -1,7 +1,7 @@
 /*
  * IPP routines for the CUPS scheduler.
  *
- * Copyright © 2020-2025 by OpenPrinting
+ * Copyright © 2020-2026 by OpenPrinting
  * Copyright © 2007-2021 by Apple Inc.
  * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
  *
@@ -1997,6 +1997,12 @@ add_job_subscriptions(
 	                "notify-status-code", IPP_ATTRIBUTES);
 	  return;
 	}
+	else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
+	{
+          send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
+	  ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
+	  return;
+	}
       }
       else if (!strcmp(attr->name, "notify-pull-method") &&
                attr->value_tag == IPP_TAG_KEYWORD)
@@ -6067,6 +6073,12 @@ create_subscriptions(
 	                "notify-status-code", IPP_ATTRIBUTES);
 	  return;
 	}
+	else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
+	{
+	  send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
+	  ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
+	  return;
+	}
       }
       else if (!strcmp(attr->name, "notify-pull-method") &&
                attr->value_tag == IPP_TAG_KEYWORD)