Don't allow local certificates over the loopback interface, drop support for writing to plain files.

Author: michaelrsweet

cups/auth.c

@@ -1,7 +1,7 @@
 //
 // Authentication functions for CUPS.
 //
-// Copyright © 2020-2025 by OpenPrinting.
+// Copyright © 2020-2026 by OpenPrinting.
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products.
 //
@@ -707,7 +707,7 @@ cups_auth_scheme(const char *www_authenticate,	// I - Pointer into WWW-Authentic
 static bool				// O - `true` if authorized, `false` otherwise
 cups_do_local_auth(http_t *http)	// I - HTTP connection to server
 {
-#if !_WIN32 && !__EMX__
+#if !_WIN32 && !__EMX__ && defined(AF_LOCAL)
   int			pid;		// Current process ID
   FILE			*fp;		// Certificate file
   char			trc[16],	// Try Root Certificate parameter
@@ -729,7 +729,7 @@ cups_do_local_auth(http_t *http)	// I - HTTP connection to server
   DEBUG_printf("7cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"", (void *)http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname);
 
   // See if we are accessing localhost...
-  if (!httpAddrIsLocalhost(httpGetAddress(http)))
+  if (httpAddrGetFamily(httpGetAddress(http)) != AF_LOCAL)
   {
     DEBUG_puts("8cups_local_auth: Not a local connection, returning false.");
     return (false);
@@ -794,12 +794,11 @@ cups_do_local_auth(http_t *http)	// I - HTTP connection to server
   }
 #  endif // HAVE_AUTHORIZATION_H
 
-#  if defined(SO_PEERCRED) && defined(AF_LOCAL)
+#  if defined(SO_PEERCRED)
   // See if we can authenticate using the peer credentials provided over a
   // domain socket; if so, specify "PeerCred username" as the authentication
   // information...
-  if (http->hostaddr->addr.sa_family == AF_LOCAL &&
-      !getenv("GATEWAY_INTERFACE") &&	// Not via CGI programs...
+  if (!getenv("GATEWAY_INTERFACE") &&	// Not via CGI programs...
       cups_auth_find(www_auth, "PeerCred"))
   {
     // Verify that the current cupsGetUser() matches the current UID...
@@ -863,7 +862,7 @@ cups_do_local_auth(http_t *http)	// I - HTTP connection to server
       return (true);
     }
   }
-#endif // !_WIN32 && !__EMX__
+#endif // !_WIN32 && !__EMX__ && defined(AF_LOCAL)
 
   DEBUG_puts("8cups_do_local_auth: Returning false.");
 

doc/help/man-cups-files.conf.html

@@ -240,11 +240,15 @@ <h3 id="cups-files.conf-5.description.deprecated-directives">Deprecated Directiv
     <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>FileDevice Yes</strong><br>
 </p>
     <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>FileDevice No</strong><br>
+</p>
+    <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>FileDevice ^</strong><em>PATH-REGEX</em><br>
 Specifies whether the file pseudo-device can be used for new printer queues.
 The URI &quot;file:///dev/null&quot; is always allowed.
 File devices cannot be used with &quot;raw&quot; print queues - a PPD file is required.
-The specified file is overwritten for every print job.
-Writing to directories is not supported.
+The specified file must already exist and is opened for writing in exclusive mode.
+Creating new files or writing to directories is not supported.
+Specifying a value of &quot;Yes&quot; allows access to TTY devices of the form &quot;/dev/ttySOMETHING&quot;.
+Specifying a regular expression allows access to TTY devices whose paths match the specified regular expression.
 </p>
     <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>Printcap </strong><em>filename</em><br>
 Specifies a file that is filled with a list of local print queues.

man/cups-files.conf.5

@@ -1,14 +1,14 @@
 .\"
 .\" cups-files.conf man page for CUPS.
 .\"
-.\" Copyright © 2020-2025 by OpenPrinting.
+.\" Copyright © 2020-2026 by OpenPrinting.
 .\" Copyright © 2007-2019 by Apple Inc.
 .\" Copyright © 1997-2006 by Easy Software Products.
 .\"
 .\" Licensed under Apache License v2.0.  See the file "LICENSE" for more
 .\" information.
 .\"
-.TH cups-files.conf 5 "CUPS" "2025-10-08" "OpenPrinting"
+.TH cups-files.conf 5 "CUPS" "2026-03-19" "OpenPrinting"
 .SH NAME
 cups\-files.conf \- file and directory configuration file for cups
 .SH DESCRIPTION
@@ -266,11 +266,15 @@ The following directives are deprecated and will be removed from a future versio
 \fBFileDevice Yes\fR
 .TP 5
 \fBFileDevice No\fR
+.TP 5
+\fBFileDevice ^\fIPATH-REGEX\fR
 Specifies whether the file pseudo-device can be used for new printer queues.
 The URI "file:///dev/null" is always allowed.
 File devices cannot be used with "raw" print queues - a PPD file is required.
-The specified file is overwritten for every print job.
-Writing to directories is not supported.
+The specified file must already exist and is opened for writing in exclusive mode.
+Creating new files or writing to directories is not supported.
+Specifying a value of "Yes" allows access to TTY devices of the form "/dev/ttySOMETHING".
+Specifying a regular expression allows access to TTY devices whose paths match the specified regular expression.
 .\"#Printcap
 .TP 5
 \fBPrintcap \fIfilename\fR

scheduler/auth.c

@@ -382,7 +382,7 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
   }
 #ifdef HAVE_AUTHORIZATION_H
   else if (!strncmp(authorization, "AuthRef ", 8) &&
-           httpAddrLocalhost(httpGetAddress(con->http)))
+           httpAddrGetFamily(httpGetAddress(con->http)) == AF_LOCAL)
   {
     OSStatus		status;		/* Status */
     char		authdata[HTTP_MAX_VALUE];
@@ -463,7 +463,7 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
 #endif /* HAVE_AUTHORIZATION_H */
 #if defined(SO_PEERCRED) && defined(AF_LOCAL)
   else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
-           con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
+           httpAddrGetFamily(httpGetAddress(con->http)) == AF_LOCAL && con->best)
   {
    /*
     * Use peer credentials from domain socket connection...
@@ -553,7 +553,7 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
   }
 #endif /* SO_PEERCRED && AF_LOCAL */
   else if (!strncmp(authorization, "Local", 5) &&
-	   httpAddrLocalhost(httpGetAddress(con->http)))
+	   httpAddrGetFamily(httpGetAddress(con->http)) == AF_LOCAL)
   {
    /*
     * Get Local certificate authentication data...

scheduler/client.c

@@ -2194,7 +2194,7 @@ cupsdSendHeader(
       cupsCopyString(auth_str, "Negotiate", sizeof(auth_str));
     }
 
-    if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+    if (con->best && !con->is_browser && httpAddrGetFamily(httpGetAddress(con->http)) == AF_LOCAL)
     {
      /*
       * Add a "trc" (try root certification) parameter for local
@@ -2214,7 +2214,7 @@ cupsdSendHeader(
       auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str);
 
 #if defined(SO_PEERCRED) && defined(AF_LOCAL)
-      if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrGetFamily(httpGetAddress(con->http)) == AF_LOCAL)
+      if (PeerCred != CUPSD_PEERCRED_OFF)
       {
         cupsCopyString(auth_key, ", PeerCred", auth_size);
         auth_key += 10;

scheduler/conf.c

@@ -134,7 +134,6 @@ static const cupsd_var_t	cupsfiles_vars[] =
   { "DataDir",			&DataDir,		CUPSD_VARTYPE_STRING },
   { "DocumentRoot",		&DocumentRoot,		CUPSD_VARTYPE_STRING },
   { "ErrorLog",			&ErrorLog,		CUPSD_VARTYPE_STRING },
-  { "FileDevice",		&FileDevice,		CUPSD_VARTYPE_BOOLEAN },
   { "LogFilePerm",		&LogFilePerm,		CUPSD_VARTYPE_PERM },
   { "OAuthScopes",		&OAuthScopes,		CUPSD_VARTYPE_STRING },
   { "OAuthServer",		&OAuthServer,		CUPSD_VARTYPE_STRING },
@@ -574,6 +573,21 @@ cupsdReadConfiguration(void)
   old_remote_port = RemotePort;
   RemotePort      = 0;
 
+ /*
+  * FileDevice...
+  */
+
+  if (FileDevice)
+  {
+   /*
+    * Free file: device path matching regular expression...
+    */
+
+    regfree(FileDevice);
+    free(FileDevice);
+    FileDevice = NULL;
+  }
+
  /*
   * String options...
   */
@@ -741,7 +755,6 @@ cupsdReadConfiguration(void)
   JobKillDelay             = DEFAULT_TIMEOUT;
   JobRetryLimit            = 5;
   JobRetryInterval         = 300;
-  FileDevice               = FALSE;
   FilterLevel              = 0;
   FilterLimit              = 0;
   FilterNice               = 0;
@@ -3629,6 +3642,73 @@ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
     {
       FatalErrors = parse_fatal_errors(value);
     }
+    else if (!_cups_strcasecmp(line, "FileDevice") && value)
+    {
+     /*
+      * FileDevice BOOLEAN
+      * FileDevice ^PATH-REGEX
+      */
+
+      int	r;			/* Regular expression status */
+      char	rerror[1024];		/* Regular expression error */
+
+      if (FileDevice)
+      {
+       /*
+        * Free existing regular expression...
+        */
+
+	regfree(FileDevice);
+	free(FileDevice);
+	FileDevice = NULL;
+      }
+
+      if (!_cups_strcasecmp(value, "false") || !_cups_strcasecmp(value, "no") || !_cups_strcasecmp(value, "off"))
+      {
+       /*
+        * Do nothing more, no file: device support beyond /dev/null...
+        */
+
+        continue;
+      }
+      else if (!_cups_strcasecmp(value, "on") || !_cups_strcasecmp(value, "true") || !_cups_strcasecmp(value, "yes"))
+      {
+       /*
+        * Enable file: device support for /dev/ttySOMETHING...
+        */
+
+        value = "^/dev/tty[A-Za-z0-9._]+$";
+      }
+      else if (*value != '^')
+      {
+	cupsdLogMessage(CUPSD_LOG_ERROR, "Unsupported FileDevice \"%s\" on line %d of %s.", value, linenum, CupsFilesFile);
+	if (FatalErrors & CUPSD_FATAL_CONFIG)
+	  return (0);
+      }
+
+     /*
+      * Try compiling the regular expression in "value"...
+      */
+
+      if ((FileDevice = calloc(1, sizeof(regex_t))) == NULL)
+      {
+	cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create FileDevice regular expression \"%s\" on line %d of %s.", value, linenum, CupsFilesFile);
+	if (FatalErrors & CUPSD_FATAL_CONFIG)
+	  return (0);
+      }
+
+      if ((r = regcomp(FileDevice, value, REG_EXTENDED | REG_NOSUB)) != 0)
+      {
+	regerror(r, FileDevice, rerror, sizeof(rerror));
+	free(FileDevice);
+	FileDevice = NULL;
+
+	cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to compile FileDevice regular expression \"%s\" on line %d of %s: %s", value, linenum, CupsFilesFile, rerror);
+
+	if (FatalErrors & CUPSD_FATAL_CONFIG)
+	  return (0);
+      }
+    }
     else if (!_cups_strcasecmp(line, "Group") && value)
     {
      /*

scheduler/conf.h

@@ -1,7 +1,7 @@
 /*
  * Configuration file definitions for the CUPS scheduler.
  *
- * Copyright © 2020-2025 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
  * Copyright © 2007-2018 by Apple Inc.
  * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
  *
@@ -203,11 +203,11 @@ VAR int			MaxClients		VALUE(100),
 					/* Do we do reverse lookups? */
 			Timeout			VALUE(DEFAULT_TIMEOUT),
 					/* Timeout during requests */
-			KeepAlive		VALUE(TRUE),
+			KeepAlive		VALUE(TRUE);
 					/* Support the Keep-Alive option? */
-			FileDevice		VALUE(FALSE),
+VAR regex_t		*FileDevice		VALUE(NULL);
 					/* Allow file: devices? */
-			FilterLimit		VALUE(0),
+VAR int			FilterLimit		VALUE(0),
 					/* Max filter cost at any time */
 			FilterLevel		VALUE(0),
 					/* Current filter level */

scheduler/ipp.c

@@ -2291,21 +2291,32 @@ add_printer(cupsd_client_t  *con,	/* I - Client connection */
       * See if the administrator has enabled file devices...
       */
 
-      if (!FileDevice && strcmp(resource, "/dev/null"))
+      if (strcmp(resource, "/dev/null"))
       {
-       /*
-        * File devices are disabled and the URL is not file:/dev/null...
-	*/
+        if (FileDevice && regexec(FileDevice, resource, /*nmatch*/0, /*pmatch*/NULL, /*eflags*/0))
+        {
+	 /*
+	  * File devices are enabled but the path is not allowed...
+	  */
 
-	send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE,
-	                _("File device URIs have been disabled. "
-	                  "To enable, see the FileDevice directive in "
-			  "\"%s/cups-files.conf\"."),
-			ServerRoot);
-	if (!modify)
-	  cupsdDeletePrinter(printer, 0);
+	  send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("File device URI \"%s\" is not allowed."), ippGetString(attr, 0, NULL));
+	  if (!modify)
+	    cupsdDeletePrinter(printer, 0);
 
-	return;
+	  return;
+        }
+        else if (!FileDevice)
+	{
+	 /*
+	  * File devices are disabled and the URL is not file:///dev/null...
+	  */
+
+	  send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("File device URIs have been disabled. To enable, see the FileDevice directive in \"%s/cups-files.conf\"."), ServerRoot);
+	  if (!modify)
+	    cupsdDeletePrinter(printer, 0);
+
+	  return;
+	}
       }
     }
     else
@@ -5483,7 +5494,7 @@ create_local_printer(
   * Require local access to create a local printer...
   */
 
-  if (!httpAddrLocalhost(httpGetAddress(con->http)))
+  if (httpAddrGetFamily(httpGetAddress(con->http)) != AF_LOCAL)
   {
     send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
     return;
@@ -5543,9 +5554,9 @@ create_local_printer(
 
   ptr = ippGetString(device_uri, 0, NULL);
 
-  if (!ptr || !ptr[0])
+  if (!ptr || !ptr[0] || (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7)))
   {
-    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
+    send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
 
     return;
   }