diff -Nurad netatalk-2.0.3.orig/etc/papd/lp.c netatalk-2.0.3/etc/papd/lp.c
--- netatalk-2.0.3.orig/etc/papd/lp.c 2009-01-13 12:40:35.000000000 +0100
+++ netatalk-2.0.3/etc/papd/lp.c 2009-01-13 12:41:08.000000000 +0100
@@ -212,10 +212,41 @@
 #define is_var(a, b) (strncmp((a), (b), 2) == 0)
+static size_t quote(char *dest, char *src, const size_t bsize, size_t len) {
+ size_t used = 0;
+
+ while (len && used < bsize ) {
+ switch (*src) {
+ case '$': case ' ': case '\n' : case '\r':
+ case '\\':
+ case '"':
+ case ';':
+ case '&':
+ case '(':
+ case ')':
+ case '*':
+ case '#':
+ case '`':
+ if (used + 2 > bsize )
+ return used;
+ *dest = '\\';
+ dest++;
+ used++;
+ break;
+ }
+ *dest = *src;
+ src++;
+ dest++;
+ len--;
+ used++;
+ }
+ return used;
+}
+
 static char* pipexlate(char *src) {
 char *p, *q, *dest;
- static char destbuf[MAXPATHLEN];
+ static char destbuf[MAXPATHLEN + 1];
 size_t destlen = MAXPATHLEN;
 int len = 0;
@@ -224,13 +255,16 @@
 if (!src) return NULL;
- strncpy(dest, src, MAXPATHLEN);
- if ((p = strchr(src, '%')) == NULL) /* nothing to do */
+ memset(dest, 0, sizeof(destbuf));
+ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+ strncpy(dest, src, sizeof(dest) - 1);
 return destbuf;
+ }
 /* first part of the path. just forward to the next variable. */
 len = MIN((size_t)(p - src), destlen);
 if (len > 0) {
+ strncpy(dest, src, len);
 destlen -= len;
 dest += len;
 }
@@ -246,17 +280,20 @@
 q = lp.lp_created_for;
 } else if (is_var(p, "%%")) {
 q = "%";
- } else
- q = p;
+ }
 /* copy the stuff over. if we don't understand something that we
 * should, just skip it over. */
 if (q) {
- len = MIN(p == q ? 2 : strlen(q), destlen);
+ len = MIN(strlen(q), destlen);
+ len = quote(dest, q, destlen, len);
+ }
+ else {
+ len = MIN(2, destlen);
 strncpy(dest, q, len);
- dest += len;
- destlen -= len;
 }
+ dest += len;
+ destlen -= len;
 /* stuff up to next $ */
 src = p + 2;
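Review bot: The `switch` in the new `quote()` helper (first hunk, `@@ -212,10 +212,41 @@`) is a denylist, and it leaves several shell-significant bytes unescaped, among them `|`, `<`, `>`, `'`, `~` and tab. The values passed through it in the third hunk (for example `lp.lp_created_for`) look like job-supplied strings that end up in a piped command line, although that call site is not visible here. Inverting the test so that everything outside a small safe set is escaped is more robust, for example `if (!isalnum((unsigned char)*src) && strchr("_-./", *src) == NULL)` guarding the backslash emission (this needs `<ctype.h>`). A backslash in front of `\n` is a line continuation to a shell, so that byte is dropped rather than preserved; replacing newlines and carriage returns with a space may be closer to the intent. A short header comment should also state that `quote()` does not NUL-terminate `dest` and returns the number of bytes written.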
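Review bot: In the no-`%` branch added by the second hunk (`@@ -224,13 +255,16 @@`), `sizeof(dest)` is the size of a pointer, because `dest` is declared as `char *p, *q, *dest;`. Only 3 or 7 bytes of `src` are therefore copied, and any longer command string without a `%` is silently truncated. The bound should come from the array, `strncpy(dest, src, sizeof(destbuf) - 1);`, which also matches the `memset(dest, 0, sizeof(destbuf))` just above and keeps the final NUL. Both lines assume `dest` still points at `destbuf` here; that assignment, like the rest of `pipexlate`, lies outside the hunk.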
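Review bot: The new `else` branch in the third hunk (`@@ -246,17 +280,20 @@`) is reached only when `q` is null, yet the retained context line `strncpy(dest, q, len);` still reads from `q`. Before this change the removed `else q = p;` made that copy valid; now an unrecognised `%x` sequence in the command string leads to a null-pointer read. The branch should copy the two literal characters from the source position instead: `strncpy(dest, p, len);`. This assumes `q` is reset to NULL before the `is_var` chain, which starts above the hunk. The comment "just skip it over" also no longer matches a branch that copies the sequence through, so one of the two should be adjusted.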