File ipp-additional-changes-for-the-scheduler-to-substitute-d.patch of Package cups.13211

Index: cups-1.7.5/scheduler/ipp.c
===================================================================
--- cups-1.7.5.orig/scheduler/ipp.c
+++ cups-1.7.5/scheduler/ipp.c
@@ -155,6 +155,7 @@ cupsdProcessIPPRequest(
   ipp_attribute_t	*uri = NULL;	/* Printer or job URI attribute */
   ipp_attribute_t	*username;	/* requesting-user-name attr */
   int			sub_id;		/* Subscription ID */
+  int			valid = 1;	/* Valid request? */
 
 
   cupsdLogMessage(CUPSD_LOG_DEBUG2,
@@ -393,20 +394,55 @@ cupsdProcessIPPRequest(
       else
       {
        /*
-	* OK, all the checks pass so far; make sure requesting-user-name is
-	* not "root" from a remote host...
+	* OK, all the checks pass so far; validate "requesting-user-name"
+	* attribute value...
 	*/
 
-        if ((username = ippFindAttribute(con->request, "requesting-user-name",
-	                                 IPP_TAG_NAME)) != NULL)
-	{
-	 /*
-	  * Check for root user...
-	  */
-
-	  if (!strcmp(username->values[0].string.text, "root") &&
-	      _cups_strcasecmp(con->http.hostname, "localhost") &&
-	      strcmp(con->username, "root"))
+        if ((username = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_ZERO)) != NULL)
+        {
+         /*
+          * Validate "requesting-user-name"...
+          */
+
+          if (username->group_tag != IPP_TAG_OPERATION && StrictConformance)
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute in wrong group.", IPP_STATUS_ERROR_BAD_REQUEST, con->http.hostname);
+	    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("\"requesting-user-name\" attribute in wrong group."));
+	    valid = 0;
+          }
+          else if (username->value_tag != IPP_TAG_NAME && username->value_tag != IPP_TAG_NAMELANG)
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with wrong syntax.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http.hostname);
+	    send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
+	    if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
+	      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+	    valid = 0;
+         }
+          else if (!ippValidateAttribute(username))
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with bad value.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http.hostname);
+
+            if (StrictConformance)
+            {
+             /*
+              * Throw an error...
+              */
+
+	      send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
+              if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
+                attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+	      valid = 0;
+	    }
+	    else
+	    {
+	     /*
+	      * Map bad "requesting-user-name" to 'anonymous'...
+	      */
+
+              ippSetString(con->request, &username, 0, "anonymous");
+	    }
+          }
+          else if (!strcmp(username->values[0].string.text, "root") && _cups_strcasecmp(con->http.hostname, "localhost") && strcmp(con->username, "root"))
 	  {
 	   /*
 	    * Remote unauthenticated user masquerading as local root...
@@ -426,6 +462,11 @@ cupsdProcessIPPRequest(
         * Then try processing the operation...
 	*/
 
+        if (valid)
+        {
+	 /*
+	  * Try processing the operation...
+	  */
         if (uri)
 	  cupsdLogMessage(CUPSD_LOG_DEBUG, "%s %s",
                 	  ippOpString(con->request->request.op.operation_id),
@@ -621,6 +662,7 @@ cupsdProcessIPPRequest(
 			      ippOpString(
 			          con->request->request.op.operation_id));
 	      break;
+	  }
 	}
       }
     }
@@ -1568,22 +1610,6 @@ add_job(cupsd_client_t  *con,		/* I - Cl
 
   attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
 
-  if (attr && !ippValidateAttribute(attr))
-  {
-    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
-
-    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
-      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
-
-    if (StrictConformance)
-      return (NULL);
-
-    /* Don't use invalid attribute */
-    ippDeleteAttribute(con->request, attr);
-
-    attr = ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "reqeusting-user-name", NULL, "anonymous");
-  }
-
   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
   {
     send_ipp_status(con, IPP_INTERNAL_ERROR,