File netatalk.papd.quote-vars.fixed.patch of Package netatalk

quote chars correctly
---
 etc/papd/lp.c |  214 ++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 127 insertions(+), 87 deletions(-)

--- a/etc/papd/lp.c
+++ b/etc/papd/lp.c
@@ -211,99 +211,137 @@ static void lp_setup_comments (charset_t
 }
 
 #define is_var(a, b) (strncmp((a), (b), 2) == 0)
+enum quote_state {
+	NONE,
+	QUOTEDBL,
+	APOSTROPHE,
+};
 
-static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
+static size_t quote_var(char *dest, size_t destlen, enum quote_state qs, const char *untrusted)
 {
-size_t used = 0;
+	char c = 0;
+	size_t len = 0;
 
-    while (len && used < bsize ) {
-        switch (*src) {
-          case '$':
-          case '\\':
-          case '"':
-          case '`':
-            if (used + 2 > bsize )
-              return used;
-            *dest = '\\';
-            dest++;
-            used++;
-            break;
-        }
-        *dest = *src;
-        src++;
-        dest++;
-        len--;
-        used++;
-    }
-    return used;
+	if (qs == NONE) {
+		*dest='\'';
+		dest++;
+		len++;
+		if (destlen > 1)
+			destlen--;
+	}
+	while (untrusted && (destlen - len) > 1 && (c = *untrusted)) {
+		if (c == '\'' && (qs == NONE || qs == APOSTROPHE)) {
+			/* man bash:
+			 * A single quote may not occur between single quotes,
+			 * even when preceded by a backslash.
+			 */
+			c = '_';
+		} else if (qs == QUOTEDBL) {
+			switch (c) {
+				/* subshells are escaped
+				 * no need to handle "& * # ' ; { } < >" */
+				case '"':
+				case '`':
+				case '$':
+				case '(':
+				case ')':
+				case '\\':
+				case '!':
+					*dest = '\\';
+					dest++;
+					len++;
+				default:
+					break;
+			}
+		} else if (c == '\\') {
+			*dest = '\\';
+			dest++;
+			len++;
+		}
+		*dest = c;
+		dest++;
+		len++;
+		untrusted++;
+	}
+	if (qs == NONE) {
+		*dest='\'';
+		dest++;
+		len++;
+	}
+	return len;
 }
 
-
-static char* pipexlate(char *src)
+static char *pipexlate(char *src)
 {
-    char *p, *q, *dest; 
-    static char destbuf[MAXPATHLEN +1];
-    size_t destlen = MAXPATHLEN;
-    int len = 0;
-   
-    dest = destbuf; 
-
-    if (!src)
-	return NULL;
-
-    memset(dest, 0, MAXPATHLEN +1);
-    if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
-        strncpy(dest, src, MAXPATHLEN);
-        return destbuf;
-    }
-    /* first part of the path. copy and forward to the next variable. */
-    len = MIN((size_t)(p - src), destlen);
-    if (len > 0) {
-        strncpy(dest, src, len);
-        destlen -= len;
-        dest += len;
-    }
-
-    while (p && destlen > 0) {
-        /* now figure out what the variable is */
-        q = NULL;
-        if (is_var(p, "%U")) {
-	    q = lp.lp_person;
-        } else if (is_var(p, "%C") || is_var(p, "%J") ) {
-            q = lp.lp_job;
-        } else if (is_var(p, "%F")) {
-            q =  lp.lp_created_for;
-        } else if (is_var(p, "%%")) {
-            q = "%";
-        } 
-
-        /* copy the stuff over. if we don't understand something that we
-         * should, just skip it over. */
-        if (q) {
-            len = MIN(strlen(q), destlen);
-            len = quote(dest, q, destlen, len);
-        }
-        else {
-            len = MIN(2, destlen);
-            strncpy(dest, q, len);
-        }
-        dest += len;
-        destlen -= len;
-
-        /* stuff up to next % */
-        src = p + 2;
-        p = strchr(src, '%');
-        len = p ? MIN((size_t)(p - src), destlen) : destlen;
-        if (len > 0) {
-            strncpy(dest, src, len);
-            dest += len;
-            destlen -= len;
-        }
-    }
-    return destbuf;
+	char *dest, *p;
+	char c, *untrusted;
+	static char destbuf[MAXPATHLEN];
+	size_t destlen, vlen;
+	enum quote_state qs;
+
+	if (!src)
+		return NULL;
+
+	p = src;
+	dest = destbuf;
+	destlen = sizeof(destbuf) - 1;
+	qs = NONE;
+
+	while (destlen && (c = *src)) {
+		untrusted = NULL;
+		if (c == '%') {
+			switch (src[1]) {
+				/* %U */
+				case 'U':
+					untrusted = lp.lp_person;
+					break;
+				/* %C/%J */
+				case 'C':
+				case 'J':
+					untrusted = lp.lp_job;
+					break;
+				/* %F */
+				case 'F':
+					untrusted =  lp.lp_created_for;
+					break;
+				/* %% */
+				case '%':
+					src++; /* forward to the % and continue copying */
+				/* Unhandled variable, just copy */
+				default:
+				break;
+			}
+		}
+		/* expand variables */
+		if (untrusted) {
+			vlen = quote_var(dest, destlen, qs, untrusted);
+			src += 2;
+			dest += vlen;
+			destlen -= vlen;
+			continue;
+		}
+		if (c == '\'') {
+			if (qs == NONE) {
+				qs = APOSTROPHE;
+			} else if (qs == APOSTROPHE) {
+				qs = NONE;
+			}
+		} else if (c == '"') {
+			if (qs == NONE) {
+				qs = QUOTEDBL;
+			} else if (qs == QUOTEDBL) {
+				qs = NONE;
+			}
+		}
+		*dest = c;
+		src++;
+		dest++;
+		destlen--;
+	}
+	*dest = '\0';
+	return destbuf;
 }
 
-
 void lp_person( person )
     char	*person;
 {
@@ -570,6 +608,7 @@ int lp_open( out, sat )
     }
 
     if ( lp.lp_flags & LP_PIPE ) {
+        char *pipe_cmd;
 
 	/* go right to program */
 	if (lp.lp_person != NULL) {
@@ -583,12 +622,13 @@ int lp_open( out, sat )
 	}
 
 	lp_setup_comments(CH_UNIX);
-	if (( lp.lp_stream = popen( pipexlate(printer->p_printer), "w" )) == NULL ) {
+	pipe_cmd = pipexlate(printer->p_printer);
+	if ((lp.lp_stream = popen(pipe_cmd, "w")) == NULL) {
 	    LOG(log_error, logtype_papd, "lp_open popen %s: %m", printer->p_printer );
 	    spoolerror( out, NULL );
 	    return( -1 );
 	}
-        LOG(log_debug, logtype_papd, "lp_open: opened %s",  pipexlate(printer->p_printer) );
+        LOG(log_debug, logtype_papd, "lp_open: opened %s", pipe_cmd);
     } else {
 	sprintf( name, "df%c%03d%s", lp.lp_letter++, lp.lp_seq, hostname );