source: trunk/third/lprng/doc/LPRng-HOWTO-19.html @ 13098

Revision 13098, 3.1 KB checked in by danw, 25 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r13097, which included commits to RCS files with non-trunk default branches.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE> LPRng-HOWTO: Defective RFC1179 Implementations</TITLE>
 <LINK HREF="LPRng-HOWTO-20.html" REL=next>
 <LINK HREF="LPRng-HOWTO-18.html" REL=previous>
 <LINK HREF="LPRng-HOWTO.html#toc19" REL=contents>
</HEAD>
<BODY>
<A HREF="LPRng-HOWTO-20.html">Next</A>
<A HREF="LPRng-HOWTO-18.html">Previous</A>
<A HREF="LPRng-HOWTO.html#toc19">Contents</A>
<HR>
<H2><A NAME="s19">19. Defective RFC1179 Implementations</A></H2>

<P>Most printer (or print server box) manufacturers totally ignore the
details of the RFC1179 protocol and simply accept the data files for printing,
disregarding the control file <B>until they need to print a banner
or provide status information</B>.
<P>At this point,
you suddenly discover all sorts of little details
that cause horrible problems.
For example,
the use of non-ASCII characters (i.e., byte values 128-255) in the
J (job) line of a control file has been known to crash one network
interface card in such a manner that a power-up is needed to restart
the printer.
<P>Also,
if you send one particular RFC1179 compatible print spooler a
control file with a character whose value is 255 (i.e., 0xFF),
the job will never get printed,
and there is a mysterious diagnostic on the console:
<BLOCKQUOTE><CODE>
<PRE>
unexpected end of input
</PRE>
</CODE></BLOCKQUOTE>
<P>This happens because the eight-bit value 0xFF is sign extended
to the 16-bit value 0xFFFF,
which is -1, the error indication from a read.
<H2><A NAME="ss19.1">19.1 OS/2 Print Spoolers</A>
</H2>

<P>For various reasons, some versions of the OS/2 <CODE>lpd</CODE>
print spooler use different formats for the control file
and data file names.
<P>In addition,
the OS/2 spooler does not follow RFC1179 correctly, and truncates
the data and job file protocol exchange.
<H2><A NAME="ss19.2">19.2 Serious Security Loophole</A>
</H2>

<P>There is a subtle and nasty problem with some print filters
that are not
<EM>meta-char-escape</EM> proof.
For example,
suppose that a user decided to spool a job as follows:
<BLOCKQUOTE><CODE>
<PRE>
lpr '-J; rm -rf /*;' /tmp/a
</PRE>
</CODE></BLOCKQUOTE>
<P>This would create a job file with the line:
<BLOCKQUOTE><CODE>
<PRE>
J `rm /etc/passwd; echo Job;`
</PRE>
</CODE></BLOCKQUOTE>
<P>The job line ends up getting passed to a print filter:
<BLOCKQUOTE><CODE>
<PRE>
pr:sd=/...
  :if=/usr/local/hack
    ... invoked as:
    /usr/local/hack '-J; rm -rf /*;'

/usr/local/hack is:

#!/bin/sh
while [ -n "$1" ] ; do
        case "$1" in
        -J  )  shift; args="$args -M$1";;
        esac;
        shift;
done;
# reformat the command line
eval /usr/local/realfilter $args
^^^^
</PRE>
</CODE></BLOCKQUOTE>
<P>The observant reader will notice that the <CODE>eval</CODE> line above gets expanded to:
<BLOCKQUOTE><CODE>
<PRE>
eval /usr/local/realfilter -MJ; rm -rf /*;
</PRE>
</CODE></BLOCKQUOTE>
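<P>One way to harden such a wrapper, shown as an added example (not part of the original HOWTO or of LPRng): <CODE>filter_eval</CODE> reproduces the <CODE>eval</CODE> weakness above, while <CODE>filter_safe</CODE> passes each option as a single word and strips the job name to an allowlist. The <CODE>realfilter</CODE> stand-in, the function names, the allowlist, and the assumption that <CODE>-J</CODE> arrives joined to its value (as in the invocation line above) are illustrative.

```shell
#!/bin/sh
# Added example, not LPRng code. realfilter() is a hypothetical stand-in for
# /usr/local/realfilter: it prints each argument it receives in brackets.
realfilter() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Allowlist for job names: drops shell metacharacters and, under LC_ALL=C,
# every byte in the range 128-255 as well.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._ -'
}

# Same weakness as the wrapper on the page: options are glued into one
# string and re-parsed by eval, so ';' in the job name ends the command.
filter_eval() {
    args=
    while [ $# -gt 0 ]; do
        case "$1" in
        -J*) args="$args -M${1#-J}" ;;
        esac
        shift
    done
    eval realfilter $args
}

# Hardened wrapper: each rewritten option is appended to the positional
# parameters as one word, the originals are shifted off, and eval is gone.
filter_safe() {
    n=$#
    while [ "$n" -gt 0 ]; do
        case "$1" in
        -J*) set -- "$@" "-M$(sanitize "${1#-J}")" ;;
        esac
        shift
        n=$((n - 1))
    done
    realfilter "$@"
}

# Constructed job name with a harmless payload, run through the safe path.
filter_safe '-J; echo INJECTED;'    # prints [-M echo INJECTED]
```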
<P>
<HR>
<A HREF="LPRng-HOWTO-20.html">Next</A>
<A HREF="LPRng-HOWTO-18.html">Previous</A>
<A HREF="LPRng-HOWTO.html#toc19">Contents</A>
</BODY>
</HTML>