<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE> LPRng-HOWTO: Defective RFC1179 Implementations</TITLE>
<LINK HREF="LPRng-HOWTO-20.html" REL=next>
<LINK HREF="LPRng-HOWTO-18.html" REL=previous>
<LINK HREF="LPRng-HOWTO.html#toc19" REL=contents>
</HEAD>
<BODY>
<A HREF="LPRng-HOWTO-20.html">Next</A>
<A HREF="LPRng-HOWTO-18.html">Previous</A>
<A HREF="LPRng-HOWTO.html#toc19">Contents</A>
<HR>
<H2><A NAME="s19">19. Defective RFC1179 Implementations</A></H2>

<P>Most printer (or print server box) manufacturers totally ignore the
details of the RFC1179 protocol and simply accept the data files for printing,
disregarding the control file <B>until they need to print a banner
or provide status information</B>.
<P>At this point,
you suddenly discover all sorts of little details
that cause horrible problems.
For example,
the use of non-ASCII characters (i.e., byte values 128-255) in the
J (job) line of a control file has been known to crash one network
interface card in such a manner that the printer has to be powered
off and on again to restart it.
<P>Also,
if you send one particular RFC1179-compatible print spooler a
control file with a character whose value is 255 (i.e. 0xFF),
the job will never get printed,
and there is a mysterious diagnostic on the console:
<BLOCKQUOTE><CODE>
<PRE>
unexpected end of input
</PRE>
</CODE></BLOCKQUOTE>
<P>This happens because the eight-bit value 0xFF is sign-extended
to the 16-bit value 0xFFFF,
which is -1, the same value that a read returns to indicate an error.
<H2><A NAME="ss19.1">19.1 OS/2 Print Spoolers</A>
</H2>

<P>For various reasons, some versions of the OS/2 <CODE>lpd</CODE>
print spooler use different formats for the control file and
data file names.
<P>In addition,
the OS/2 spooler does not follow RFC1179 correctly, and truncates
the data and job file protocol exchange.
<H2><A NAME="ss19.2">19.2 Serious Security Loophole</A>
</H2>

<P>There is a subtle and nasty problem with some print filters
that are not
<EM>meta-char-escape</EM> proof, that is, filters that let shell
meta-characters from the job options reach a shell unescaped.
For example,
suppose that a user decided to spool a job as follows:
<BLOCKQUOTE><CODE>
<PRE>
lpr '-J; rm -rf /*;' /tmp/a
</PRE>
</CODE></BLOCKQUOTE>
<P>This would create a job file with a J line that carries the shell text,
along the lines of:
<BLOCKQUOTE><CODE>
<PRE>
J `rm /etc/passwd; echo Job;`
</PRE>
</CODE></BLOCKQUOTE>
<P>The job line ends up getting passed to a print filter:
<BLOCKQUOTE><CODE>
<PRE>
pr:sd=/...
   :if=/usr/local/hack
... invoked as:
/usr/local/hack '-J; rm -rf /*;'

/usr/local/hack is:

#!/bin/sh
while [ -n "$1" ] ; do
    case "$1" in
        -J ) shift; args="$args -M$1";;
    esac;
    shift;
done;
# reformat the command line
eval /usr/local/realfilter $args
^^^^
</PRE>
</CODE></BLOCKQUOTE>
<P>The observant reader will notice that the marked <CODE>eval</CODE> line
gets expanded to the following, so the shell runs the text after the first
semicolon as a separate command with the privileges of the filter:
<BLOCKQUOTE><CODE>
<PRE>
eval /usr/local/realfilter -MJ; rm -rf /*;
</PRE>
</CODE></BLOCKQUOTE>
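<P>The wrapper above beside a hardened form, as an added example that is not part of the original HOWTO or of LPRng. Here <CODE>realfilter</CODE> is a shell function standing in for <CODE>/usr/local/realfilter</CODE>, <CODE>sanitize</CODE> and its allow-list are assumptions, and the constructed job name only creates an empty marker file:

```shell
#!/bin/sh
# Added example, not LPRng code. realfilter() is a stand-in (assumption) for
# /usr/local/realfilter: it logs each argument it receives, one per line.
realfilter() {
    for a in "$@"; do printf '%s\n' "$a" >>"$ARGLOG"; done
}

# The wrapper from the text: eval re-parses $args, so ';' ends the filter
# command and the rest of the job name runs as a second command.
unsafe_filter() {
    args=
    while [ -n "$1" ]; do
        case "$1" in
            -J) shift; args="$args -M$1" ;;
        esac
        shift
    done
    eval realfilter $args
}

# Allow-list for job names (assumed policy): every other byte, including
# shell meta-characters, control characters and values 128-255, becomes '_'.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_.,:@+ -' '_'
}

# Hardened wrapper: no eval, and the value travels as one quoted argument.
safe_filter() {
    jobname=
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -J)  shift; if [ "$#" -gt 0 ]; then jobname=$1; fi ;;
            -J*) jobname=${1#-J} ;;
        esac
        if [ "$#" -gt 0 ]; then shift; fi
    done
    realfilter "-M$(sanitize "$jobname")"
}

# Constructed demo: the injected text only creates an empty file "marker"
# inside a scratch directory. Prints "injected" or "clean", then the arguments
# that realfilter actually received.
demo() {
    work=$(mktemp -d) || return 1
    ARGLOG=$work/args; : >"$ARGLOG"
    ( cd "$work" && "$1" -J 'x; : >marker;' )
    if [ -e "$work/marker" ]; then echo injected; else echo clean; fi
    cat "$ARGLOG"; rm -rf "$work"
}
```

<P>Run <CODE>demo unsafe_filter</CODE> and <CODE>demo safe_filter</CODE> to compare: in the first the filter sees only <CODE>-Mx</CODE> and the marker file appears, in the second the whole job name arrives as a single sanitized argument.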
<HR>
<A HREF="LPRng-HOWTO-20.html">Next</A>
<A HREF="LPRng-HOWTO-18.html">Previous</A>
<A HREF="LPRng-HOWTO.html#toc19">Contents</A>
</BODY>
</HTML>