Updated cupsFileGetConf and cupsFilePutConf to escape more characters.

Author: michaelrsweet

CHANGES.md

@@ -8,6 +8,7 @@ v3.0.1 - YYYY-MM-DD
   embedded platforms (Issue #141)
 - Updated `httpAddrLookup` to return a numeric address when the resolver
   returns "localhost" for a non-loopback address.
+- Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters.
 - Fixed a bug when the `ippFindXxx` and `ippSetXxx` functions were mixed
   (Issue #138)
 

cups/file.c

@@ -6,7 +6,7 @@
 // our own file functions allows us to provide transparent support of
 // different line endings, gzip'd print files, etc.
 //
-// Copyright © 2021-2025 by OpenPrinting.
+// Copyright © 2021-2026 by OpenPrinting.
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 //
@@ -325,8 +325,7 @@ cupsFileGetConf(cups_file_t *fp,	// I  - CUPS file
 
 
   // Range check input...
-  if (!fp || (fp->mode != 'r' && fp->mode != 's') ||
-      !buf || buflen < 2 || !value)
+  if (!fp || (fp->mode != 'r' && fp->mode != 's') || !buf || buflen < 2 || !value)
   {
     if (value)
       *value = NULL;
@@ -341,31 +340,33 @@ cupsFileGetConf(cups_file_t *fp,	// I  - CUPS file
   {
     (*linenum) ++;
 
-    // Strip any comments...
-    if ((ptr = strchr(buf, '#')) != NULL)
+    // Handle escaped characters and strip any comments...
+    for (ptr = buf; *ptr; ptr ++)
     {
-      if (ptr > buf && ptr[-1] == '\\')
+      if (*ptr == '#')
       {
-        // Unquote the #...
-	_cups_strcpy(ptr - 1, ptr);
+        // Strip comment text...
+        *ptr = '\0';
+        break;
       }
-      else
+      else if (*ptr == '\\' && (ptr[1] == '\\' || ptr[1] == '#' || ptr[1] == 'n' || ptr[1] == 'r'))
       {
-        // Strip the comment and any trailing whitespace...
-	while (ptr > buf)
-	{
-	  if (!_cups_isspace(ptr[-1]))
-	    break;
-
-	  ptr --;
-	}
+	// \\, \#, \n, or \r, remove backslash and update the escaped char as needed...
+	_cups_strcpy(ptr, ptr + 1);
 
-	*ptr = '\0';
+	if (*ptr == 'n')
+	  *ptr = '\n';
+	else if (*ptr == 'r')
+	  *ptr = '\r';
       }
     }
 
     // Strip leading whitespace...
-    for (ptr = buf; _cups_isspace(*ptr); ptr ++);
+    for (ptr = buf; *ptr; ptr ++)
+    {
+      if (!_cups_isspace(*ptr))
+        break;
+    }
 
     if (ptr > buf)
       _cups_strcpy(buf, ptr);
@@ -993,43 +994,72 @@ cupsFilePutChar(cups_file_t *fp,	// I - CUPS file
 //
 // 'cupsFilePutConf()' - Write a configuration line.
 //
-// This function handles any comment escaping of the value.
+// This function handles any escaping of the value.
 //
 
 bool					// O - `true` on success, `false` on error
 cupsFilePutConf(cups_file_t *fp,	// I - CUPS file
-                const char *directive,	// I - Directive
-		const char *value)	// I - Value
+                const char  *directive,	// I - Directive
+		const char  *value)	// I - Value
 {
-  const char	*ptr;			// Pointer into value
-
-
   if (!fp || !directive || !*directive)
     return (false);
 
   if (!cupsFilePuts(fp, directive))
     return (false);
 
-  if (!cupsFilePutChar(fp, ' '))
-    return (false);
-
   if (value && *value)
   {
-    if ((ptr = strchr(value, '#')) != NULL)
+    const char	*start,			// Start of current fragment
+		*ptr;			// Pointer into value
+
+    if (!cupsFilePutChar(fp, ' '))
+      return (false);
+
+    for (start = ptr = value; *ptr; ptr ++)
     {
-      // Need to quote the first # in the info string...
-      if (!cupsFileWrite(fp, value, (size_t)(ptr - value)))
-        return (false);
+      if (strchr("#\\\n\r", *ptr) != NULL)
+      {
+        // Character that needs to be escaped...
+        if (ptr > start)
+        {
+          // Write unescaped portion...
+	  if (!cupsFileWrite(fp, start, (size_t)(ptr - start)))
+	    return (false);
+        }
 
-      if (!cupsFilePutChar(fp, '\\'))
-        return (false);
+        start = ptr + 1;
 
-      if (!cupsFilePuts(fp, ptr))
-        return (false);
+        if (*ptr == '\\')
+        {
+          // "\" (for escaping)
+          if (!cupsFilePuts(fp, "\\\\"))
+            return (false);
+        }
+        else if (*ptr == '#')
+        {
+          // "#" (for comment)
+          if (!cupsFilePuts(fp, "\\#"))
+            return (false);
+        }
+        else if (*ptr == '\n')
+        {
+          // LF
+          if (!cupsFilePuts(fp, "\\n"))
+            return (false);
+        }
+        else if (!cupsFilePuts(fp, "\\r"))
+        {
+	  return (false);
+	}
+      }
     }
-    else if (!cupsFilePuts(fp, value))
+
+    if (ptr > start)
     {
-      return (false);
+      // Write remaining unescaped portion...
+      if (!cupsFileWrite(fp, start, (size_t)(ptr - start)))
+	return (false);
     }
   }
 

cups/testfile.c

@@ -1,7 +1,7 @@
 //
 // File/directory test program for CUPS.
 //
-// Copyright © 2021-2023 by OpenPrinting.
+// Copyright © 2021-2026 by OpenPrinting.
 // Copyright © 2007-2018 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products.
 //
@@ -491,6 +491,17 @@ read_write_tests(bool compression)	// I - Use compression?
   off_t		length;			// Length of file
   static const char *partial_line = "partial line";
 					// Partial line
+  static const char * const values[] =	// cupsFileGet/PutConf values
+  {
+    "simple",
+    "'single-quoted value'",
+    "\"double-quoted value\"",
+    "value with # comment",
+    "value with \n newline",
+    "value with \r carriage return",
+    "value with \\ backslash",
+    "pathological\r\nvalue\\#with comment"
+  };
 
 
   // No errors so far...
@@ -553,6 +564,24 @@ read_write_tests(bool compression)	// I - Use compression?
       status ++;
     }
 
+    // cupsFilePutConf()
+    testBegin("cupsFilePutConf()");
+    for (i = 0; i < (int)(sizeof(values) / sizeof(values[0])); i ++)
+    {
+      if (!cupsFilePutConf(fp, "TestConf", values[i]))
+        break;
+    }
+
+    if (i >= (int)(sizeof(values) / sizeof(values[0])))
+    {
+      testEnd(true);
+    }
+    else
+    {
+      testEndMessage(false, "%s", strerror(errno));
+      status ++;
+    }
+
     // cupsFilePutChar()
     testBegin("cupsFilePutChar()");
 
@@ -607,13 +636,13 @@ read_write_tests(bool compression)	// I - Use compression?
     // cupsFileTell()
     testBegin("cupsFileTell()");
 
-    if ((length = cupsFileTell(fp)) == 81933283)
+    if ((length = cupsFileTell(fp)) == 81933542)
     {
       testEnd(true);
     }
     else
     {
-      testEndMessage(false, "" CUPS_LLFMT " instead of 81933283", CUPS_LLCAST length);
+      testEndMessage(false, "" CUPS_LLFMT " instead of 81933542", CUPS_LLCAST length);
       status ++;
     }
 
@@ -682,7 +711,7 @@ read_write_tests(bool compression)	// I - Use compression?
     // cupsFileGetConf()
     linenum = 1;
 
-    testBegin("cupsFileGetConf()");
+    testBegin("cupsFileGetConf(TestLine)");
 
     for (i = 0, value = NULL; i < 1000; i ++)
     {
@@ -709,6 +738,27 @@ read_write_tests(bool compression)	// I - Use compression?
       status ++;
     }
 
+    testBegin("cupsFileGetConf(TestConf)");
+
+    for (i = 0; i < (int)(sizeof(values) / sizeof(values[0])); i ++)
+    {
+      if (!cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))
+      {
+        testEndMessage(false, "%s", strerror(errno));
+        status ++;
+        break;
+      }
+      else if (_cups_strcasecmp(line, "TestConf") || !value || strcmp(value, values[i]))
+      {
+        testEndMessage(false, "Expected 'TestConf %s', got '%s %s'", values[i], line, value);
+        status ++;
+        break;
+      }
+    }
+
+    if (i >= (int)(sizeof(values) / sizeof(values[0])))
+      testEnd(true);
+
     // cupsFileGetChar()
     testBegin("cupsFileGetChar()");
 
@@ -788,13 +838,13 @@ read_write_tests(bool compression)	// I - Use compression?
     // cupsFileTell()
     testBegin("cupsFileTell()");
 
-    if ((length = cupsFileTell(fp)) == 81933283)
+    if ((length = cupsFileTell(fp)) == 81933542)
     {
       testEnd(true);
     }
     else
     {
-      testEndMessage(false, "" CUPS_LLFMT " instead of 81933283", CUPS_LLCAST length);
+      testEndMessage(false, "" CUPS_LLFMT " instead of 81933542", CUPS_LLCAST length);
       status ++;
     }