Robert Marcano via devel wrote: > The admin can implement CUPS > authentication but an ipp://localhost:60000 open port entirely open to > anyone on the local machine to submit print jobs directly bypassing CUPS.
In that case it's also accessible to all the untrusted Javascript junk that regularly runs in the user's browser. Because IPP is built on HTTP, a Javascript program can tell the browser to send an IPP request. What has been done to secure those "virtual printer devices" against DNS rebinding attacks? https://en.wikipedia.org/wiki/DNS_rebinding Considering the attitude to security I've seen from CUPS before, I won't be surprised if they just assume that someone else will protect them from DNS rebinding attacks. Björn Persson
pgpUOI2iQT6TU.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
