diff -up cups-1.3.7/cgi-bin/admin.c.CVE-2008-5184 cups-1.3.7/cgi-bin/admin.c --- cups-1.3.7/cgi-bin/admin.c.CVE-2008-5184 2008-02-13 01:15:29.000000000 +0000 +++ cups-1.3.7/cgi-bin/admin.c 2008-12-01 16:30:16.000000000 +0000 @@ -309,6 +309,16 @@ do_add_rss_subscription(http_t *http) /* } /* + * Make sure we have a username... + */ + + if ((user = getenv("REMOTE_USER")) == NULL) + { + puts("Status: 401\n"); + exit(0); + } + + /* * Validate the subscription name... */ @@ -352,9 +362,6 @@ do_add_rss_subscription(http_t *http) /* ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, printer_uri); - if ((user = getenv("REMOTE_USER")) == NULL) - user = "guest"; - ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, user); @@ -1269,6 +1276,16 @@ do_cancel_subscription(http_t *http)/* I } /* + * Require a username... + */ + + if ((user = getenv("REMOTE_USER")) == NULL) + { + puts("Status: 401\n"); + exit(0); + } + + /* * Cancel the subscription... */ @@ -1279,9 +1296,6 @@ do_cancel_subscription(http_t *http)/* I ippAddInteger(request, IPP_TAG_OPERATION, IPP_TAG_INTEGER, "notify-subscription-id", id); - if ((user = getenv("REMOTE_USER")) == NULL) - user = "guest"; - ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, user);