-
Notifications
You must be signed in to change notification settings - Fork 456
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication problem in libcups functions used by pycups #5288
Comments
@jpl166 I'm not aware of any specific changes in this area between 2.2.3 and 2.2.6... Can you reproduce this with a C program and not the pycups API? |
I'm a sysadmin, not a programmer. I wouldn't know where to begin. I know enough about how things work to read the code and make some sense of it, but not enough to functionally write my own, unfortunately. |
I also did open this ticket with the pycups folks as well as here, because it's certainly possible that they're mangling the http_t struct contents between consecutive calls from Python - there's plenty of room in what the Python is doing that I have little or no visibility into. But presuming that they're calling with the same, unaltered contents of that one variable, it seems like something isn't handing the "No, you aren't authorized, gimme a username and password" challenge correctly. And that seems to be in libcups. I think. I wish I could send you the network trace contents, it's really obvious that the two consecutive IPP calls are different in what they're sending for authentication... but that would involve giving you the base64 encoded username and password functionally in plaintext. |
Hi Mike, |
cupsEnumDests uses the cupsServer setting to determine which server to use, so it should just work. That said, I think we can use a more efficient path (call cupsGetNamedDest instead of cupsEnumDests) for the legacy print APIs - that will use the supplied http_t * and only use cupsEnumDests if the queue does not already exist and the server is local. |
Hmm... when I find definition cupsEnumDests(), I see it calls internal function cups_enum_dests() with parameter CUPS_HTTP_DEFAULT, which is preproccesor's define set to (http_t *)0. |
@zdohnal That's why I'm suggesting that I change the legacy print APIs to use cupsGetNamedDest so that the http_t * is used. |
I wish I'd kept the copy of the debug logs from when I was nailing this down. These are all production servers on my part, it's going to take a bit of doing. |
Well, I'm going to close this as fixed - please let me know if you find out otherwise... |
Hi Mike, |
FYI: Excerpts from the customer issue:
The customer also reported that |
We have two environments, one which works, one which does not. We're authenticating everything about printing using CUPS 2.2.3 or 2.2.6, and using pycups 1.9.73 to drive. The system works using CUPS 2.2.3 but not 2.2.6.
Digging through the network trace, when we issue a getPrinters in pycups, which calls cupsDoRequest under the covers, I see it pass "Authorization: Basic username:password" (base64 encoded, of course) and the printer list comes back. Then the test script does a printFile, which calls cupsPrintFile2, sending it the same http connection struct, and what goes out on the wire is "Authorization: Basic username:" with no password. This obviously fails hard, since we're requiring valid authentication.
Both servers are FreeBSD 11.1.
We've put in place a bit of a hack workaround by blocking most access to the 2.2.6 server and running without authentication, which works fine. It's not really acceptable in our environment long-term, though.
Our test script:
import cups
cups.setServer("server name")
cups.setEncryption(3)
cups.setPort(631)
def tom(p):
return "password"
cups.setUser("user")
cups.setPasswordCB(tom)
c = cups.Connection()
c.getPrinters()
c.printFile('PRINTER','FILE',"Tom Test",{'document-format':'application/vnd.cups-raw'})
The text was updated successfully, but these errors were encountered: