Add path restriction to cupsPreFilter
Issue description: As explained in https://crbug.com/884511 it is possible to exploit cupsPreFilter to execute arbitrary binaries. Add path restriction code to cupstestppd to make cupsPreFilter more restrictive.
,
Sep 18
is this just a dupe of issue 884884 ?
,
Sep 18
Oh sorry I didn't notice that one, I don't think I have access to view it
,
Sep 19
Added you on the other bug - please mark duplicate if appropriate.
,
Sep 19
Let's keep this bug for the immediate chain-breaking fix (like with the attached patch) and issue 884884 for the long-term fix.
,
Sep 21
CL is in flight.
,
Sep 21
We can actually Blacklist cupsPreFilter completely. The PPDs we're using don't use it at all.
,
Sep 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/cups/+/6c955eeada8b9bde9adfe5729bb792781f904634

commit 6c955eeada8b9bde9adfe5729bb792781f904634
Author: David Valleau <valleau@chromium.org>
Date: Fri Sep 21 20:34:11 2018

cupstestppd: adding path restriction for cupsPreFilter

This patch should prevent users from being able to add PPDs which define a cupsPreFilter which includes any path information. Any printers which had already been configured using such a PPD should fail when attempting to create a new print job.

BUG= chromium:885296
TEST=Tested manually on chromebook

Change-Id: I0f454401cfb58bc2e390debe959675c18aa29277
Reviewed-on: https://chromium-review.googlesource.com/1231983
Commit-Ready: David Valleau <valleau@chromium.org>
Tested-by: David Valleau <valleau@chromium.org>
Reviewed-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[modify] https://crrev.com/6c955eeada8b9bde9adfe5729bb792781f904634/systemv/cupstestppd.c
,
Sep 24
It looks like David is trying to merge this to M-69 and M-70. But isn't M-69 finished? Anyway, requesting approval, since he's trying to get code reviews for it.
,
Sep 24
This bug requires manual review: M70 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 24
If it's not possible to merge this change into m69 then I'll just cherry-pick our changes back to m70. I only tried to merge into m69 since all of the bugs were labeled with Target-69.
,
Sep 25
Merge approved, M70... per chat with geohsu@. Once verified, I'll approve for M69.
,
Oct 1
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2
We are running out of time to have this included in M69. What is the latest on this in M70? Is M69 still a consideration?
,
Oct 3
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/cups/+/c6a0fea051ac1488f5ce3373e35007ac166cf8e8

commit c6a0fea051ac1488f5ce3373e35007ac166cf8e8
Author: David Valleau <valleau@chromium.org>
Date: Wed Sep 26 13:09:58 2018

cupstestppd: adding path restriction for cupsPreFilter

This patch should prevent users from being able to add PPDs which define a cupsPreFilter which includes any path information. Any printers which had already been configured using such a PPD should fail when attempting to create a new print job.

BUG= chromium:885296
TEST=Tested manually on chromebook

Change-Id: I0f454401cfb58bc2e390debe959675c18aa29277
Reviewed-on: https://chromium-review.googlesource.com/1231983
Commit-Ready: David Valleau <valleau@chromium.org>
Tested-by: David Valleau <valleau@chromium.org>
Reviewed-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
(cherry picked from commit 6c955eeada8b9bde9adfe5729bb792781f904634)

[modify] https://crrev.com/c6a0fea051ac1488f5ce3373e35007ac166cf8e8/systemv/cupstestppd.c
,
Oct 3
As of today the change to add path restriction has landed in M70. I have another change currently in flight for M69 (http://crrev.com/c/1240211) which I have tested on my device and verified that it works correctly.
,
Oct 4
M69 went to stable 3 weeks ago (Sep 11). Is there going to be another push? M70 goes to stable at the end of the month. cindyb@, thoughts?
,
Oct 4
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 4
@David: you gotta s/Merge-Approved/Merge-Merged/ when you land your changes. Personally, I'd recommend just skipping M69 for all this stuff at this point. +Matthias
,
Oct 5
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/657975052a4a5527a8254aabb9b5ea1a61d05910

commit 657975052a4a5527a8254aabb9b5ea1a61d05910
Author: David Valleau <valleau@chromium.org>
Date: Fri Oct 05 22:43:56 2018

Adding checks for invalid cupsFilter and cupsPreFilter values

BUG= chromium:885296
TEST=Ran tests on chromebook

Change-Id: Iaec12aa752e8fbd342dc39801836661e5b10f4e0
Reviewed-on: https://chromium-review.googlesource.com/1260047
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: David Valleau <valleau@chromium.org>
Reviewed-by: Sean Kau <skau@chromium.org>

[modify] https://crrev.com/657975052a4a5527a8254aabb9b5ea1a61d05910/client/site_tests/platform_DebugDaemonCupsAddPrinters/platform_DebugDaemonCupsAddPrinters.py
[add] https://crrev.com/657975052a4a5527a8254aabb9b5ea1a61d05910/client/site_tests/platform_DebugDaemonCupsAddPrinters/src/InvalidCupsPreFilter.ppd.gz
[add] https://crrev.com/657975052a4a5527a8254aabb9b5ea1a61d05910/client/site_tests/platform_DebugDaemonCupsAddPrinters/src/InvalidCupsFilter.ppd.gz
[add] https://crrev.com/657975052a4a5527a8254aabb9b5ea1a61d05910/client/site_tests/platform_DebugDaemonCupsAddPrinters/src/MissingMagicNumber.ppd.gz
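Added example, not part of the thread and not the code from the CUPS or autotest changes: a minimal C check for the rule the commit messages above describe, refusing a PPD whose cupsFilter or cupsPreFilter program field contains path information. The function names, the sample PPD and the choice to treat any '/' as path information are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample PPD fragment, not taken from the bug or its test PPDs. */
static const char SAMPLE_PPD[] =
    "*PPD-Adobe: \"4.3\"\n"
    "*cupsFilter: \"application/vnd.cups-raster 100 rastertopwg\"\n"
    "*cupsPreFilter: \"application/pdf 0 /tmp/not-a-filter\"\n"
    "*cupsPreFilter: \"application/pdf 0 ../bin/tool\"\n";

/* Value layout: "source/type cost program". Returns 0 for a bare name, 1 if
 * the program field contains '/' (assumed to mean a path), -1 if unparsable. */
int filter_value_has_path(const char *value)
{
    char mime[256], program[1024];
    int cost;
    if (sscanf(value, "%255s %d %1023[^\n]", mime, &cost, program) != 3)
        return -1;
    return strchr(program, '/') != NULL;
}

/* Counts cupsFilter / cupsPreFilter lines that should be refused: path in
 * the program field, unparsable value, or an over-long line (fail closed). */
int count_rejected_filters(const char *ppd)
{
    int rejected = 0;
    while (*ppd) {
        const char *eol = strchr(ppd, '\n');
        size_t len = eol ? (size_t)(eol - ppd) : strlen(ppd);
        char line[2048], value[1536];
        if (len >= sizeof(line)) {
            rejected++;
        } else {
            memcpy(line, ppd, len);
            line[len] = '\0';
            if ((sscanf(line, "*cupsPreFilter: \"%1535[^\"]", value) == 1 ||
                 sscanf(line, "*cupsFilter: \"%1535[^\"]", value) == 1) &&
                filter_value_has_path(value) != 0)
                rejected++;
        }
        ppd = eol ? eol + 1 : ppd + len;
    }
    return rejected;
}

int main(void)
{
    printf("rejected: %d\n", count_rejected_filters(SAMPLE_PPD));
    return 0;
}
```

A bare program name is left to be resolved against the CUPS filter directory, which is why only values carrying a path are refused here.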
,
Jan 12
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by valleau@chromium.org, Sep 18