Don't allow resolver to return 'localhost' for a non-loopback address.

Author: michaelrsweet

CHANGES.md

@@ -90,6 +90,8 @@ v2.5b1 - YYYY-MM-DD
   supported document formats for a printer (Issue #1392)
 - Updated the scheduler to hold password/PIN jobs for 15 seconds before
   releasing to the printer (Issue #1456)
+- Updated `httpAddrLookup` to return a numeric address when the resolver
+  returns "localhost" for a non-loopback address.
 - Deprecated the "page-border" Job Template attribute (Issue #1020)
 - Removed the `cups-config` utility (use `pkg-config` instead)
 - Fixed use-after-free in `cupsdAcceptClient()` when we log warning during error

cups/http-addr.c

@@ -1,7 +1,7 @@
 //
 // HTTP address routines for CUPS.
 //
-// Copyright © 2023-2025 by OpenPrinting.
+// Copyright © 2023-2026 by OpenPrinting.
 // Copyright © 2007-2021 by Apple Inc.
 // Copyright © 1997-2006 by Easy Software Products, all rights reserved.
 //
@@ -373,7 +373,7 @@ httpAddrLookup(
 #endif // AF_LOCAL
 
   // Optimize lookups for localhost/loopback addresses...
-  if (httpAddrLocalhost(addr))
+  if (httpAddrIsLocalhost(addr))
   {
     cupsCopyString(name, "localhost", (size_t)namelen);
     return (name);
@@ -401,12 +401,12 @@ httpAddrLookup(
   //
   // FWIW, I think this is really a bug in the implementation of
   // getnameinfo(), but falling back on httpAddrString() is easy to do...
-  if ((error = getnameinfo(&addr->addr, (socklen_t)httpAddrLength(addr), name, (socklen_t)namelen, NULL, 0, 0)) != 0)
+  if ((error = getnameinfo(&addr->addr, (socklen_t)httpAddrLength(addr), name, (socklen_t)namelen, NULL, 0, 0)) != 0 || !strcasecmp(name, "localhost"))
   {
     if (error == EAI_FAIL)
       cg->need_res_init = 1;
 
-    return (httpAddrGetString(addr, name, (size_t)namelen));
+    httpAddrGetString(addr, name, (size_t)namelen);
   }
 
   DEBUG_printf("1httpAddrLookup: returning \"%s\"...", name);