[poppler] pdftohtml lets you run random shell commands
Albert Astals Cid
aacid at kde.org
Wed Apr 18 15:48:46 PDT 2012
You can do
pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
and voila, you'll get your /etc/passwd printed on screen
Definitely not nice.
This is because we are using plain system() to run the gs command and it's easy to inject stuff there
The poors man solution is trying to escape the strings but it's really impossible.
The real solution is moving to a fork+exec solution (path attached).
The problem with that is that we loose support for platforms with system() and without fork+exec (Windows).
So here comes my question, anyone with Windows experience can implement a path for my patch that works fine?
Another solution would be just killing the gs invokation from pdftohtml since i don't really see it's point.
Comments?
Cheers,
Albert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: system-exec.patch
Type: text/x-patch
Size: 5696 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/poppler/attachments/20120419/7fbf11b7/attachment.bin>
More information about the poppler
mailing list