[poppler] pdftohtml lets you run random shell commands
Ihar `Philips` Filipau
thephilips at gmail.com
Thu Apr 19 04:51:03 PDT 2012
Found it out myself. Did RTFM so to say.
The patch with shellEscape() function is attached.
Regression tested with the following devices:
-dev jpeg (OK)
-dev png16m (OK)
-dev "'jpeg'" (OK, gs failed with "Unknown device")
-dev "\"'jpeg'\"" (OK, gs failed with "Unknown device")
-dev "png16m;rm -rf /dev" (OK, gs failed with "Unknown device", ran as
a user, so there was no danger in the rm command)
On 4/19/12, Ihar `Philips` Filipau <thephilips at gmail.com> wrote:
> Throw at me some valid values for the -dev parameter - I'm trying to
> test the shellEscape function.
> It appears that wrapping in single quotes as I thought is the way to
> go - but with a special trick on how to escape the single quote itself.
> On 4/19/12, Ihar `Philips` Filipau <thephilips at gmail.com> wrote:
>> On 4/19/12, Albert Astals Cid <aacid at kde.org> wrote:
>>> --- On Thu, 19/4/12, Ihar `Philips` Filipau <thephilips at gmail.com>
>>> And now realize the pdftohtml can be called from a webservice.
Don't walk behind me, I may not lead.
Don't walk in front of me, I may not follow.
Just walk beside me and be my friend.
-- Albert Camus (attributed to)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1711 bytes
Desc: not available
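
The single-quote wrapping described in the message above, as an added example; it is not the scrubbed patch and not poppler's code. The names shellQuoteArg and buildGsCommand are hypothetical, and the gs command layout is an assumption.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not poppler's shellEscape): quote one argument for a
// POSIX shell. Inside single quotes nothing is special except the single
// quote itself, so each ' becomes '\'' (close quote, escaped quote, reopen).
std::string shellQuoteArg(const std::string &arg)
{
    std::string out;
    out.reserve(arg.size() + 2);
    out += '\'';
    for (char c : arg) {
        if (c == '\'')
            out += "'\\''";
        else
            out += c;
    }
    out += '\'';
    return out;
}

// Build the string a system()/popen() caller would hand to the shell.
// The gs option layout here is an assumption made for illustration.
std::string buildGsCommand(const std::string &device)
{
    return "gs -sDEVICE=" + shellQuoteArg(device) + " -dBATCH -dNOPAUSE";
}

int main()
{
    // Constructed inputs mirroring the -dev values tested in the message.
    const std::vector<std::string> devices = {
        "jpeg", "png16m", "'jpeg'", "\"'jpeg'\"", "png16m;rm -rf /dev"};
    for (const auto &d : devices)
        std::cout << buildGsCommand(d) << '\n';
    return 0;
}
```

Every value reaches gs as a single word, which is why the malformed device names end in "Unknown device" rather than a second command. Starting the child with an argv array (exec-style) instead of a shell string removes the need for quoting altogether.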