[poppler] pdftohtml lets you run random shell commands
Ihar `Philips` Filipau
thephilips at gmail.com
Thu Apr 19 09:47:53 PDT 2012
On 4/19/12, Albert Astals Cid <aacid at kde.org> wrote:
>
> So you say "NEVER EVER exposing anything to raw unfiltered user input" and
> at the same time argue we can do it and it's fine?
>
Sorry for the poor wording: front-end may not expose anything of the
back-end to raw unfiltered user input. What I wanted to say, in the
hypothetical scenario of pdftohtml running in the back-end, it will
never see any invalid device name.
But if you consider pdftohtml to be a front-end to gs, then, yes, you are right.
More information about the poppler
mailing list