[poppler] pdftohtml lets you run random shell commands

Fabio D'Urso fabiodurso at hotmail.it
Thu Apr 19 10:58:28 PDT 2012


On Thursday, April 19, 2012 07:03:01 PM Albert Astals Cid wrote:
> On Thursday, 19 April 2012 at 18:55:56, Ihar `Philips` Filipau wrote:
> > What about going defensive and simply rejecting any device name which
> > isn't alphanumeric? All gs device names are alphanumeric, quote from
> Problem is not only in the device name, the extension can be user injected
> too (it's 5 chars max in length but a rm fits there :D)
... and filenames too

pdftohtml file.pdf 'x"; touch hello1 #.html' -c -dev png
pdftohtml 'x"; touch hello2 #.pdf' -c -dev png

Fabio
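The fix direction discussed in this thread (reject non-alphanumeric device names, and stop handing user-controlled strings to a shell) as an added example in C. This is not poppler's code: the gs option set and the function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check for the -dev argument: gs device names are alphanumeric,
   so anything else is rejected outright instead of being escaped for a shell. */
bool is_safe_device_name(const char *dev) {
    if (dev == NULL || *dev == '\0') return false;
    for (const char *p = dev; *p; ++p) {
        bool ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                  (*p >= '0' && *p <= '9');
        if (!ok) return false;
    }
    return true;
}

/* Build a NULL-terminated argv for gs. Each user-controlled string becomes
   exactly one argument: '"', ';' or '#' in a filename is just a byte of that
   argument, because no shell ever parses this command line. The gs option set
   is an assumption, not poppler's real invocation; caller frees argv[4], argv[5], argv. */
char **build_gs_argv(const char *dev, const char *pdf, const char *out) {
    if (!is_safe_device_name(dev) || pdf == NULL || out == NULL) return NULL;
    char **argv = calloc(8, sizeof *argv);
    size_t n1 = strlen("-sDEVICE=") + strlen(dev) + 1;
    size_t n2 = strlen("-sOutputFile=") + strlen(out) + 1;
    char *devarg = malloc(n1), *outarg = malloc(n2);
    if (!argv || !devarg || !outarg) { free(argv); free(devarg); free(outarg); return NULL; }
    snprintf(devarg, n1, "-sDEVICE=%s", dev);
    snprintf(outarg, n2, "-sOutputFile=%s", out);
    argv[0] = "gs"; argv[1] = "-q"; argv[2] = "-dNOPAUSE"; argv[3] = "-dBATCH";
    argv[4] = devarg; argv[5] = outarg; argv[6] = (char *)pdf; argv[7] = NULL;
    return argv;
}

/* Run gs with fork()+execvp() instead of system(): there is no "/bin/sh -c",
   so there is nothing for a crafted filename to inject into. Returns gs's exit
   status, or -1 if the device name was rejected or the child could not be run. */
int run_gs(const char *dev, const char *pdf, const char *out) {
    char **argv = build_gs_argv(dev, pdf, out);
    if (argv == NULL) return -1;
    pid_t pid = fork();
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    free(argv[4]); free(argv[5]); free(argv);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

With this shape the two command lines above produce a PDF path and an output name that gs simply fails to open, rather than a shell that runs `touch`.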
