[poppler] pdftohtml lets you run random shell commands
Albert Astals Cid
aacid at kde.org
Thu May 10 13:29:43 PDT 2012
El Dijous, 19 d'abril de 2012, a les 00:48:46, Albert Astals Cid va escriure:
> You can do
> pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
> and voila, you'll get your /etc/passwd printed on screen
>
> Definitely not nice.
>
> This is because we are using plain system() to run the gs command and it's
> easy to inject stuff there
>
> The poors man solution is trying to escape the strings but it's really
> impossible.
>
> The real solution is moving to a fork+exec solution (path attached).
>
> The problem with that is that we loose support for platforms with system()
> and without fork+exec (Windows).
>
> So here comes my question, anyone with Windows experience can implement a
> path for my patch that works fine?
>
> Another solution would be just killing the gs invokation from pdftohtml
> since i don't really see it's point.
>
> Comments?
Summary:
In 0.20.0 the injection is still possible
In 0.22 I've removed the option to invoke gs altogether, so this problem gone
If anyone was using the gs invokation for something the regular splash based
code can't achieve you have around 6 months until 0.22 to fix the regression
in functionality.
Cheers,
Albert
>
> Cheers,
> Albert
More information about the poppler
mailing list