[poppler] pdftohtml lets you run random shell commands

Albert Astals Cid aacid at kde.org
Wed Apr 18 15:48:46 PDT 2012


You can do 
 pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
and voila, you'll get your /etc/passwd printed on screen

Definitely not nice.

This is because we are using plain system() to run the gs command, and it's easy to inject stuff there.

The poor man's solution is trying to escape the strings, but it's really impossible.

The real solution is moving to a fork+exec solution (patch attached).

The problem with that is that we lose support for platforms with system() and without fork+exec (Windows).

So here comes my question: can anyone with Windows experience implement a path for my patch that works fine?

Another solution would be just killing the gs invocation from pdftohtml, since I don't really see its point.

Comments?

Cheers,
  Albert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: system-exec.patch
Type: text/x-patch
Size: 5696 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/poppler/attachments/20120419/7fbf11b7/attachment.bin>
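The fork+exec approach the mail proposes, as an added illustration in C (this is not the attached system-exec.patch and not poppler's own code): the user-controlled device name becomes a single argv element, so no shell ever sees it. It assumes a POSIX system; /bin/echo stands in for gs so the example runs without Ghostscript, and the -sDEVICE/-sOutputFile option names are illustrative rather than copied from pdftohtml.

```c
/* Added example, not the patch from the mail: invoke an external tool with
 * fork()+execvp() so its arguments are never parsed by /bin/sh.  Assumes a
 * POSIX system; /bin/echo stands in for gs so it runs without Ghostscript. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run argv[] in a child process, capturing its stdout into buf.
 * Returns the child's exit status, or -1 on any failure. */
int run_captured(char *const argv[], char *buf, size_t buflen) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execvp(argv[0], argv);            /* no shell involved at any point */
        _exit(127);                       /* only reached if exec failed */
    }
    close(fd[1]);                         /* parent: read until child closes */
    size_t n = 0;
    ssize_t r;
    while (n + 1 < buflen && (r = read(fd[0], buf + n, buflen - n - 1)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The pdftohtml-style call, rewritten with an argv instead of a command
 * string: the user-supplied device name becomes exactly one argument, so
 * ';', '#', spaces and quotes inside it have no special meaning.  The gs
 * option names here are illustrative (assumed), not copied from pdftohtml;
 * /bin/echo replaces gs so the call is harmless and observable. */
int run_gs_like(const char *dev, const char *in, const char *out,
                char *buf, size_t buflen) {
    char devarg[256];
    snprintf(devarg, sizeof devarg, "-sDEVICE=%s", dev);
    char outarg[512];
    snprintf(outarg, sizeof outarg, "-sOutputFile=%s", out);
    char *const argv[] = { "/bin/echo", devarg, outarg, (char *)in, NULL };
    return run_captured(argv, buf, buflen);
}
```

Feeding the mail's own device string through run_gs_like shows it arriving as one literal argument, with nothing else executed.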

