[poppler] pdftohtml lets you run random shell commands
suzuki toshiya
mpsuzuki at hiroshima-u.ac.jp
Wed Apr 18 16:24:47 PDT 2012
Although I'm not an experienced developer of Windows, I will check. But my reply would be next week (because now I'm out of my office).
Anyway, I prefer the removal of the Ghostscript dependency...
Regards,
mpsuzuki
Albert Astals Cid wrote:
> You can do
> pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
> and voila, you'll get your /etc/passwd printed on screen
>
> Definitely not nice.
>
> This is because we are using plain system() to run the gs command and it's easy to inject stuff there.
>
> The poor man's solution is trying to escape the strings, but it's really impossible.
>
> The real solution is moving to a fork+exec solution (patch attached).
>
> The problem with that is that we lose support for platforms with system() and without fork+exec (Windows).
>
> So here comes my question, anyone with Windows experience can implement a path for my patch that works fine?
>
> Another solution would be just killing the gs invocation from pdftohtml since I don't really see its point.
>
> Comments?
>
> Cheers,
> Albert
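The system() versus fork+exec distinction in Albert's message, as an added example that is not part of the original thread or of poppler's code. It substitutes echo for gs so it runs offline, and the -dev payload is a constructed one that uses "echo INJECTED" in place of "cat /etc/passwd"; the function names run_via_shell, run_via_argv, count_lines and injected are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not poppler code.  "echo" stands in for the gs binary so
 * this runs offline: echo prints the argv it receives, which shows whether
 * the -dev value was split by a shell or arrived as one argument. */

/* Constructed attacker-controlled -dev value, modelled on the one in the
 * mail but with "echo INJECTED" in place of "cat /etc/passwd". */
static const char *const EVIL_DEV = "jpeg /dev/null;echo INJECTED;#";

/* Read everything the child writes into buf; returns the byte count. */
static size_t slurp(int fd, char *buf, size_t len) {
    size_t n = 0;
    ssize_t r;
    while (n + 1 < len && (r = read(fd, buf + n, len - n - 1)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    return n;
}

/* Vulnerable pattern: paste the device string into one command line and
 * hand it to the shell.  popen() runs it through "sh -c" exactly as
 * system() does; popen is used here only so the output can be captured. */
size_t run_via_shell(const char *dev, char *out, size_t len) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo -sDEVICE=%s", dev);
    FILE *p = popen(cmd, "r");
    if (!p) { out[0] = '\0'; return 0; }
    size_t n = slurp(fileno(p), out, len);
    pclose(p);
    return n;
}

/* Fixed pattern: fork + exec with an argv vector.  No shell parses the
 * device string; it reaches the child as a single argv element, so ';'
 * and '#' are just characters in that argument. */
size_t run_via_argv(const char *dev, char *out, size_t len) {
    char devarg[512];
    snprintf(devarg, sizeof devarg, "-sDEVICE=%s", dev);
    char *const argv[] = { (char *)"echo", devarg, NULL };
    int fds[2];
    out[0] = '\0';
    if (pipe(fds) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                     /* only reached if exec failed */
    }
    close(fds[1]);
    size_t n = slurp(fds[0], out, len);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n;
}

/* One output line means the argument arrived intact; two means the shell
 * split the string and ran the injected command as well. */
int count_lines(const char *s) {
    int n = 0;
    for (; *s; s++)
        if (*s == '\n') n++;
    return n;
}

/* True if "INJECTED" appears as a line of its own, i.e. the second command
 * actually executed (the payload text echoed back verbatim does not count). */
int injected(const char *out) {
    return strncmp(out, "INJECTED\n", 9) == 0 || strstr(out, "\nINJECTED\n") != NULL;
}

int main(void) {
    char out[1024];
    run_via_shell(EVIL_DEV, out, sizeof out);
    printf("shell: %d line(s), injected=%d\n%s", count_lines(out), injected(out), out);
    run_via_argv(EVIL_DEV, out, sizeof out);
    printf("argv:  %d line(s), injected=%d\n%s", count_lines(out), injected(out), out);
    return 0;
}
```

Build with `cc -o devinject devinject.c && ./devinject`: the shell variant prints two lines (the second being INJECTED), the argv variant prints the whole payload as one line. Note that the argv route closes only the shell-metacharacter hole; the attacker's text still reaches the child as the value of one option, so whatever the child does with an odd device name is a separate validation question.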