[poppler] pdftohtml lets you run random shell commands

suzuki toshiya mpsuzuki at hiroshima-u.ac.jp
Wed Apr 18 16:24:47 PDT 2012

Although I'm not an experienced developer of Windows, I will check.
But my reply would be next week (because now I'm out of my office).
Anyway, I prefer the removal of Ghostscript dependency...


Albert Astals Cid wrote:
> You can do 
>  pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
> and voila, you'll get your /etc/passwd printed on screen
> Definitely not nice.
> This is because we are using plain system() to run the gs command and it's easy to inject stuff there
> The poor man's solution is trying to escape the strings but it's really impossible.
> The real solution is moving to a fork+exec solution (patch attached).
> The problem with that is that we lose support for platforms with system() and without fork+exec (Windows).
> So here comes my question, anyone with Windows experience can implement a path for my patch that works fine?
> Another solution would be just killing the gs invocation from pdftohtml since I don't really see its point.
> Comments?
> Cheers,
>   Albert