[poppler] pdftohtml lets you run random shell commands

suzuki toshiya mpsuzuki at hiroshima-u.ac.jp
Wed Apr 18 16:37:33 PDT 2012

Ahh, indeed, I think you say that "pdftohtml is dangerous as find or xargs
commands that can invoke any other command, but these are security issue?".

Ihar `Philips` Filipau wrote:
> On 4/19/12, Albert Astals Cid <aacid at kde.org> wrote:
>> You can do
>>  pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
>> and voila, you'll get your /etc/passwd printed on screen
>> Definitely not nice.
>> This is because we are using plain system() to run the gs command and it's
>> easy to inject stuff there
> My 0.02€
> So what? User already can print /etc/passwd.
> The problem of system() call is only relevant when the command is
> installed suid-root(*). And pretty much all systems install only
> required minimum of commands as suid-root. ((*) Or user convinces
> admin to run something as root in his own terminal - but you can't
> really do anything against idiot admins.)
>> The real solution is moving to a fork+exec solution (path attached).
> You use execvp() - that doesn't improve anything: the 'p' letter in
> execvp() stands for "path resolution", meaning that user can still add
> its own wrapper for "gs" command, adjust the $PATH and circumvent
> whatever you intended to prevent with the patch.
> IOW, the exec*p*() functions are as insecure as the system() - unless
> of course you use absolute path for "gs" (what I gather would cause
> troubles for portability).
> Simpler /fix/ would be to make the programs not runnable by root -
> `geteuid() != 0`. That would also cover the case of idiot admins. :)
> Otherwise, in the patch, if one would replace the kinky va_list stuff
> with a GooList() of `char *` (iow, pack the command line onto the list
> (and add an accessor for the GooList::data)) the change would easily
> come off as a clean up. ;)
>> The problem with that is that we loose support for platforms with system()
>> and without fork+exec (Windows).
> The problem doesn't exist on Windows, since it doesn't have anything
> like suid. It's either user or Administrator(**). And if user can run
> a program as an administrator, then all bets are off. (The same case
> as an idiot *nix admin.)
> (**) Win Vista/7 have something similar, but UAC would bark at it. So
> it doesn't change the parity.
> _______________________________________________
> poppler mailing list
> poppler at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/poppler

More information about the poppler mailing list