[poppler] pdftohtml lets you run random shell commands

Thu Apr 19 03:39:00 PDT 2012

On 4/19/12, Albert Astals Cid <aacid at kde.org> wrote:
> --- El jue, 19/4/12, Ihar `Philips` Filipau <thephilips at gmail.com> escribió:
>
> And now realize the pdftohtml can be called from a webservice.
>

Get real, man.

In that case, a user or a random person off a street will NEVER ever
have a possibility to supply random string to a command to be ran on
the server.

This is the same as the SQL injections and should be handled by
webservice the same way - by NEVER EVER exposing anything to raw
unfiltered user input.

>
> Now let's be serious, the world is full of people that don't have a clue,
> and those people usually copy and paste from the interwebs, now imagine that
> I run an obscure command line of pdftohtml i found in a forum that says
> it'll work better because it does magic and it ends up removing all the
> files in my home folder. I'd call that unexpected behaviour
>

There are lots of ways - and on forums the text coloring is most
popular among them - of how one can sneak a stealthy command into
something innocently looking. That's why on all *nix forums there is a
merciless ban hammer against such jokers. (I'm an old time Perl coder
and there was this period of time on Perl forums too.)

And btw, the same way, one can simply append invisible "; rm -rf *" to
the end of pdftothml invocation. And there is nothing you can do about
it.

Overall, I think you are overreacting. I'm perfectly aware of what I'm
talking about, actually developing and maintaining software running as
a back-end for a B2B webservice of sorts. (And I did develop
webservices in past too.) And I do have two suid-root tools under my
responsibility, so this problems are rather closer to me than you
think.

But then again, I said from the beginning, I do not mind the change
(esp. if it would reuse some list or even a fixed size array instead
of va_list), since it cleans up the main() of pdftohtml. If you wish I
can experiment with escaping the string too (I have some spare time
right now). Theoretically, for system() it should suffice to escape
every single quote and wrap the string in the single quotes.