[poppler] pdftohtml lets you run random shell commands

Ihar `Philips` Filipau thephilips at gmail.com
Thu Apr 19 04:51:03 PDT 2012


Found it out myself. Did RTFM so to say.

The patch with shellEscape() function is attached.

Regression tested with the following devices:
-dev jpeg (OK)
-dev png16m (OK)
-dev "'jpeg'" (OK, gs failed with "Unknown device")
-dev "\"'jpeg'\"" (OK, gs failed with "Unknown device")
-dev "png16m;rm -rf /dev" (OK, gs failed with "Unknown device"; ran as
a user, so there was no danger in the rm command)

On 4/19/12, Ihar `Philips` Filipau <thephilips at gmail.com> wrote:
> Hi!
> Throw at me some valid values for the -dev parameter - I'm trying to
> test the shellEscape function.
> It appears that wrapping in single quotes, as I thought, is the way to
> go - but with a special trick on how to escape the single quote itself.
> On 4/19/12, Ihar `Philips` Filipau <thephilips at gmail.com> wrote:
>> On 4/19/12, Albert Astals Cid <aacid at kde.org> wrote:
>>> --- On Thu, 19/4/12, Ihar `Philips` Filipau <thephilips at gmail.com>
>>> wrote:
>>> And now realize the pdftohtml can be called from a webservice.

Don't walk behind me, I may not lead.
Don't walk in front of me, I may not follow.
Just walk beside me and be my friend.
    -- Albert Camus (attributed to)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdftohtml-shell-escape-gs-dev-003.diff
Type: application/octet-stream
Size: 1711 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/poppler/attachments/20120419/ddeb3f3c/attachment-0001.obj>
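As an added illustration (not the attached patch, which is not reproduced here), this is the escaping scheme the thread describes: wrap the argument in single quotes and turn each embedded single quote into '\'' so nothing inside it reaches the shell as syntax. The gs command shape in buildGsCommand is an assumption for the example, and shellUnquoteWord is a small self-check that models how sh reads the quoted word back.

```cpp
#include <cstdio>
#include <string>

// Quote one argument for a POSIX shell: wrap it in single quotes and replace
// every embedded single quote with '\'' (close, escaped quote, reopen).
// Inside single quotes the shell treats ; | & $ ` and whitespace literally.
// Illustrative reimplementation, not poppler's own code.
std::string shellEscape(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Hypothetical command shape: the -dev value comes from the caller and must
// be escaped before the line is handed to system()/popen().
std::string buildGsCommand(const std::string &dev, const std::string &input) {
    return "gs -sDEVICE=" + shellEscape(dev) + " " + shellEscape(input);
}

// Minimal model of how sh reads back one word made of single-quoted segments
// and backslash escapes; enough to round-trip shellEscape output as a check.
std::string shellUnquoteWord(const std::string &quoted) {
    std::string word;
    bool inSingle = false;
    for (size_t i = 0; i < quoted.size(); ++i) {
        char c = quoted[i];
        if (inSingle) {
            if (c == '\'') inSingle = false;
            else word += c;
        } else if (c == '\'') {
            inSingle = true;
        } else if (c == '\\' && i + 1 < quoted.size()) {
            word += quoted[++i];  // backslash escapes the next character
        } else {
            word += c;
        }
    }
    return word;
}

int main() {
    // Constructed inputs mirroring the regression list in the message.
    const char *devs[] = {"jpeg", "png16m", "'jpeg'", "\"'jpeg'\"", "png16m;rm -rf /dev"};
    for (const char *d : devs)
        std::printf("%s\n", buildGsCommand(d, "page.pdf").c_str());
    return 0;
}
```

Escaping is only needed because the command goes through a shell; handing gs an argv via exec-style calls avoids shell parsing of the device name altogether.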
