[poppler] pdftohtml lets you run random shell commands

Albert Astals Cid aacid at kde.org
Thu Apr 19 09:29:35 PDT 2012


On Thursday, 19 April 2012, at 13:51:03, Ihar `Philips` Filipau wrote:
> Hi!
> 
> Found it out myself. Did RTFM so to say.
> 
> The patch with shellEscape() function is attached.
> 
> Regression tested with following devices:
> -dev jpeg (OK)
> -dev png16m (OK)
> -dev "'jpeg'" (OK, gs failed with "Unknown device")
> -dev "\"'jpeg'\"" (OK, gs failed with "Unknown device")
> -dev "png16m;rm -rf /dev" (OK, gs failed with "Unknown device", ran as
> a user, so there was no danger in the rm command)

Shell escaping depends on the specifics of the particular shell you are using, 
i.e. there is no way to make sure you are escaping correctly for all shells.

Using exec fixes the problem correctly since it guarantees you are only 
executing the gs binary.

Albert

> 
> On 4/19/12, Ihar `Philips` Filipau <thephilips at gmail.com> wrote:
> > Hi!
> > 
> > Throw at me some valid values for the -dev parameter - I'm trying to
> > test the shellEscape function.
> > 
> > It appears that wrapping in single quotes as I thought is the way to
> > go - but with a special trick on how to escape the single quote itself.
> > 
> > On 4/19/12, Ihar `Philips` Filipau <thephilips at gmail.com> wrote:
> >> On 4/19/12, Albert Astals Cid <aacid at kde.org> wrote:
> >>> --- On Thu, 19/4/12, Ihar `Philips` Filipau <thephilips at gmail.com>
> >>> wrote:
> >>> 
> >>> And now realize the pdftohtml can be called from a webservice.
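The difference Albert points to, shown as an added example that is neither from this thread nor from poppler's code: a system()-style command string, where the shell parses whatever the -dev value contains, beside a fork/execvp call that hands gs a fixed argv so the value reaches gs as one literal argument. The gs flags, file names and the sample device value are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define GS_ARGC 6

/* Constructed sample in the spirit of the thread's test, but harmless:
 * a shell would read the ';' as a command separator. */
static const char *SAMPLE_DEV = "png16m; echo injected";

/* system()-style construction: the device name is spliced into a shell
 * string. Returns 1 if the result carries a shell metacharacter, meaning
 * /bin/sh, not gs, would decide what the string means. */
int shell_string_is_unsafe(const char *dev) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "gs -dBATCH -dNOPAUSE -sDEVICE=%s -sOutputFile=out.png in.pdf", dev);
    return strpbrk(cmd, ";|&`$<>\"'") != NULL;
}

/* exec-style construction: each argument is one argv element, so whatever
 * bytes dev holds reach gs as a single "-sDEVICE=..." string. Returns that
 * element (static storage) so a caller can inspect it, or NULL if too long. */
const char *gs_device_argument(const char *dev) {
    static char devarg[256];
    if (snprintf(devarg, sizeof devarg, "-sDEVICE=%s", dev) >= (int)sizeof devarg) return NULL;
    return devarg;
}

/* fork + execvp with a fixed argv: no shell is involved, so a bad device
 * name only makes gs fail with "Unknown device", which is what the thread saw.
 * Returns gs's exit status, 127 if gs cannot be executed, -1 on fork failure. */
int run_gs_via_exec(const char *dev) {
    const char *devarg = gs_device_argument(dev);
    if (!devarg) return -1;
    const char *argv[GS_ARGC + 1] = { "gs", "-dBATCH", "-dNOPAUSE", devarg,
                                      "-sOutputFile=out.png", "in.pdf", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                        /* exec failed: gs not found */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("shell string unsafe for \"%s\": %d\n", SAMPLE_DEV, shell_string_is_unsafe(SAMPLE_DEV));
    printf("exec passes it literally as: %s\n", gs_device_argument(SAMPLE_DEV));
    printf("gs exit status via exec: %d\n", run_gs_via_exec(SAMPLE_DEV));
    return 0;
}
```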