[poppler] pdftohtml lets you run random shell commands

Albert Astals Cid aacid at kde.org
Thu Apr 19 11:28:01 PDT 2012


On Thursday, 19 April 2012, at 19:58:28, Fabio D'Urso wrote:
> On Thursday, April 19, 2012 07:03:01 PM Albert Astals Cid wrote:
> > On Thursday, 19 April 2012, at 18:55:56, Ihar `Philips` Filipau wrote:
> > > What about going defensive and simply rejecting any device name which
> > > isn't alphanumeric? All gs device names are alphanumeric, quote from
> > 
> > Problem is not only in the device name, the extension can be user injected
> > too (it's 5 chars max in length but a rm fits there :D)
> 
> ... and filenames too
> 
> pdftohtml file.pdf 'x"; touch hello1 #.html' -c -dev png
> pdftohtml 'x"; touch hello2 #.pdf' -c -dev png

That is a problem, since we can't limit the characters to only alphanumeric for
filenames :D

Albert 


> Fabio
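Added example (not poppler's code, and not from any participant in this thread) showing the two halves of the problem discussed above: the injectable pattern of pasting the gs device name and user file names into one shell command line, beside the fix that avoids the shell entirely so that a file name like `x"; touch hello1 #.html` can no longer run anything. The gs option names and the `build_gs_argv`/`run_gs_*` helpers are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not poppler's actual code): device name,
 * output base name and input file are pasted into one shell command line, so
 * a name such as  x"; touch hello1 #.html  is parsed by /bin/sh as commands. */
int run_gs_vulnerable(const char *dev, const char *pdf, const char *base) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd,
             "gs -q -dNOPAUSE -dBATCH -sDEVICE=%s -sOutputFile=\"%s\" \"%s\"",
             dev, base, pdf);
    return system(cmd);            /* the shell is the injection point */
}

/* Defensive check proposed in the thread: gs device names are alphanumeric. */
int is_alnum_token(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s)) return 0;
    return 1;
}

/* Hardened form: no shell. Each value becomes exactly one argv element, so
 * quotes, ';' and '#' inside a file name reach gs verbatim and run nothing.
 * Returns a NULL-terminated heap-allocated argv, or NULL if dev is rejected. */
char **build_gs_argv(const char *dev, const char *pdf, const char *base) {
    if (!is_alnum_token(dev)) return NULL;
    char **argv = calloc(8, sizeof *argv);
    size_t dn = strlen(dev) + sizeof "-sDEVICE=";      /* sizeof counts the NUL */
    size_t on = strlen(base) + sizeof "-sOutputFile=";
    char *sdev = malloc(dn), *out = malloc(on);
    if (!argv || !sdev || !out) return NULL;
    snprintf(sdev, dn, "-sDEVICE=%s", dev);
    snprintf(out, on, "-sOutputFile=%s", base);
    const char *fixed[] = {"gs", "-q", "-dNOPAUSE", "-dBATCH"};
    for (int i = 0; i < 4; i++) argv[i] = strdup(fixed[i]);
    argv[4] = sdev; argv[5] = out; argv[6] = strdup(pdf); argv[7] = NULL;
    return argv;
}

int run_gs_hardened(char **argv) {
    pid_t pid = fork();
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }  /* child: no shell */
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    return pid < 0 ? -1 : status;
}
```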

