[poppler] pdftohtml lets you run random shell commands
Albert Astals Cid
aacid at kde.org
Thu Apr 19 11:28:01 PDT 2012
El Dijous, 19 d'abril de 2012, a les 19:58:28, Fabio D'Urso va escriure:
> On Thursday, April 19, 2012 07:03:01 PM Albert Astals Cid wrote:
> > El Dijous, 19 d'abril de 2012, a les 18:55:56, Ihar `Philips` Filipau va
> >
> > escriure:
> > > What about going defensive and simply rejecting any device name which
> > > isn't alphanumeric? All gs device names are alphanumeric, quote from
> >
> > Problem is not only in the device name, the extension can be user injected
> > too (it's 5 chars max in length but a rm fits there :D)
>
> ... and filenames too
>
> pdftohtml file.pdf 'x"; touch hello1 #.html' -c -dev png
> pdftohtml 'x"; touch hello2 #.pdf' -c -dev png
That is a problem, since we can't limit the characters to only alfanumeric for
filenames :D
Albert
> Fabio
> _______________________________________________
> poppler mailing list
> poppler at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/poppler
More information about the poppler
mailing list