[poppler] pdftohtml lets you run random shell commands

Ihar `Philips` Filipau thephilips at gmail.com
Thu Apr 19 12:08:33 PDT 2012

On 4/19/12, Albert Astals Cid <aacid at kde.org> wrote:
>> > > What about going defensive and simply rejecting any device name which
>> > > isn't alphanumeric? All gs device names are alphanumeric, quote from
>> >
>> > Problem is not only in the device name, the extension can be user
>> > injected
>> > too (it's 5 chars max in length but a rm fits there :D)
>> ... and filenames too
>> pdftohtml file.pdf 'x"; touch hello1 #.html' -c -dev png
>> pdftohtml 'x"; touch hello2 #.pdf' -c -dev png
> That is a problem, since we can't limit the characters to only alfanumeric
> for filenames :D


Well, shell escape then? As it turned out, on Windows one can simply
use double quote around the parameters - double quotes are illegal
characters for files names there. cmd.exe on my WinXP and Win7 handle
them as expected (e.g. `dir "_vim""rc"` is the same as `dir "_vimrc"`
is the same as `dir _vimrc`). (IOW, on *nix shell escape as in
previous patch, on Windows - simply wrap in double quotes.)

Actually shell escaping can be seen as an independent fix: the gs
command line generation already tries to wrap the file names using
double quotes. And with the knowledge of how it works on Windows, the
choice of the double quotes doesn't seem to be arbitrary. E.g. from
debug output (my backslashes; bad device name is quoted as per my
previous shell quote patch):

gs -sDEVICE='"'\''jpeg'\''"' -dBATCH -dNOPROMPT \
-dNOPAUSE -r108 -sOutputFile="Der Mond%03d.jpeg" \
-g892x1263 -q "Der Mond.ps"

More information about the poppler mailing list