[poppler] pdftohtml lets you run random shell commands
Adrian Johnson
ajohnson at redneon.com
Fri Apr 20 03:31:05 PDT 2012
On 19/04/12 08:18, Albert Astals Cid wrote:
> You can do pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#'
> /path/to/some/pdf/fil and voila, you'll get your /etc/passwd printed
> on screen
>
> Definitely not nice.
>
> This is because we are using plain system() to run the gs command and
> it's easy to inject stuff there
>
> The poor man's solution is trying to escape the strings but it's
> really impossible.
>
> The real solution is moving to a fork+exec solution (patch attached).
>
> The problem with that is that we lose support for platforms with
> system() and without fork+exec (Windows).
>
> So here comes my question, anyone with Windows experience can
> implement a path for my patch that works fine?
>
> Another solution would be just killing the gs invocation from
> pdftohtml since I don't really see its point.
>
> Comments?
I'm for option 3 - kill it off.