[poppler] pdftohtml lets you run random shell commands

Adrian Johnson ajohnson at redneon.com
Fri Apr 20 03:31:05 PDT 2012


On 19/04/12 08:18, Albert Astals Cid wrote:
> You can do pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#'
> /path/to/some/pdf/fil and voila, you'll get your /etc/passwd printed
> on screen
> 
> Definitely not nice.
> 
> This is because we are using plain system() to run the gs command and
> it's easy to inject stuff there
> 
> The poors man solution is trying to escape the strings but it's
> really impossible.
> 
> The real solution is moving to a fork+exec solution (path attached).
> 
> The problem with that is that we loose support for platforms with
> system() and without fork+exec (Windows).
> 
> So here comes my question, anyone with Windows experience can
> implement a path for my patch that works fine?
> 
> Another solution would be just killing the gs invokation from
> pdftohtml since i don't really see it's point.
> 
> Comments?

I'm for option 3 - kill it off.


More information about the poppler mailing list