[poppler] pdftohtml lets you run random shell commands

Fabio D'Urso fabiodurso at hotmail.it
Mon Apr 23 07:59:25 PDT 2012


On Saturday, April 21, 2012 12:57:09 PM Fabio D'Urso wrote:
> On Thursday, April 19, 2012 09:44:41 PM Ihar `Philips` Filipau wrote:
> > On 4/19/12, Ihar `Philips` Filipau <thephilips at gmail.com> wrote:
> > > Here is a patch which extends shell escape to cover: device name,
> > > output file name, ps file name. Win32 part was /tested/ on *nix with
> > > my eyes. And as it turned out (live and learn) cmd.exe has a command
> > > separator - &, accidentally a valid file name character - and it too
> > > has to be escaped. Guess what's the escape character? 3... 2... 1... Wrong
> > > - it's '^', which itself has to be escaped too.
> > > 
> > > Have fun.
> 
> The Unix part seems to be ok, I still have a doubt about the win32 part:
>  pdftohtml -c -dev """ | calc | echo """ file.pdf
>
> [...]
> But I don't have a machine to test it at hand.

Just tested it. It still opens the calculator.

It seems that doubling double quotes is the proper way to escape double quotes.
From http://technet.microsoft.com/en-us/library/cc723564.aspx:
 < If a double-quoted argument itself contains a double quote character,
 the double quote must be doubled. For example, enter "Quoted" Argument
 as """Quoted"" Argument". >

According to the same document, the characters & | ( ) < > ^ shouldn't be escaped
if they are already between double quotes.

I'm attaching a patch on top of Ihar Philips Filipau's one that fixes the 
above issues (tested on win32).

Fabio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pdftohtml-Fix-in-shellEscape-win32-only.patch
Type: text/x-patch
Size: 894 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/poppler/attachments/20120423/9e6e603e/attachment.bin>
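Worked example (added here; this is not poppler's shellEscape nor the attached patch): the two quoting rules the thread settles on, applied to the thread's own test device name. The function names and the command layout are my own assumptions.

```cpp
#include <string>

// Quote one argument for cmd.exe, following the TechNet rule cited in the
// thread: wrap the argument in double quotes and double every embedded
// double quote. Inside the quotes & | ( ) < > ^ need no further escaping.
// (Added example, not poppler's code.)
std::string shellEscapeWin32(const std::string &arg) {
    std::string out = "\"";
    for (char c : arg) {
        if (c == '"') out += "\"\"";
        else out += c;
    }
    out += '"';
    return out;
}

// Quote one argument for a POSIX shell: inside single quotes every character
// is literal except ' itself, which is closed, backslash-escaped and reopened
// as '\'' .
std::string shellEscapeUnix(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += '\'';
    return out;
}

// Assemble a command line from a program name, a device name and an input
// file name (hypothetical layout). Every field goes through the escaper, so
// the device name from the thread's test case stays a single argument and
// cannot start a pipeline.
std::string buildCommand(const std::string &prog, const std::string &device,
                         const std::string &input, bool win32) {
    std::string (*esc)(const std::string &) =
        win32 ? shellEscapeWin32 : shellEscapeUnix;
    return esc(prog) + " -dev " + esc(device) + " " + esc(input);
}
```

When the child process is started without cmd.exe, its C runtime rather than the shell parses the quotes, and handling of doubled quotes has varied between runtime versions, so verify on the target toolchain as Fabio did.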
