[poppler] pdftohtml lets you run random shell commands

Albert Astals Cid aacid at kde.org
Thu May 10 13:29:43 PDT 2012


On Thursday, 19 April 2012, at 00:48:46, Albert Astals Cid wrote:
> You can do
>  pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
> and voila, you'll get your /etc/passwd printed on screen
> 
> Definitely not nice.
> 
> This is because we are using plain system() to run the gs command and it's
> easy to inject stuff there
> 
> The poor man's solution is trying to escape the strings but it's really
> impossible.
> 
> The real solution is moving to a fork+exec solution (patch attached).
> 
> The problem with that is that we lose support for platforms with system()
> and without fork+exec (Windows).
> 
> So here comes my question, anyone with Windows experience can implement a
> path for my patch that works fine?
> 
> Another solution would be just killing the gs invocation from pdftohtml
> since I don't really see its point.
> 
> Comments?

Summary:
 In 0.20.0 the injection is still possible
 In 0.22 I've removed the option to invoke gs altogether, so this problem is gone

If anyone was using the gs invocation for something the regular splash-based 
code can't achieve, you have around 6 months until 0.22 to fix the regression 
in functionality.

Cheers,
  Albert

> 
> Cheers,
>   Albert
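The two approaches discussed in the thread side by side, as an added example that is not poppler's code: a system()/popen()-style call that pastes the caller-controlled -dev string into a shell command line, and the fork+exec replacement that hands the same string to the child as a single argv element. The command line is a stand-in (the real pdftohtml gs invocation is not reproduced here) and `echo` takes the place of gs so that the demo is harmless; the payload string is constructed to mirror the shape of the one in the report.

```c
/* Added example: shell injection via system()/popen() versus fork+execvp.
 * Stand-in command: "echo" plays the role of gs, so nothing harmful runs. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Read everything the child writes to fd into out (NUL-terminated). */
static void slurp(int fd, char *out, size_t n) {
    size_t used = 0;
    ssize_t r;
    while (used + 1 < n && (r = read(fd, out + used, n - used - 1)) > 0)
        used += (size_t)r;
    out[used] = '\0';
}

/* VULNERABLE: the pattern the report describes. Caller-controlled text is
 * pasted into a command string and handed to a shell, which parses ';' and
 * '#' as metacharacters. popen() is used instead of system() only so the
 * output can be captured; the injection behaviour is identical. */
int vulnerable_run(const char *dev, const char *outfile, char *out, size_t n) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo gs -sDEVICE=%s -sOutputFile=%s", dev, outfile);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    slurp(fileno(p), out, n);
    int st = pclose(p);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* HARDENED: fork+exec with an argv vector. Each caller-controlled string is
 * exactly one argv element; no shell ever sees it, so ';' and '#' are just
 * bytes in an argument. No escaping is needed, because nothing is parsed. */
int safe_run(const char *dev, const char *outfile, char *out, size_t n) {
    char devarg[256], outarg[256];
    snprintf(devarg, sizeof devarg, "-sDEVICE=%s", dev);
    snprintf(outarg, sizeof outarg, "-sOutputFile=%s", outfile);
    char *const argv[] = { "echo", "gs", devarg, outarg, NULL };

    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);                        /* parent: read child's output */
    slurp(fds[0], out, n);
    close(fds[0]);
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Did "INJECTED" come out as its own line, i.e. did the payload run as a
 * separate command rather than being printed as part of the argument? */
int injected(const char *out) {
    return strstr(out, "\nINJECTED\n") != NULL;
}

/* Constructed payload, same shape as the one in the report. */
static const char *PAYLOAD = "jpeg /dev/null;echo INJECTED;#";

int demo_vulnerable(void) {               /* 1: the payload executed */
    char out[1024];
    if (vulnerable_run(PAYLOAD, "/dev/null", out, sizeof out) != 0) return -1;
    return injected(out);
}

int demo_safe(void) {                     /* 0: the payload stayed an argument */
    char out[1024];
    if (safe_run(PAYLOAD, "/dev/null", out, sizeof out) != 0) return -1;
    return injected(out);
}

int main(void) {
    printf("system()-style run: injected=%d\n", demo_vulnerable());
    printf("fork+exec run:      injected=%d\n", demo_safe());
    return 0;
}
```

In the popen() path the shell splits the string at `;`, runs `echo INJECTED` as a second command and discards everything after `#`, which is exactly why escaping is a losing game: every shell metacharacter has to be anticipated. In the fork+exec path the whole payload arrives in the child as one argument and is printed verbatim. For a real gs call one would also pass an absolute path rather than relying on the execvp PATH search.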

