[ https://issues.apache.org/jira/browse/PDFBOX-5913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903300#comment-17903300 ]

ASF subversion and git services commented on PDFBOX-5913:
---------------------------------------------------------

Commit 1922316 from Tilman Hausherr in branch 'pdfbox/branches/2.0'
[ https://svn.apache.org/r1922316 ]

PDFBOX-5913: don't spawn a cmd / command subprocess to get windir, as suggested by Jakob Heher

> FontBox spawns a `cmd` subprocess to read an environment variable (on Windows)
> ------------------------------------------------------------------------------
>
> Key: PDFBOX-5913
> URL: https://issues.apache.org/jira/browse/PDFBOX-5913
> Project: PDFBox
> Issue Type: Bug
> Components: FontBox
> Affects Versions: 2.0.32, 3.0.3 PDFBox
> Environment: Windows
> Reporter: Jakob Heher
> Priority: Major
> Fix For: 2.0.33, 3.0.4 PDFBox, 4.0.0
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> FontBox's
> [`WindowsFontDirFinder`|https://github.com/apache/pdfbox/blob/trunk/fontbox/src/main/java/org/apache/fontbox/util/autodetect/WindowsFontDirFinder.java#L43]
> spawns a `cmd` subprocess to read the value of the `windir` environment
> variable.
> (It is unclear to me why it does not simply use `getenv("windir")`. Without
> further understanding of the context, that would be my suggested fix.)
> Either way, this can (and does) cause false positives in aggressive endpoint
> security configurations, which use "spawns a shell subprocess" as an
> indicator of process compromise.
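
An in-process lookup of the kind the report suggests, as an added example that is not PDFBox's code and is not taken from commit 1922316. The class and method names are hypothetical, and the `SystemRoot` fallback and the checks on the value are assumptions of this example; no child process is started, so nothing here would trip a "spawns a shell subprocess" rule.

```java
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Hypothetical helper, not PDFBox code: finds the Windows font directory
// from the process environment without starting cmd.exe or command.com.
public class WinDirLookup {

    // Returns the first candidate variable that names an existing absolute
    // directory, or null. The environment is inherited from the parent
    // process, so the value is checked before it is used as a path.
    static Path resolveWinDir(Map<String, String> env) {
        for (String name : new String[] { "windir", "SystemRoot" }) {
            for (Map.Entry<String, String> e : env.entrySet()) {
                // Windows variable names are case-insensitive; compare that way.
                if (!e.getKey().equalsIgnoreCase(name) || e.getValue().isEmpty()) {
                    continue;
                }
                try {
                    Path p = Paths.get(e.getValue());
                    if (p.isAbsolute() && Files.isDirectory(p)) {
                        return p;
                    }
                } catch (InvalidPathException ex) {
                    // Malformed value: ignore it and try the next candidate.
                }
            }
        }
        return null;
    }

    // Returns the font directories found under the resolved Windows directory.
    static List<Path> fontDirs(Map<String, String> env) {
        List<Path> dirs = new ArrayList<>();
        Path winDir = resolveWinDir(env);
        if (winDir != null && Files.isDirectory(winDir.resolve("Fonts"))) {
            dirs.add(winDir.resolve("Fonts"));
        }
        return dirs;
    }

    public static void main(String[] args) {
        System.out.println(fontDirs(System.getenv()));
    }
}
```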