On 4/19/12, Albert Astals Cid <[email protected]> wrote:
> You can do
> pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
> and voila, you'll get your /etc/passwd printed on screen
>
> Definitely not nice.
>
> This is because we are using plain system() to run the gs command and it's
> easy to inject stuff there
>
My 0.02€

So what? User already can print /etc/passwd. The problem of the system() call
is only relevant when the command is installed suid-root(*). And pretty much
all systems install only the required minimum of commands as suid-root.

((*) Or user convinces admin to run something as root in his own terminal - but
you can't really do anything against idiot admins.)

> The real solution is moving to a fork+exec solution (patch attached).

You use execvp() - that doesn't improve anything: the 'p' letter in execvp()
stands for "path resolution", meaning that user can still add its own wrapper
for the "gs" command, adjust the $PATH and circumvent whatever you intended to
prevent with the patch. IOW, the exec*p*() functions are as insecure as
system() - unless of course you use an absolute path for "gs" (which I gather
would cause troubles for portability).

Simpler /fix/ would be to make the programs not runnable by root -
`geteuid() != 0`. That would also cover the case of idiot admins. :)

Otherwise, in the patch, if one would replace the kinky va_list stuff with a
GooList() of `char *` (iow, pack the command line onto the list (and add an
accessor for the GooList::data)) the change would easily come off as a clean
up. ;)

> The problem with that is that we lose support for platforms with system()
> and without fork+exec (Windows).

The problem doesn't exist on Windows, since it doesn't have anything like
suid. It's either user or Administrator(**). And if user can run a program as
an administrator, then all bets are off. (The same case as an idiot *nix
admin.)

(**) Win Vista/7 have something similar, but UAC would bark at it. So it
doesn't change the parity.

_______________________________________________
poppler mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/poppler
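As an added example (not poppler's code and not the patch discussed in the thread), a small C launcher that shows the two points made above: arguments handed to the child as an argv vector are never parsed by a shell, and a fixed absolute path removes the $PATH lookup that execvp() would do; the geteuid() check is kept as a separate predicate. The helper path, the function names and the use of /bin/echo for the demonstration are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed example, not poppler's code: the device string the mail shows
 * being injected into a system() command line. */
static const char *INJECTED_DEVICE = "jpeg /dev/null;cat /etc/passwd;#";

/* With system(), /bin/sh parses the whole command line, so any of these
 * characters in a user-controlled argument changes what gets executed. */
int shell_would_interpret(const char *arg) {
    return strpbrk(arg, ";|&$`'\"\\<>()\n") != NULL;
}

/* Second point of the reply: the injection only escalates privilege when the
 * program runs as root, so a launcher can simply refuse that case. */
int may_run_helper(void) {
    return geteuid() != 0;
}

/* fork+execv with a fixed absolute path: no $PATH lookup (unlike execvp),
 * and argv goes to the child verbatim, so no shell ever sees the arguments.
 * Returns the child's exit status, or -1 on a relative path or failure. */
int run_no_shell(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(abs_path, argv);  /* only returns if the exec itself failed */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    if (!may_run_helper()) {
        fprintf(stderr, "refusing to run helper as root\n");
        return 1;
    }
    /* The payload reaches echo as one literal argument; cat never runs. */
    char *argv[] = { "echo", "device:", (char *)INJECTED_DEVICE, NULL };
    return run_no_shell("/bin/echo", argv);
}
```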
