Re: [poppler] pdftohtml lets you run random shell commands

Wed, 18 Apr 2012 16:37:45 -0700 

Ahh, indeed, I think you say that "pdftohtml is dangerous as find or xargs
commands that can invoke any other command, but these are security issue?".
Umm.

Ihar `Philips` Filipau wrote:

On 4/19/12, Albert Astals Cid <[email protected]> wrote:

You can do
 pdftohtml -c -dev 'jpeg /dev/null;cat /etc/passwd;#' /path/to/some/pdf/fil
and voila, you'll get your /etc/passwd printed on screen

Definitely not nice.

This is because we are using plain system() to run the gs command and it's
easy to inject stuff there



My 0.02€

So what? User already can print /etc/passwd.

The problem of system() call is only relevant when the command is
installed suid-root(*). And pretty much all systems install only
required minimum of commands as suid-root. ((*) Or user convinces
admin to run something as root in his own terminal - but you can't
really do anything against idiot admins.)


The real solution is moving to a fork+exec solution (path attached).


You use execvp() - that doesn't improve anything: the 'p' letter in
execvp() stands for "path resolution", meaning that user can still add
its own wrapper for "gs" command, adjust the $PATH and circumvent
whatever you intended to prevent with the patch.

IOW, the exec*p*() functions are as insecure as the system() - unless
of course you use absolute path for "gs" (what I gather would cause
troubles for portability).

Simpler /fix/ would be to make the programs not runnable by root -
`geteuid() != 0`. That would also cover the case of idiot admins. :)

Otherwise, in the patch, if one would replace the kinky va_list stuff
with a GooList() of `char *` (iow, pack the command line onto the list
(and add an accessor for the GooList::data)) the change would easily
come off as a clean up. ;)


The problem with that is that we loose support for platforms with system()
and without fork+exec (Windows).


The problem doesn't exist on Windows, since it doesn't have anything
like suid. It's either user or Administrator(**). And if user can run
a program as an administrator, then all bets are off. (The same case
as an idiot *nix admin.)

(**) Win Vista/7 have something similar, but UAC would bark at it. So
it doesn't change the parity.
_______________________________________________
poppler mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/poppler


_______________________________________________
poppler mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/poppler

Reply via email to