--- On Thu, 19/4/12, Ihar `Philips` Filipau wrote:

> On 4/19/12, Albert Astals Cid <[email protected]> wrote:
> > You can do
> > pdftohtml -c -dev 'jpeg /dev/null;cat > /etc/passwd;#' /path/to/some/pdf/fil
> > and voila, you'll get your /etc/passwd printed on screen
> >
> > Definitely not nice.
> >
> > This is because we are using plain system() to run the gs command and it's
> > easy to inject stuff there
> >
> > My 0.02€
>
> So what? User already can print /etc/passwd.
Now convert that into a rm -rf * and now realize that pdftohtml can be called from a webservice. Does it sound more critical to you now? It does for me.

Albert

> The problem of system() call is only relevant when the command is
> installed suid-root(*). And pretty much all systems install only
> required minimum of commands as suid-root. ((*) Or user convinces
> admin to run something as root in his own terminal - but you can't
> really do anything against idiot admins.)
>
> > The real solution is moving to a fork+exec solution (patch attached).
>
> You use execvp() - that doesn't improve anything: the 'p' letter in
> execvp() stands for "path resolution", meaning that user can still add
> its own wrapper for "gs" command, adjust the $PATH and circumvent
> whatever you intended to prevent with the patch.
>
> IOW, the exec*p*() functions are as insecure as the system() - unless
> of course you use absolute path for "gs" (what I gather would cause
> troubles for portability).
>
> Simpler /fix/ would be to make the programs not runnable by root -
> `geteuid() != 0`. That would also cover the case of idiot admins. :)
>
> Otherwise, in the patch, if one would replace the kinky va_list stuff
> with a GooList() of `char *` (iow, pack the command line onto the list
> (and add an accessor for the GooList::data)) the change would easily
> come off as a clean up. ;)
>
> > The problem with that is that we lose support for platforms with system()
> > and without fork+exec (Windows).
>
> The problem doesn't exist on Windows, since it doesn't have anything
> like suid. It's either user or Administrator(**). And if user can run
> a program as an administrator, then all bets are off. (The same case
> as an idiot *nix admin.)
>
> (**) Win Vista/7 have something similar, but UAC would bark at it. So
> it doesn't change the parity.
> _______________________________________________
> poppler mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/poppler
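As an added example (not poppler's code and not the patch under discussion): the fork()+exec() shape the thread argues for, using execv() on an absolute path so that neither a shell nor $PATH is involved. /bin/echo stands in for gs so it runs anywhere, and the device string from the first message is the constructed sample input; the pipe capture of the child's stdout exists only to make the result checkable.

```c
/* Added example (not poppler's code): run an external converter with
 * fork()+execv() instead of system(). argv goes straight to the child, so
 * "jpeg /dev/null;cat > /etc/passwd;#" arrives as ONE literal argument and
 * no shell ever parses it; the absolute path means $PATH cannot be used to
 * substitute a wrapper (the execvp() concern raised above). */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOSTILE "jpeg /dev/null;cat > /etc/passwd;#" /* constructed sample */

/* Run `path` with `argv`, collect the child's stdout into `out`.
 * Returns the child's exit status, -1 on error or on a non-absolute path. */
static int run_captured(const char *path, char *const argv[],
                        char *out, size_t out_len)
{
    int fd[2], status;
    if (path[0] != '/' || pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                 /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execv(path, argv);          /* no shell, no PATH lookup */
        _exit(127);                 /* only reached if exec failed */
    }
    close(fd[1]);                   /* parent: drain the pipe, then reap */
    size_t used = 0;
    ssize_t n;
    while (used < out_len - 1 &&
           (n = read(fd[0], out + used, out_len - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 if the hostile string came back byte-for-byte (no shell ran,
 * nothing was redirected); /bin/echo stands in for gs here. */
int hostile_arg_stays_literal(void)
{
    char buf[256];
    char *const argv[] = { "echo", HOSTILE, NULL };
    return run_captured("/bin/echo", argv, buf, sizeof buf) == 0 &&
           strcmp(buf, HOSTILE "\n") == 0;
}
```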
