El Dijous, 19 d'abril de 2012, a les 12:39:00, Ihar `Philips` Filipau va escriure: > On 4/19/12, Albert Astals Cid <[email protected]> wrote: > > --- El jue, 19/4/12, Ihar `Philips` Filipau <[email protected]> > > escribió: > > > > And now realize the pdftohtml can be called from a webservice. > > Get real, man. > > In that case, a user or a random person off a street will NEVER ever > have a possibility to supply random string to a command to be ran on > the server. > > This is the same as the SQL injections and should be handled by > webservice the same way - by NEVER EVER exposing anything to raw > unfiltered user input.
So you say "NEVER EVER exposing anything to raw unfiltered user input" and at the same time argue we can do it and it's fine? Albert > > > Now let's be serious, the world is full of people that don't have a clue, > > and those people usually copy and paste from the interwebs, now imagine > > that I run an obscure command line of pdftohtml i found in a forum that > > says it'll work better because it does magic and it ends up removing all > > the files in my home folder. I'd call that unexpected behaviour > > There are lots of ways - and on forums the text coloring is most > popular among them - of how one can sneak a stealthy command into > something innocently looking. That's why on all *nix forums there is a > merciless ban hammer against such jokers. (I'm an old time Perl coder > and there was this period of time on Perl forums too.) > > And btw, the same way, one can simply append invisible "; rm -rf *" to > the end of pdftothml invocation. And there is nothing you can do about > it. > > Overall, I think you are overreacting. I'm perfectly aware of what I'm > talking about, actually developing and maintaining software running as > a back-end for a B2B webservice of sorts. (And I did develop > webservices in past too.) And I do have two suid-root tools under my > responsibility, so this problems are rather closer to me than you > think. > > But then again, I said from the beginning, I do not mind the change > (esp. if it would reuse some list or even a fixed size array instead > of va_list), since it cleans up the main() of pdftohtml. If you wish I > can experiment with escaping the string too (I have some spare time > right now). Theoretically, for system() it should suffice to escape > every single quote and wrap the string in the single quotes. > _______________________________________________ > poppler mailing list > [email protected] > http://lists.freedesktop.org/mailman/listinfo/poppler _______________________________________________ poppler mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/poppler
