Hi,

No, because the text is just text: delimiters like ")" are escaped when used in showText. There is no "PDF injection" this way. "Little Bobby Tables" won't be successful.

Tilman

On 19.10.2021 at 14:10, Knüppel, Pascal wrote:

Hi,

we are using Apache PDFBox to simply add a new page with some text to an already existing PDF file. Now we have a new requirement that wants us to insert free text chosen by the customer into the file. This actually makes me somewhat nervous because I am not sure whether it is possible to inject malicious code into the PDF file using the following code block:

contentStream.beginText();                        // BT: start a text object
contentStream.setFont(font, fontSize);            // Tf: select font resource and size
contentStream.newLineAtOffset(marginLeft, texty); // Td: position of the text line
contentStream.showText(text);                     // Tj: the customer-supplied string
contentStream.endText();                          // ET: end the text object

Can anyone help me here?

My guess would be that it is not possible because PDFBox is probably inserting the text – whatever it may contain – as simple text into the PDF file. But I am not sure of it.

Best regards

Pascal



Headquarters: Hochschulring 4, 28359 Bremen
Branch offices: Universitätsstr. 2, 10117 Berlin | Herwarthstraße 1, 50672 Köln | Johannesstr. 162, 99084 Erfurt

Governikus GmbH & Co. KG
Chair of the Supervisory Board: Carola Heilemann-Jeschke
Managing Directors: Dr. Stephan Klein, Holger Mohrmann
Bremen District Court HRA 22041 | Tax no. 60/100/04568 | VAT ID DE203827312

General partner:
Governikus Bremen GmbH
Managing Directors: Dr. Stephan Klein, Holger Mohrmann, Bremen District Court HRB 18756

****************************************************
Event preview: Visit us…
SCCON | 26.-27.10.2021 | virtual https://www.smartcountry.berlin/de/
8. Zukunftskongress Staat & Verwaltung | 13.-15.12.2021 | bcc Berlin https://www.zukunftskongress.info/de/8-Zukunftskongress
OMNISECURE | 24.-26.01.2022 | Berlin https://omnisecure.berlin/
Governikus Jahrestagung | 23.-24.02.2022 | Berlin https://www.jahrestagung.governikus.de/
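The following is an added check, not code from the thread or from the PDFBox project, that makes Tilman's answer verifiable: it runs the same five calls from Pascal's snippet on a constructed input containing the PDF string delimiters "(" and ")", a backslash, and operator-looking tokens, then parses the page's content stream back and confirms the input is still a single string operand of a single Tj. It assumes PDFBox 2.x (PDFStreamParser, IOUtils and PDDocument as used below) and the standard Helvetica Type 1 font. The class name, the sample input and the helper names are mine.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.pdfbox.contentstream.operator.Operator;
import org.apache.pdfbox.io.IOUtils;
import org.apache.pdfbox.pdfparser.PDFStreamParser;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.PDPageContentStream;
import org.apache.pdfbox.pdmodel.font.PDType1Font;
import org.apache.pdfbox.text.PDFTextStripper;

/**
 * Added check (hypothetical class, not from the mailing-list thread): feeds showText()
 * a string full of PDF string delimiters and operator-looking tokens, then parses the
 * page content stream back to confirm it is still one string operand of one Tj.
 */
public class ShowTextEscapingCheck {

    // Constructed sample input. It contains the literal-string delimiters "(" and ")",
    // a backslash, and tokens that would be content-stream operators (ET, q, rg, BT)
    // if the text were spliced in as syntax instead of written as string data.
    static final String HOSTILE_INPUT = "Robert'); ET q 1 0 0 rg BT (\\Bobby Tables";

    /** Same five calls as in the original question, on a fresh single-page document. */
    static PDDocument buildPdf(String userText) throws IOException {
        PDDocument doc = new PDDocument();
        PDPage page = new PDPage();
        doc.addPage(page);
        try (PDPageContentStream cs = new PDPageContentStream(doc, page)) {
            cs.beginText();
            cs.setFont(PDType1Font.HELVETICA, 12);
            cs.newLineAtOffset(50, 700);
            cs.showText(userText);
            cs.endText();
        } catch (RuntimeException e) {
            doc.close(); // showText() rejected the input; do not leak the document
            throw e;
        }
        return doc;
    }

    /** Decoded bytes of the page's content stream, exactly as a viewer would parse them. */
    static String rawContentStream(PDPage page) throws IOException {
        return new String(IOUtils.toByteArray(page.getContents()), StandardCharsets.ISO_8859_1);
    }

    /** Operator names in the content stream, in order; string operands are not included. */
    static List<String> operatorsIn(PDPage page) throws IOException {
        PDFStreamParser parser = new PDFStreamParser(page);
        parser.parse();
        List<String> ops = new ArrayList<>();
        for (Object token : parser.getTokens()) {
            if (token instanceof Operator) {
                ops.add(((Operator) token).getName());
            }
        }
        return ops;
    }

    /**
     * True when the user text ended up as data only: exactly one Tj, and none of the
     * operator-looking tokens from the input ("rg", "q") surfaced as real operators.
     */
    static boolean textStayedData(PDPage page) throws IOException {
        List<String> ops = operatorsIn(page);
        return Collections.frequency(ops, "Tj") == 1 && !ops.contains("rg") && !ops.contains("q");
    }

    public static void main(String[] args) throws IOException {
        try (PDDocument doc = buildPdf(HOSTILE_INPUT)) {
            PDPage page = doc.getPage(0);
            // The raw stream shows "(" , ")" and "\" written as \( , \) and \\ inside one literal string.
            System.out.println("raw stream : " + rawContentStream(page));
            System.out.println("operators  : " + operatorsIn(page));
            System.out.println("stayed data: " + textStayedData(page));
            System.out.println("extracted  : " + new PDFTextStripper().getText(doc).trim());
        }

        // Caveat the thread does not mention: showText() does not accept characters the
        // chosen font cannot encode. With the standard Type 1 fonts that includes control
        // characters such as "\n", which raises IllegalArgumentException instead of
        // producing output, so validate or normalise line breaks before calling it.
        try (PDDocument doc = buildPdf("line one\nline two")) {
            System.out.println("unexpected : newline was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected   : " + e.getMessage());
        }
    }
}
```

The parse-back step is the useful part: rather than trusting the escaping by reading the writer's source, it checks the property that matters (the operator sequence of the page is unchanged by the input) on the actual bytes PDFBox emitted. The second block shows the failure mode that remains after the injection question is settled: unencodable input is rejected with an exception, so customer text still needs input handling, just for availability rather than for injection.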

