Posted to fop-dev@xmlgraphics.apache.org by "John R. Brinkema" <br...@teo.uscourts.gov> on 1999/12/02 21:58:42 UTC

Re: Simple Link Observations (SECURITY)


Arved Sandstrom wrote:

>>Some observations on simple links in FOP:
>> ...
>> It is easy to add code into PDFAction which renders ("render" is really
>> the wrong word for annotations, but...) a /URI link or a /Launch link instead,
>> if the target is an HTML page, or a mailto: link, or a .txt file. This
>> works well enough because I've tried it.
>>...
>> Arved Sandstrom

The /Launch capability is one of the *worst* ideas in PDF (an otherwise great
standard).  It opens a massive security hole ... one that allows an arbitrary
command on the client system to be executed.  The command has to be on the client
already, but there are always lots of damaging commands there to choose from now
(i.e. under Windoz, try 'format c:').  Versions of Acrobat (I don't know about
xpdf or other PDF processing tools) after version 3.01 give a warning message,
but most users just choose the default response, which is 'go ahead and execute
the command'.

Please think hard and long about the security implications of your ideas. /jb

John R. Brinkema
Administrative Office of the US Courts


Re: Simple Link Observations (SECURITY)

Posted by Arved Sandstrom <Ar...@chebucto.ns.ca>.
On Thu, 2 Dec 1999, John R. Brinkema wrote:

> Arved Sandstrom wrote:
> 
> >>Some observations on simple links in FOP:
> >> ...
> >> It is easy to add code into PDFAction which renders ("render" is really
> >> the wrong word for annotations, but...) a /URI link or a /Launch link instead,
> >> if the target is an HTML page, or a mailto: link, or a .txt file. This
> >> works well enough because I've tried it.
> >>...
> The /Launch capability is one of the *worst* ideas in PDF (an otherwise great
> standard).  It opens a massive security hole ... one that allows an arbitrary
> command on the client system to be executed.  The command has to be on the client
> already, but there are always lots of damaging commands there to choose from now
> (i.e. under Windoz, try 'format c:').  Versions of Acrobat (I don't know about
> xpdf or other PDF processing tools) after version 3.01 give a warning message,
> but most users just choose the default response, which is 'go ahead and execute
> the command'.
> 
> Please think hard and long about the security implications of your ideas. /jb
> 
This is a valid point, and I thank you for mentioning it.

I personally could go with just having /Goto[R] and /URI actions, and
leave out the /Launch.

The worst security problems are going to be on the most common system -
Windows. Since I don't use it myself except when I must, maybe thoughts on
this should come from Windows aficionados.

Arved Sandstrom
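
An added example, not part of the original thread or of FOP's code: a Python check that a generated PDF uses only the link action types proposed in the reply above (go-to and URI actions) and reports anything else, such as /Launch. It assumes the PDF specification's names /GoTo, /GoToR and /URI, and it is a byte-pattern scan over the file and its Flate-compressed streams rather than a full parser, so encrypted files are out of scope; the function names and sample fragments are made up for the illustration.

```python
import re
import zlib

# Link action types the generator may emit (the thread's proposal: no /Launch).
ALLOWED = {"GoTo", "GoToR", "URI"}
# Action type names defined by the PDF specification.
KNOWN_ACTIONS = ALLOWED | {
    "GoToE", "Launch", "Thread", "Sound", "Movie", "Hide", "Named",
    "SubmitForm", "ResetForm", "ImportData", "JavaScript",
    "SetOCGState", "Rendition", "Trans", "GoTo3DView",
}
# An /S key followed by a name value; a name ends at whitespace or a delimiter.
S_ENTRY = re.compile(rb"/S\s*/([^\s/<>\[\]()%{}]+)")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /L#61unch is read as Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def disallowed_actions(pdf: bytes) -> list[str]:
    """Return the action types found in pdf that are not in ALLOWED."""
    chunks = [pdf]
    for m in STREAM.finditer(pdf):
        try:  # also look inside Flate-compressed streams
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, font, other filter): skipped
    found = set()
    for chunk in chunks:
        for m in S_ENTRY.finditer(chunk):
            name = decode_name(m.group(1))
            if name in KNOWN_ACTIONS and name not in ALLOWED:
                found.add(name)
    return sorted(found)


# Constructed sample fragments, not taken from the thread.
SAFE = b"<< /Subtype /Link /A << /S /URI /URI (http://example.org/) >> >>"
LAUNCH = b"<< /Subtype /Link /A << /S /L#61unch /F (readme.txt) >> >>"
HIDDEN = (b"5 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S/Launch /F (notes.txt) >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, data in (("safe", SAFE), ("launch", LAUNCH), ("hidden", HIDDEN)):
        print(label, disallowed_actions(data))
```

Run as a build or regression check on generated output, a non-empty result means the renderer emitted an action type outside the allowed set.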