Posted to users@pdfbox.apache.org by Timo Vander Schuit <ti...@globalrelay.net> on 2017/05/29 17:29:10 UTC

Safe to take base64 image from client?

Hi,

The front-end generates a base64 encoded image of a graph and sends it to the backend to use it with pdfbox to create a pdf file.
Are there any security concerns with this?

import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Base64;
import javax.imageio.ImageIO;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.edit.PDPageContentStream;
import org.apache.pdfbox.pdmodel.font.PDFont;
import org.apache.pdfbox.pdmodel.font.PDType1Font;
import org.apache.pdfbox.pdmodel.graphics.xobject.PDPixelMap;
import org.apache.pdfbox.pdmodel.graphics.xobject.PDXObjectImage;

@POST
@Consumes(MediaType.APPLICATION_JSON)
@Path("/pdfbox")
public void getChartsPdf(String base64ImageData) throws IOException {

    PDDocument doc = null;
    // The client sends a data URL ("data:image/png;base64,...."); the
    // payload is everything after the first comma.
    int comma = base64ImageData.indexOf(',');
    if (comma < 0) {
        throw new IOException("expected a data URL containing a comma");
    }
    String base64Image = base64ImageData.substring(comma + 1);
    // java.util.Base64 (Java 8+) replaces the internal sun.misc.BASE64Decoder;
    // it throws IllegalArgumentException on characters outside the alphabet.
    byte[] imageByte = Base64.getDecoder().decode(base64Image);
    try {
        doc = new PDDocument();
        PDPage page = new PDPage();
        doc.addPage(page);
        PDFont font = PDType1Font.HELVETICA_BOLD;
        PDPageContentStream contentStream = new PDPageContentStream(doc, page);

        // ImageIO.read returns null (rather than throwing) when no installed
        // reader recognises the bytes; without this check PDPixelMap would NPE.
        BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));
        if (bufImg == null) {
            throw new IOException("not a recognised image format");
        }
        PDXObjectImage ximage = new PDPixelMap(doc, bufImg);

        contentStream.beginText();
        contentStream.setFont(font, 12);
        contentStream.moveTextPositionByAmount(50, 700);
        contentStream.drawString("Timeline");
        contentStream.endText();
        contentStream.drawXObject(ximage, 20, 500, ximage.getWidth() / 2, ximage.getHeight() / 2);
        contentStream.close();
        // Fixed file name in the server's working directory: concurrent
        // requests overwrite each other's output.
        doc.save("testCharts.pdf");
    } catch (Exception e) {
        // Swallowing the exception returns success to the caller even
        // when no PDF was written.
        System.err.println(e.getMessage());
    } finally {
        if (doc != null) {
            doc.close();
        }
    }
}

Regards,

Timo

Re: Safe to take base64 image from client?

Posted by Aaron Mulder <am...@gmail.com>.
Don't you think it's worth validating the submitted content before the
comma, and perhaps inspecting the first few bytes of the "image data"
to ensure they comply with the header bytes required by the PNG or
JPEG spec?

I'm sure there would still be ways to mess with your code by feeding
it a malformed image file, but at least you can immediately discard
anything that's obviously not a raw image.

(Like, what if someday ImageIO decides to accept images in PDFs, and
as a side effect runs any Javascript in the PDF, or whatever...)

Thanks,
      Aaron
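A check along the lines Aaron describes, written as an added example for this thread (it is not code from the original post, nor from PDFBox): it takes the data URL the front-end sends, accepts only an exact whitelisted prefix before the comma, decodes with the strict java.util.Base64 decoder, compares the leading bytes against the PNG and JPEG signatures, and reads the dimensions from the image header before letting ImageIO decode any pixels, so an image that declares absurd dimensions is rejected before the large allocation rather than after it. The class name, the size and dimension limits, and the assumption that the front-end only ever sends PNG or JPEG are mine, not the list's.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.Iterator;
import java.util.Locale;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

/** Validates a client-supplied image data URL and returns the decoded pixels, or throws. */
public final class ClientImageValidator {

    // Illustrative limits (assumed); tune them to what the chart front-end actually produces.
    static final int MAX_ENCODED_CHARS = 4 * 1024 * 1024;   // roughly 3 MiB decoded
    static final int MAX_WIDTH = 4000;
    static final int MAX_HEIGHT = 4000;

    // File signatures from the PNG and JPEG specifications.
    private static final byte[] PNG_MAGIC = {
        (byte) 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
    private static final byte[] JPEG_MAGIC = {
        (byte) 0xFF, (byte) 0xD8, (byte) 0xFF };

    public static BufferedImage decode(String dataUrl) throws IOException {
        if (dataUrl == null || dataUrl.length() > MAX_ENCODED_CHARS) {
            throw new IOException("payload missing or too large");
        }
        int comma = dataUrl.indexOf(',');
        if (comma < 0) {
            throw new IOException("not a data URL");
        }
        String header = dataUrl.substring(0, comma).toLowerCase(Locale.ROOT);
        String payload = dataUrl.substring(comma + 1);

        // 1. Only the exact prefixes the front-end is known to send (assumed: PNG or JPEG).
        String declared;
        if (header.equals("data:image/png;base64")) {
            declared = "png";
        } else if (header.equals("data:image/jpeg;base64")) {
            declared = "jpeg";
        } else {
            throw new IOException("unsupported data URL header: " + header);
        }

        // 2. Strict Base64: characters outside the alphabet are an error, not silently skipped.
        byte[] bytes;
        try {
            bytes = Base64.getDecoder().decode(payload);
        } catch (IllegalArgumentException e) {
            throw new IOException("malformed base64", e);
        }

        // 3. The leading bytes must agree with the declared media type.
        String sniffed = sniff(bytes);
        if (!declared.equals(sniffed)) {
            throw new IOException("header says " + declared + " but bytes look like " + sniffed);
        }

        // 4. Read width/height from the image header first; reject oversized
        //    images before ImageIO allocates a full-size pixel buffer.
        try (ImageInputStream iis = ImageIO.createImageInputStream(new ByteArrayInputStream(bytes))) {
            Iterator<ImageReader> readers = ImageIO.getImageReadersByFormatName(declared);
            if (!readers.hasNext()) {
                throw new IOException("no ImageIO reader installed for " + declared);
            }
            ImageReader reader = readers.next();
            try {
                reader.setInput(iis, true, true);
                int w = reader.getWidth(0);
                int h = reader.getHeight(0);
                if (w <= 0 || h <= 0 || w > MAX_WIDTH || h > MAX_HEIGHT) {
                    throw new IOException("image dimensions out of range: " + w + "x" + h);
                }
                BufferedImage img = reader.read(0);
                if (img == null) {
                    throw new IOException("image could not be decoded");
                }
                return img;
            } finally {
                reader.dispose();
            }
        }
    }

    /** Returns "png", "jpeg" or "unknown" based on the leading bytes. */
    static String sniff(byte[] b) {
        if (startsWith(b, PNG_MAGIC)) {
            return "png";
        }
        if (startsWith(b, JPEG_MAGIC)) {
            return "jpeg";
        }
        return "unknown";
    }

    private static boolean startsWith(byte[] b, byte[] prefix) {
        if (b.length < prefix.length) {
            return false;
        }
        for (int i = 0; i < prefix.length; i++) {
            if (b[i] != prefix[i]) {
                return false;
            }
        }
        return true;
    }
}
```

In the endpoint above, the split/decode/ImageIO.read lines would become a single `BufferedImage bufImg = ClientImageValidator.decode(base64ImageData);`, with the IOException mapped to a 400 response rather than swallowed. This only checks the envelope: the ImageIO reader still parses attacker-controlled bytes, so Aaron's caveat about malformed files stands, and a request-size limit at the JAX-RS layer belongs in front of it.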


On Mon, May 29, 2017 at 1:29 PM, Timo Vander Schuit
<ti...@globalrelay.net> wrote:

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org