Posted to users@pdfbox.apache.org by Knüppel, Pascal <Pa...@governikus.de> on 2021/10/19 12:10:11 UTC

pdf-code injection?

Hi,

we are using Apache PDFBox to simply add a new page with some text to an already existing PDF file. Now we got a new requirement that requires us to insert free text chosen by the customer into the file. This actually makes me somewhat nervous, because I am not sure whether it is possible to inject malicious code into the PDF file using the following code block:
contentStream.beginText();
contentStream.setFont(font, fontSize);
contentStream.newLineAtOffset(marginLeft, texty);
contentStream.showText(text);
contentStream.endText();

Can anyone help me here?
My guess would be that it is not possible, because PDFBox is probably inserting the text - whatever it may contain - as simple text into the PDF file. But I am not sure about it.

Best regards
Pascal



Hauptsitz: Hochschulring 4, 28359 Bremen
Niederlassungen: Universitätsstr. 2, 10117 Berlin | Herwarthstraße 1, 50672 Köln | Johannesstr. 162, 99084 Erfurt

Governikus GmbH & Co. KG
Aufsichtsratsvorsitzende: Carola Heilemann-Jeschke
Geschäftsführer: Dr. Stephan Klein, Holger Mohrmann
Amtsgericht Bremen HRA 22041 | St.-Nr. 60/100/04568 | USt-ID DE203827312

Persönlich haftende Gesellschafterin:
Governikus Bremen GmbH
Geschäftsführer: Dr. Stephan Klein, Holger Mohrmann Amtsgericht Bremen HRB 18756


****************************************************
Veranstaltungsvorschau: Besuchen Sie uns...
SCCON | 26.-27.10.2021 | Virtuell https://www.smartcountry.berlin/de/
8. Zukunftskongress Staat & Verwaltung | 13.-15.12.2021 | bcc Berlin https://www.zukunftskongress.info/de/8-Zukunftskongress
OMNISECURE | 24.-26.01.2022 | Berlin https://omnisecure.berlin/
Governikus Jahrestagung | 23.-24.02.2022 | Berlin https://www.jahrestagung.governikus.de/

Re: pdf-code injection?

Posted by Tilman Hausherr <TH...@t-online.de>.
Hi,

No, because the text is just text: delimiters like ")" are escaped when used in showText. There is no "PDF injection" this way. "Little Bobby Tables" won't be successful.

Tilman


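The following is an added example, not code from this thread or from the PDFBox project itself; the class name ShowTextInjectionCheck and the payload string are constructed for illustration, and the code assumes the PDFBox 2.0.x API (PDDocument.load and PDType1Font.HELVETICA were changed in 3.0). It writes a string that tries to close the literal and smuggle in its own operators, then dumps the page's decoded content stream so you can see the escaping Tilman describes, round-trips the file through PDFTextStripper, and finally exercises the failure mode free text really does hit: characters the font's encoding cannot represent make showText throw instead of writing anything.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.pdfbox.io.IOUtils;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.PDPageContentStream;
import org.apache.pdfbox.pdmodel.font.PDFont;
import org.apache.pdfbox.pdmodel.font.PDType1Font;
import org.apache.pdfbox.text.PDFTextStripper;

/**
 * Added example (not part of the thread): writes attacker-controlled text with
 * showText and inspects the resulting content stream. Assumes PDFBox 2.0.x.
 */
public class ShowTextInjectionCheck
{
    // Constructed payload: tries to close the string literal, end the text
    // object (ET), draw a filled rectangle, then open a new literal.
    static final String PAYLOAD =
            "Hello) Tj ET q 1 0 0 rg 0 0 600 800 re f Q BT (pwned";

    public static void main(String[] args) throws IOException
    {
        try (PDDocument doc = new PDDocument())
        {
            PDPage page = new PDPage();
            doc.addPage(page);
            PDFont font = PDType1Font.HELVETICA;

            // Same sequence of calls as in the question
            try (PDPageContentStream cs = new PDPageContentStream(doc, page))
            {
                cs.beginText();
                cs.setFont(font, 12);
                cs.newLineAtOffset(50, 700);
                cs.showText(PAYLOAD);
                cs.endText();
            }

            // 1. Decoded content stream of the page. PDFBox escapes '(', ')'
            //    and '\' inside the literal, so the whole payload remains a
            //    single string operand of one Tj; the operators the attacker
            //    typed are just bytes inside that string.
            byte[] raw;
            try (InputStream in = page.getContents())
            {
                raw = IOUtils.toByteArray(in);
            }
            String content = new String(raw, StandardCharsets.ISO_8859_1);
            System.out.println(content);
            if (!content.contains("\\) Tj ET") || !content.contains("BT \\(pwned)"))
            {
                throw new AssertionError("delimiters were not escaped: " + content);
            }

            // 2. Round trip: a reader sees the payload as plain text.
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            doc.save(out);
            try (PDDocument reloaded = PDDocument.load(out.toByteArray()))
            {
                String text = new PDFTextStripper().getText(reloaded).trim();
                System.out.println("extracted: " + text);
            }

            // 3. The practical failure mode for free text: a character the
            //    font encoding cannot represent (a newline with a standard 14
            //    font and WinAnsiEncoding) makes encode/showText throw an
            //    IllegalArgumentException rather than producing a PDF.
            try
            {
                font.encode("line one\nline two");
                System.out.println("unexpected: newline was encodable");
            }
            catch (IllegalArgumentException e)
            {
                System.out.println("rejected by font encoding: " + e.getMessage());
            }
        }
    }
}
```

Run it with pdfbox-2.0.x on the classpath; the printed stream shows a single literal of the form (Hello\) Tj ET ... BT \(pwned) Tj. Step 3 is the part to plan for in practice: customer text with line breaks or characters outside the font's encoding will not inject anything, but it will make the request fail unless you filter the input or embed a font (PDType0Font) that covers it.
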
Re: pdf-code injection?

Posted by Knüppel, Pascal <Pa...@governikus.de>.
Thanks for the fast response, this is really helpful and it sounds pretty relieving. :-)

Best regards
Pascal


Re: pdf-code injection?

Posted by Waldemar Dick <wa...@skribble.com.INVALID>.
Hello Pascal,

It is just simple text, which is displayed and not interpreted or executed.
I would say, no risk there.

The only risk would be if the font rendering application had some security bug. But this shouldn't be your concern.

Best
Waldemar

Waldemar Dick
signing & security