Unsanitized string vulnerability in PDFKit <=0.5.2 #164

Closed
devn opened this issue Feb 21, 2013 · 0 comments

devn commented Feb 21, 2013

Unsanitized String Vulnerability in PDFKit <= 0.5.2

There is a vulnerability in PDFKit <= 0.5.2 that puts applications
at risk of Remote Code Execution through improperly escaped
strings. This vulnerability has been given the CVE identifier
CVE-2013-1607.

Versions Affected: 0.5.2 and all earlier versions
Not affected: 0.5.3

Impact

If developers allow users to set parameters for the generation of
a PDF, an attacker can execute shell code via PDFKit generation
options.

A vulnerable application may look like the following:

html = '<html><head><title>Foo</title></head><body>Anything</body></html>'
PDFKit.new(html, :page_size => params[:page_size]).to_pdf

All users on versions of PDFKit prior to 0.5.2 should upgrade to
0.5.3 immediately.

Releases

The 0.5.3 release is available via rubygems and GitHub.

Workarounds

Sanitize user-provided arguments to PDFKit prior to the generation
of a PDF:

 params[:page_size].shellescape

Credits

Thank you to Hans-Martin Münch (it.sec, GmbH & Co. KG) for the report.
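As an added illustration of the workaround above (example code, not from the advisory or from PDFKit itself), the Ruby below shows the `shellescape` treatment the advisory recommends alongside a stricter allowlist check for an option such as `:page_size`; the `ALLOWED_PAGE_SIZES` list, `validated_page_size`, `escaped_option` and `build_command` are assumptions made for this example.

```ruby
# Added example: defensive handling of a user-controlled PDF option
# (such as :page_size) before it reaches the wkhtmltopdf command line.
# Nothing here is PDFKit's own code; helper names are assumptions.
require 'shellwords'

# wkhtmltopdf accepts a small, known set of page sizes, so an allowlist is
# the strongest check: anything outside it is rejected, not escaped.
# (The list below is a constructed subset for the example.)
ALLOWED_PAGE_SIZES = %w[A3 A4 A5 Letter Legal Tabloid].freeze

def validated_page_size(value)
  size = value.to_s
  unless ALLOWED_PAGE_SIZES.include?(size)
    raise ArgumentError, "unsupported page size: #{size.inspect}"
  end
  size
end

# Fallback for free-form options: Shellwords.escape prefixes every shell
# metacharacter with a backslash so the value stays a single literal
# argument. This is what the advisory's `params[:page_size].shellescape`
# does (String#shellescape is defined by the same library).
def escaped_option(value)
  Shellwords.escape(value.to_s)
end

# Build the argument vector for the generator. Validating the option and
# handing an array (rather than one interpolated string) to the process
# spawner means the value is never parsed by a shell at all.
def build_command(page_size, input = '-', output = '-')
  ['wkhtmltopdf', '--page-size', validated_page_size(page_size), input, output]
end
```

`Shellwords.split(escaped_option(v))` returns `[v]` for any string `v`, which is a quick way to confirm the escaped value would be read back as exactly one argument.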
