file inclusion possible if user-supplied image or font is used #383

Closed
felixgr opened this Issue August 10, 2012 · 1 comment

felixgr

If a font is used with a user-supplied file name it would enable the attacker to include a TTF or DFONT file (or a file which looks similar) from the local disk. Directory traversal with ../ is possible. Filename extension overwrite (like PHP) using \x00 is not. The AFM font files are whitelisted, TTF and DFONT are not.

Similarly, an image call with user-supplied file name enables local file inclusion like above.

In all cases the included file has to adhere to certain format restrictions.

Brad Ediger
Collaborator

See #384. The core problem comes from blindly trusting the user's input, not from a bug in Prawn. The ability to include arbitrary fonts or images from disk is a feature in Prawn, not a bug. If you want to allow an end user to specify images or fonts while whitelisting or blacklisting certain ones, you need to implement that sanitization in user code.
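Added example (Ruby, not Prawn's own code): one way to do the sanitization in user code that the comment above asks for, resolving a user-supplied name against an allowlisted asset directory before passing it to Prawn's `font` or `image`. The directory layout, extension lists and file names are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Extensions we are willing to hand to Prawn, per asset kind (assumed lists).
ALLOWED_EXTENSIONS = {
  font:  %w[.ttf .dfont .afm],
  image: %w[.png .jpg .jpeg],
}.freeze

# Returns the absolute path of the asset only if user_name is a bare file name
# that resolves to a regular file inside base_dir with an allowed extension;
# returns nil for traversal, absolute paths, NUL bytes, symlink escapes, etc.
def safe_asset_path(user_name, base_dir, kind)
  return nil if user_name.nil? || user_name.empty? || user_name.include?("\0")
  # Only a bare file name is accepted: no "../", no absolute paths, no subdirs.
  return nil unless File.basename(user_name) == user_name
  return nil unless ALLOWED_EXTENSIONS.fetch(kind).include?(File.extname(user_name).downcase)

  base = File.realpath(base_dir)
  candidate = File.join(base, user_name)
  return nil unless File.file?(candidate)
  # realpath follows symlinks; reject anything that escapes the base directory.
  resolved = File.realpath(candidate)
  return nil unless resolved.start_with?(base + File::SEPARATOR)
  resolved
end

# Intended call site (hypothetical): pdf.font(safe_asset_path(params[:font], FONT_DIR, :font) || DEFAULT_FONT)

# Demo against a constructed asset directory created under a temp dir.
def demo
  Dir.mktmpdir("prawn_assets") do |dir|
    fonts = File.join(dir, "fonts")
    FileUtils.mkdir_p(fonts)
    File.write(File.join(fonts, "body.ttf"), "stub font bytes")
    File.write(File.join(dir, "secret.txt"), "not for inclusion")
    {
      ok:        safe_asset_path("body.ttf", fonts, :font),        # allowed
      traversal: safe_asset_path("../secret.txt", fonts, :font),  # nil
      absolute:  safe_asset_path("/etc/passwd", fonts, :font),    # nil
      bad_ext:   safe_asset_path("secret.txt", fonts, :font),     # nil
      nul_byte:  safe_asset_path("body.ttf\0.afm", fonts, :font), # nil
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```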

Brad Ediger bradediger closed this August 12, 2012