The same origin policy allows local files to be read by default #4536
Comments
Hmm, does that work with |
Great. |
I'm thinking that it's better to switch the default, as you weren't aware of it and you were reporting what you thought was a vulnerability! Discoverability seems to be low, and if it breaks for someone they can easily fix it. I'd appreciate a PR changing the default 👍 |
|
Great, will wait for one from you then! |
A release candidate for the 0.12.6 release is now available for download, which should contain changes which possibly address this issue. Would appreciate downloading the package and reporting back if any issues are encountered during testing. Assuming all goes well, I plan to release 0.12.6 on the 2-year anniversary of the previous release i.e. June 11, 2020. |
How to revert, using 0.12.6, to previous behavior? Is there some flag? |
You can always use |
The latest update broke my program in which i'm using the following line within a python file:
How/where should i add in the Thanks in advance! |
@ashkulz Thank you! |
Another option is to use |
where to put "--enable-local-file-access" ?? |
That depends on whether you use a wrapper for wkhtmltopdf or use the program without one. In my case, I am using laravel snappy, I can include the option like that: Should you use it directly you just append the option to the command like that I guess: |
wkhtmltopdf version(s) affected:
all version ( <=0.12.5 )
OS information
All supported OS
Description
Because the same-origin policy is not strict enough, the html files under the
file
domain can read any files.How to reproduce
Create an HTML file named
111.html
The file contents are as follows.
Convert HTML to PDF:
Expected behavior
View the file named
result.pdf
contents, you will see the contents of the file/etc/passwd
!Possible Solution
Make a strict same-origin policy or set a security option, to prevent HTML documents under the
file
domain from reading any files.The text was updated successfully, but these errors were encountered: