The same origin policy allows local files to be read by default

[1135]

wkhtmltopdf version(s) affected:
all version ( <=0.12.5 )

OS information
All supported OS

Description
Because the same-origin policy is not strict enough, the html files under the file domain can read any files.

How to reproduce

Create an HTML file named 111.html
The file contents are as follows.

<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<body>

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>

</body></html>

Convert HTML to PDF:

wkhtmltopdf  /tmp/111.html  /tmp/result.pdf

Expected behavior
View the file named result.pdf contents, you will see the contents of the file /etc/passwd!

Possible Solution
Make a strict same-origin policy or set a security option, to prevent HTML documents under the file domain from reading any files.

[ashkulz]

Hmm, does that work with --disable-local-file-access? I think the opposite is the default for backward compatibility reasons, but not sure if it should be made the default now.

[1135]

Great.-n --disable-local-file-access effectively prevents local file reading.
That is to say, the local file read will succeed only if this option is not used(default).
I understand it.You have the final say~

[ashkulz]

I'm thinking that it's better to switch the default, as you weren't aware of it and you were reporting what you thought was a vulnerability! Discoverability seems to be low, and if it breaks for someone they can easily fix it. I'd appreciate a PR changing the default 👍

[1135]

wkhtmltopdf is practical and used widely.
I found that someone had built a web service, and called wkhtmltopdf on the back end without considering security. As a result, it is not difficult for hackers to get information of the server remotely. so I reported the risk of this default configuration.
As you said, the PR will make it better~

[ashkulz]

Great, will wait for one from you then!

[ashkulz]

A release candidate for the 0.12.6 release is now available for download, which should contain changes which possibly address this issue.

Would appreciate downloading the package and reporting back if any issues are encountered during testing. Assuming all goes well, I plan to release 0.12.6 on the 2-year anniversary of the previous release i.e. June 11, 2020.

[pedrofurtado]

How to revert, using 0.12.6, to previous behavior? Is there some flag?

[ashkulz]

You can always use --enable-local-file-access.

[iturbe]

The latest update broke my program in which i'm using the following line within a python file:

imgkit.from_file('output/htmls/' + str(idx) + '.html', jpeg_output_path + str(number) + '_out.jpg')

How/where should i add in the --enable-local-file-access for it to work again?

Thanks in advance!

[ashkulz]

@iturbe: Looks like you're using imgkit ... please create a ticket there to document this, but you probably need to add { 'enable-local-file-access': None } as the last parameter.

[iturbe]

@ashkulz Thank you!

[jsmpereira]

Another option is to use --allow <path> to specify the folder(s) from which local files are allowed to be loaded.

[Javier-Sossa]

You can always use --enable-local-file-access.

where to put "--enable-local-file-access" ??

[der-Lehmann]

You can always use --enable-local-file-access.

where to put "--enable-local-file-access" ??

That depends on whether you use a wrapper for wkhtmltopdf or use the program without one. In my case, I am using laravel snappy, I can include the option like that: $snappy->setOption('enable-local-file-access', true);

Should you use it directly you just append the option to the command like that I guess: wkhtmltopdf --enable-local-file-access https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536 example.pdf