fenix/cpdf-source
1
0
Fork 0
mirror of https://github.com/johnwhitington/cpdf-source.git synced 2025-05-05 20:28:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

Begin to check for injectible commands

Browse Source
This commit is contained in:
John Whitington 2025-04-24 16:30:40 +01:00
parent 505eb56e74
commit b6a9d3074b
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Changes
View File

@ -9,6 +9,12 @@ Extended features:
o -thinlines can ensure maximum as well as minimum thickness o -thinlines can ensure maximum as well as minimum thickness
o New -decompress-just-content for easier content stream debugging o New -decompress-just-content for easier content stream debugging
Fixes:
* Sanitizes inputs to prevent command injection attacks
* = Supported by a grant from NLnet
2.8.1 (April 2025) 2.8.1 (April 2025)
New features: New features:

5
cpdfcommand.ml
View File

@ -1637,12 +1637,15 @@ let setimageresolution f =
args.op <- Some (ImageResolution f) args.op <- Some (ImageResolution f)
let setimpath p = let setimpath p =
Cpdfutil.check_injectible p;
args.path_to_im <- p args.path_to_im <- p
let setjbig2encpath p = let setjbig2encpath p =
Cpdfutil.check_injectible p;
args.path_to_jbig2enc <- p args.path_to_jbig2enc <- p
let setp2ppath p = let setp2ppath p =
Cpdfutil.check_injectible p;
args.path_to_p2p <- p args.path_to_p2p <- p
let setfrombox s = let setfrombox s =
@ -2804,7 +2807,7 @@ let specs =
Arg.String setpostpend, Arg.String setpostpend,
" Postpend content to page"); " Postpend content to page");
("-gs", ("-gs",
Arg.String (fun s -> args.path_to_ghostscript <- s), Arg.String (fun s -> Cpdfutil.check_injectible s; args.path_to_ghostscript <- s),
" Path to gs executable"); " Path to gs executable");
("-gs-malformed", ("-gs-malformed",
Arg.Unit setgsmalformed, Arg.Unit setgsmalformed,