
Demo Viewer Content Spoofing Vulnerability


Brendan Dahl

Jan 22, 2016, 2:25:12 PM
to dev-pdf-js
Issue:
The demo viewer allows PDFs to be fetched by using the "file" query
parameter in the URL to specify the PDF's URL (e.g.
https://mozilla.github.io/pdf.js/web/viewer.html?file=http://someotherdomain.org/doc.pdf).
The "file" parameter accepts any URL (including data URLs) which could
allow the viewer to display any documents permitted by an XHR request or a
document encoded in a data URL. While this behavior was intended for our
demo viewer, this behavior may not be expected for third-party uses of the
demo viewer as it could make it appear a PDF is hosted on a site, but it is
actually coming from somewhere else.

Who's Affected:
Developers who use the demo PDF viewer on their own sites. The version of
PDF.js in Firefox and the Chrome plugin are NOT affected.

Fix:
By default we're going to start requiring that the PDF be hosted on the
same domain as the viewer. This behavior can be modified if it is not
desired.

We've rolled out fixed stable[1] and pre-release branches and we recommend
developers update. If a full update isn't possible we recommend applying a
patch[2].

[1] https://github.com/mozilla/pdf.js/releases/tag/v1.3.90
[2] https://gist.github.com/yurydelendik/f90376dea2b2e3152640#file-pdfjs_viewer_file_origin-diff
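The default described in the message above (only load a PDF that comes from the viewer's own origin), sketched as an added example that is not part of the original post or of the PDF.js patch. The names `checkFileParam` and `allowedOrigins` and the docs.example.org URLs are assumptions made for illustration; `allowedOrigins` stands in for a site that deliberately relaxes the default.

```javascript
// Added example; checkFileParam and allowedOrigins are hypothetical names.
function checkFileParam(viewerHref, allowedOrigins = []) {
  const viewer = new URL(viewerHref);
  const file = viewer.searchParams.get('file');
  if (!file) {
    return { allowed: false, reason: 'no file parameter' };
  }
  let target;
  try {
    // Resolve against the viewer URL, as the browser would, so relative
    // paths and protocol-relative URLs ("//host/x.pdf") are normalised
    // before any comparison is made.
    target = new URL(file, viewer.href);
  } catch (err) {
    return { allowed: false, reason: 'unparsable URL' };
  }
  // data: (and other non-hierarchical) URLs have the opaque origin "null".
  // Never let "null" count as a match, e.g. for a viewer opened from file://.
  if (target.origin === 'null' || viewer.origin === 'null') {
    return { allowed: false, reason: 'opaque origin (' + target.protocol + ')' };
  }
  if (target.origin === viewer.origin) {
    return { allowed: true, reason: 'same origin' };
  }
  if (allowedOrigins.includes(target.origin)) {
    return { allowed: true, reason: 'allow-listed origin' };
  }
  return { allowed: false, reason: 'cross-origin: ' + target.origin };
}

// Constructed sample requests against a constructed viewer location.
const VIEWER = 'https://docs.example.org/pdfjs/web/viewer.html';
const SAMPLES = [
  '?file=/files/report.pdf',
  '?file=http://someotherdomain.org/doc.pdf',
  '?file=//someotherdomain.org/doc.pdf',
  '?file=http://docs.example.org/files/report.pdf',
  '?file=data:application/pdf;base64,AAAA',
];
for (const query of SAMPLES) {
  const result = checkFileParam(VIEWER + query);
  console.log(query, '->', result.allowed ? 'LOAD' : 'REFUSE', '(' + result.reason + ')');
}
```

Only the first sample is loaded: the others differ from the viewer in host, in scheme, or have no origin at all.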

ydel...@mozilla.com

Jan 24, 2016, 1:47:39 PM
to mozilla-d...@lists.mozilla.org
On Friday, January 22, 2016 at 1:25:12 PM UTC-6, Brendan Dahl wrote:
> [1] https://github.com/mozilla/pdf.js/releases/tag/v1.3.90

The stable version was changed to 1.3.91 [1] to include an additional change that was caused by the uplifting of certain commits to the stable branch (see also [3]).

[1] https://github.com/mozilla/pdf.js/releases/tag/v1.3.91
[2] https://gist.github.com/yurydelendik/f90376dea2b2e3152640
[3] https://github.com/mozilla/pdf.js/issues/6920