author | Ken Sharp <ken.sharp@artifex.com> | 2018-08-24 12:59:45 +0100 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2018-08-24 12:59:45 +0100 |
commit | b0a3854751363657998d4c9bd33c290bf9d07c67 (patch) | |
tree | c2c76ab0b26930123280acd26faa84f64d87c1a4 | |
parent | e01e77a36cbb2e0277bc3a63852244bec41be0f6 (diff) | |
download | ghostpdl-b0a3854751363657998d4c9bd33c290bf9d07c67.tar.gz |
Improve PDF operator hiding

Firstly, hide the .setdistillerparams operator, if we try to use this
with a device which doesn't accept distiller params it could cause
problems. The setdistillerparams operator checks the device before
calling .setdistillerparams. This change is needed in *both*
pdf_main.ps and gs_init.ps (see next)

Secondly, fix the code for hiding PDF operators, when DELAYBIND is
true. We can't undefine the operators in pdf_main.ps if DELAYBIND
is true, because the procedures using them won't have been bound yet.
So we duplicate the code for removing the operators in gs_init.ps
and call that during .bindnow, after all the deferred binding has been
completed.

Previously the code for hiding the PDF and PostScript operators had been
left commented out, meaning that if a user chose DELAYBIND (which is
itself a massive security hole) then this minor layer of security
would not have been activated.

-rw-r--r-- | Resource/Init/gs_init.ps | 7 |
-rw-r--r-- | Resource/Init/pdf_main.ps | 1 |
2 files changed, 6 insertions, 2 deletions
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps index db3f7fe66..90d68c7ee 100644 --- a/Resource/Init/gs_init.ps +++ b/Resource/Init/gs_init.ps @@ -2235,6 +2235,8 @@ SAFER { .setsafeglobal } if %% Since each operator is a potential security vulnerability, and any operator listed here %% is not required once the initislisation is complete and functions are bound, we undefine %% the ones that aren't needed at runtime. +%% This function is only called if DELAYBIND is true. It is a copy of the code at the end of pdf_main.ps +%% and must be maintained in parallel with it. [ /.pdfawidthshow /.pdfwidthshow /.currentblackptcomp /.setblackptcomp /.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent @@ -2248,6 +2250,7 @@ SAFER { .setsafeglobal } if /.setfillconstantalpha /.setalphaisshape /.currentalphaisshape /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading /.settextrise /.currenttextrise /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling /.setPDFfontsize /.currentPDFfontsize +/.setdistillerparams % Used by our own test suite files %/.pushpdf14devicefilter % transparency-example.ps @@ -2277,8 +2280,8 @@ SAFER { .setsafeglobal } if //systemdict /.delaybind {} .forceput % reclaim the space //systemdict /.bindnow .forceundef % ditto put -% //systemdict /UndefinePostScriptOperators get exec -% //systemdict /UndefinePDFOperators get exec + //systemdict /UndefinePostScriptOperators get exec + //systemdict /UndefinePDFOperators get exec //systemdict /.forcecopynew .forceundef % remove temptation //systemdict /.forcedef .forceundef % ditto //systemdict /.forceput .forceundef % ditto diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps index 651689543..ae3dca9c2 100644 --- a/Resource/Init/pdf_main.ps +++ b/Resource/Init/pdf_main.ps 
@@ -3410,6 +3410,7 @@ DELAYBIND not { /.setfillconstantalpha /.setalphaisshape /.currentalphaisshape /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading /.settextrise /.currenttextrise /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling +/.setdistillerparams % Used by our own test suite files %/.pushpdf14devicefilter % transparency-example.ps |
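
Review bot: The comment added at the top of the operator list in gs_init.ps (hunk at -2235) makes correctness depend on two hand-maintained copies of the list staying identical, and nothing in the patch enforces that. Consider defining the list once and having both the `DELAYBIND not {` path in pdf_main.ps and the .bindnow path refer to it, or add a regression test that fails when the two lists differ. If the copies drift, an operator would stay reachable in one mode only, which is the same kind of gap the commit message describes for DELAYBIND. The unchanged context line just above the new comment also carries the typo "initislisation".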
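
Review bot: The two calls enabled in the gs_init.ps hunk at -2277 (`//systemdict /UndefinePostScriptOperators get exec` and the matching /UndefinePDFOperators line) use a bare `get`, which raises an undefined error if either key is missing from systemdict when this code runs. Please confirm both procedures are always defined on every path that reaches this point, and say so in a comment; failing loudly is preferable to silently skipping the hiding, but it should be a deliberate choice. Since these lines sat commented out until now, a regression test that starts with DELAYBIND, runs .bindnow, and then checks that an entry from the list such as /.setdistillerparams is no longer defined would keep this from quietly regressing. The hunk also does not show the two Undefine* procedures themselves being removed after they run; if they are not needed afterwards, undefine them next to the .forcecopynew, .forcedef and .forceput removals.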
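
Review bot: The /.setdistillerparams entry added in the pdf_main.ps hunk (inside `DELAYBIND not {`) sits directly above the "% Used by our own test suite files" comment with no explanation of its own. A one-line comment stating that the public setdistillerparams procedure performs the device check and is the only intended caller would record why the raw operator can be hidden and why that procedure must already be bound when the list is processed. The same applies to the matching line added to the copy of the list in gs_init.ps.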