diff options
author | Ken Sharp <ken.sharp@artifex.com> | 2023-03-24 15:19:24 +0000 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2023-03-24 15:33:43 +0000 |
commit | 3635f4c75e54e337a4eebcf6db3eef0e60f9cebf (patch) | |
tree | a4f478ae0a237ad8d285609aae65d96db81b2f1c /Resource | |
parent | 37ed5022cecd584de868933b5b60da2e995b3179 (diff) | |
download | ghostpdl-3635f4c75e54e337a4eebcf6db3eef0e60f9cebf.tar.gz |
PostScript filters - remove non-standard filters when SAFER is true
Following on from bug #706494, there are a whole bunch of non-standard
filters, some of these are required for the old PDF interpreter
written in PostScript, some appear to have been included just for
symmetry with the Decode filters and some are gneuinely used by our
own support PostScript.
This code undefines all the filters we can from filterdict, thus
preventing any of those from being used maliciously. We do have to
retain /ImscaleDecode, /eexecDecode, /PFBDecode and /TBCPDecode as
these are used by the PostScript support files.
Diffstat (limited to 'Resource')
-rw-r--r-- | Resource/Init/gs_init.ps | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps index 7af812970..06153f846 100644 --- a/Resource/Init/gs_init.ps +++ b/Resource/Init/gs_init.ps @@ -2407,6 +2407,15 @@ currentdict /.locksafeglobal .undef %% ---------------- SAFER stuff END -------------------%% +/UndefinePostScriptFilters { + [ + /BCPEncode /TBCPEncode /PNGPredictorEncode /PNGPredictorDecode /PixelDifferenceDecode /PixelDifferenceEncode + /zlibEncode /zlibDecode /PWGDecode /eexecEncode /ArcfourEncode /PSStringEncode /MD5Encode /BCPDecode + /OLDPDF where {/OLDPDF get not {/SHA256Encode /AESDecode /JPXDecode /JBIG2Decode /ArcfourDecode /.EOFDecode} if} if + ] + {filterdict exch undef} forall +} .bind executeonly def + /UndefinePostScriptOperators { % This list is of operators which no longer appear to be used, and which we do not believe % to have any real use. For now we will undefine the operstors so they cannot easily be used @@ -2545,6 +2554,7 @@ currentdict /.locksafeglobal .undef ] {statusdict exch .forceundef} forall + //systemdict /UndefinePostScriptFilters .forceundef //systemdict /UndefinePostScriptOperators .forceundef } .bind executeonly def % must be bound and hidden for .forceundef @@ -2565,6 +2575,7 @@ currentdict /.locksafeglobal .undef SAFER { //systemdict /SAFERUndefinePostScriptOperators get exec } if + //systemdict /UndefinePostScriptFilters get exec //systemdict /UndefinePostScriptOperators get exec //systemdict /.forcecopynew .forceundef % remove temptation //systemdict /.forceput .forceundef % ditto @@ -2652,6 +2663,7 @@ FontDirectory readonly pop % If we are using DELAYBIND we have to defer the undefinition % until .bindnow. DELAYBIND not { + //systemdict /UndefinePostScriptFilters get exec //systemdict /UndefinePostScriptOperators get exec } if end |