Skip to content

Fix command injection#13

Merged
runlevel5 merged 2 commits into
masterfrom
update-security
Jun 5, 2026
Merged

Fix command injection#13
runlevel5 merged 2 commits into
masterfrom
update-security

Conversation

@runlevel5

Copy link
Copy Markdown
Contributor

No description provided.

runlevel5 added 2 commits June 5, 2026 18:30
All pdftk invocations were built by string interpolation and run via
%x{}, so file names containing shell metacharacters were interpreted
by the shell - command injection whenever an application passes
user-controlled paths.

Switch to Open3.capture2e with array arguments, which spawns pdftk
directly without any shell:

- call_pdftk now passes its arguments to the process verbatim;
  callers no longer need (or want) to quote paths
- cat keeps its documented wildcard support by expanding globs with
  Dir.glob instead of relying on the shell
- encrypt_options strings are tokenized with Shellwords.split to
  preserve the old word-splitting behaviour
- PdftkError messages still show a copy-pasteable command line,
  rendered with Shellwords.join

Adds a regression test filling a form whose destination is
'weird $(touch hacked); name.pdf' and asserting the name is treated
literally and nothing executes.
@runlevel5
runlevel5 added this pull request to the merge queue Jun 5, 2026
Merged via the queue into master with commit 9dcec94 Jun 5, 2026
3 checks passed
@runlevel5
runlevel5 deleted the update-security branch June 5, 2026 16:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant