Skip Menu |
 

This queue is for tickets about the PDF-API2 CPAN distribution.

Report information
The Basics
Id: 77692
Status: resolved
Priority: 0/
Queue: PDF-API2

People
Owner: Nobody in particular
Requestors: alexe [...] ed.ca
dietrich.streifert [...] googlemail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.019
Fixed in: 2.022



Subject: Calls with static values to Float cause taint issues when used in taint mode.
Download (untitled) / with headers
text/plain 746b
When running a script that generates PDF::API2 document with taint mode -wT, calls to float in PDF/API2/Util.pm will cause a taint exception when passed to the ABS function. In some cases these errors were reasonable, since they flowed down from user selected data (like an image width). However calls to $text_object->translate( $xpos, $ypos ) with static content would also generate an exception. I found the attached patch solved the issues, by doing some simple validation on the floats, which solved the taint issues for our team. Their may be further taint/validation problems else where, but I have not found them yet. Running on : MacOS X 10.7.4 perl 5, version 12, subversion 3 (v5.12.3) built for darwin-thread- multi-2level
Subject: pdf_api2_taint.patch
--- PDF/API2/Util.pm 2011-03-10 15:46:12.000000000 -0800 +++ PDF/API2/Util.pm 2012-06-06 16:17:19.000000000 -0700 @@ -126,10 +126,20 @@ } else { return 0; } } +sub detaint_float { + my $match = $_[0] =~ /^([-+]?\d+[.]?\d*)$/s; + $_[0] = $match ? $1 : undef; + return (defined($_[0])); +} + + sub float { my $f=shift @_; my $mxd=shift @_||4; $f=0 if(abs($f)<0.0000000000000001); + + detaint_float($f); + my $ad=floor(xlog10($f)-$mxd); if(abs($f-int($f)) < (10**(-$mxd))) { # just in case we have an integer
From: alexe [...] ed.ca
Download (untitled) / with headers
text/plain 269b
Turns out this has been addressed in a different way in the patch being pushed to github. https://github.com/ssimms/pdfapi2/pull/3 After doing more digging, the issue is related to font metrics when fonts are loaded from disk. See the attached reduction for a sample.
Subject: sample_test.pl
Download sample_test.pl
text/x-perl 623b
use lib qw(. lib); use PDF::API2; # Create a blank PDF file $pdf = PDF::API2->new(); # Add a blank page $page = $pdf->page(); # Retrieve an existing page $page = $pdf->openpage(1); # Set the page size $page->mediabox('Letter'); my $f = $pdf->ttfont('DejaVuSans.ttf', -encode=>'utf8', -dokern=>'1'); my %text_options; $text_options{'-underline'} = 1; # Add some text to the page $text = $page->text(); $text->font($f, 20); $text->translate(200, 200); $text->text('Hello World!', %text_options); # Save the PDF $pdf->saveas('new.pdf');
Subject: DejaVuSans.ttf
Download DejaVuSans.ttf
application/octet-stream 703.1k

Message body not shown because it is not plain text.

From: alexe [...] ed.ca
Download (untitled) / with headers
text/plain 275b
Another option that may work depending on your environment, is to untainted the Font and then pass a file handler to pdf::api2. my $fh = IO::File->new('DejaVuSans.ttf') or return undef; $fh->untaint; my $font = $pdf->ttfont($fh, -encode=>'utf8', -dokern=>'1');
Subject: Insecure dependency in sprintf while running with -T switch at /usr/local/share/perl5/PDF/API2/Util.pm line 138.
Date: Thu, 20 Mar 2014 10:16:56 +0100
To: bug-PDF-API2 [...] rt.cpan.org
From: Dietrich Streifert <dietrich.streifert [...] googlemail.com>
Version: PDF-API2-2.021 perl: v5.10.1 OS: centos 6.5 environment: cgi with parameter -T We are using PDF::API2 to create pdf reports using a webapp backend which itself is based on CGI::Application. When changing the used fonts from core fonts to ttf fonts we encounter the following error message: Insecure dependency in sprintf while running with -T switch at /usr/local/share/perl5/PDF/API2/Util.pm line 138. This seems due to how the format parameter to sprintf is composed. A simple patch, separating format composition into a variable solves this issue: --- Util.pm.orig 2014-03-20 10:04:35.000000000 +0100 +++ Util.pm 2014-03-20 10:05:31.000000000 +0100 @@ -135,7 +135,8 @@ $value =~ s/\.$//; return $value; } else { - my $value = sprintf('%.'.abs($ad).'f',$f); + my $format = '%.'.abs($ad).'f'; + my $value = sprintf($format,$f); # Remove trailing zeros $value =~ s/(\.\d*?)0+$/$1/; $value =~ s/\.$//; See attached patch against current version of PDF::API2 Regards Dietrich

Message body is not shown because sender requested not to inline it.

On Thu Mar 20 05:17:10 2014, level420 wrote: Show quoted text
> Insecure dependency in sprintf while running with -T switch at > /usr/local/share/perl5/PDF/API2/Util.pm line 138. > > This seems due to how the format parameter to sprintf is composed. A > simple patch, separating format composition into a variable solves this > issue: > > --- Util.pm.orig 2014-03-20 10:04:35.000000000 +0100 > +++ Util.pm 2014-03-20 10:05:31.000000000 +0100 > @@ -135,7 +135,8 @@ > $value =~ s/\.$//; > return $value; > } else { > - my $value = sprintf('%.'.abs($ad).'f',$f); > + my $format = '%.'.abs($ad).'f'; > + my $value = sprintf($format,$f); > # Remove trailing zeros > $value =~ s/(\.\d*?)0+$/$1/; > $value =~ s/\.$//;
While this patch presumably works, it doesn't actually improve security. Can you back up a bit and find out where the tainted variable is coming from? Create a patch to validate and sanitize that value, and I'll commit that if the problem is being introduced by PDF::API2 rather than calling code. Thanks, Steve
Download (untitled) / with headers
text/plain 139b
Thanks for the bug report. I've implemented the change referenced in the GitHub pull request, so this should be fixed in the next release.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.