node-pdf-image
resolve #340208 - Command injection in 'pdf-image', Severity:Medium
The constructGetInfoCommand function initializes the command that is to be passed to 'exec' in getInfo(). The user input is not validated in #L26 of constructGetInfoCommand, and this leads to command injection in #L43.
I've published v2.0.1 with this PR because of #38. Tried to fix v1 from 2ab80d7 as well, but it's not an easy merge because of the v2 code changes.
Where is Version 1.1.0? Last commit 2ab80d7 in master shows v1.0.2 ...
May I prepare a v1.1.1 (or v1.0.3) starting from e633ad5? If yes, can you create a release/v1 branch that I can merge my hotfix code into?
Otherwise the recommendation is: update to v2.0.1 because of security issues, and keep v1 unfixed.
This branch should be reviewed because the security report is going into public disclosure soon. @mooz if it helps you, you can forget about my version questions :)
rebased - Jul 10 2018