This repository has been archived by the owner on Apr 15, 2020. It is now read-only.

resolve #340208 - Command injection in 'pdf-image', Severity:Medium #39

Open
wants to merge 2 commits into
base: master

Contributor

@roest01 roest01 commented May 16, 2018

The constructGetInfoCommand would be initializing the command that is to be passed to 'exec' of getInfo(). The user input is not getting validated in #L26 of constructGetInfoCommand and it leads to command injection in #L43.

I've published v2.0.1 with this PR because of #38.
Tried to fix v1 from 2ab80d7 as well but it's not an easy merge because of the v2 code changes.

Where is Version 1.1.0?
Last commit 2ab80d7 in master shows v1.0.2 ...

May I prepare a v1.1.1 (or v1.0.3) starting from e633ad5?
If yes, can you create a release/v1 branch where I can merge my hotfix code into?

Otherwise the recommendation is: update to v2.0.1 because of security issues, and v1 is kept unfixed.

@roest01 roest01 force-pushed the bugfix/#38_securityHotfix_v2 branch from a33ba3e to bb7fa45 Compare May 17, 2018 13:46
Contributor Author

roest01 commented May 29, 2018

This branch should be reviewed because the security report is going into a public disclosure soon.
@mooz if it helps, you can forget about my version questions :)

@roest01 roest01 force-pushed the bugfix/#38_securityHotfix_v2 branch from bb7fa45 to ec54d22 Compare July 10, 2018 14:11
Contributor Author

roest01 commented Jul 10, 2018

rebased - Jul 10 2018

@roest01 roest01 mentioned this pull request Apr 16, 2019