
This queue is for tickets about the PDF-API2 CPAN distribution.

Report information
The Basics
Id: 77692
Status: resolved
Priority: 0/
Queue: PDF-API2

People
Owner: Nobody in particular
Requestors: alexe [...] ed.ca
dietrich.streifert [...] googlemail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.019
Fixed in: 2.022



Subject: Calls with static values to Float cause taint issues when used in taint mode.
When running a script that generates a PDF::API2 document with taint mode -wT, calls to float in PDF/API2/Util.pm will cause a taint exception when passed to the ABS function. In some cases these errors were reasonable, since they flowed down from user selected data (like an image width). However calls to $text_object->translate( $xpos, $ypos ) with static content would also generate an exception.

I found the attached patch solved the issues, by doing some simple validation on the floats, which solved the taint issues for our team. There may be further taint/validation problems elsewhere, but I have not found them yet.

Running on: MacOS X 10.7.4, perl 5, version 12, subversion 3 (v5.12.3) built for darwin-thread-multi-2level
Subject: pdf_api2_taint.patch
--- PDF/API2/Util.pm 2011-03-10 15:46:12.000000000 -0800 +++ PDF/API2/Util.pm 2012-06-06 16:17:19.000000000 -0700 @@ -126,10 +126,20 @@ } else { return 0; } } +sub detaint_float { + my $match = $_[0] =~ /^([-+]?\d+[.]?\d*)$/s; + $_[0] = $match ? $1 : undef; + return (defined($_[0])); +} + + sub float { my $f=shift @_; my $mxd=shift @_||4; $f=0 if(abs($f)<0.0000000000000001); + + detaint_float($f); + my $ad=floor(xlog10($f)-$mxd); if(abs($f-int($f)) < (10**(-$mxd))) { # just in case we have an integer
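Review bot: in float(), the result of detaint_float($f) is discarded, so a value that fails the pattern is silently replaced by undef (detaint_float assigns through the $_[0] alias) and floor(xlog10($f)-$mxd) then runs on undef. Check the return value and croak, or return the captured number instead of modifying the argument in place. The pattern also has no exponent part and needs a leading digit, so strings such as 1e-05 or .5 are rejected, and the call sits after the abs($f) comparison, which therefore still sees the unvalidated value.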
From: alexe [...] ed.ca
Turns out this has been addressed in a different way in the patch being pushed to github.

https://github.com/ssimms/pdfapi2/pull/3

After doing more digging, the issue is related to font metrics when fonts are loaded from disk. See the attached reduction for a sample.
Subject: sample_test.pl
use lib qw(. lib);
use PDF::API2;

# Create a blank PDF file
$pdf = PDF::API2->new();

# Add a blank page
$page = $pdf->page();

# Retrieve an existing page
$page = $pdf->openpage(1);

# Set the page size
$page->mediabox('Letter');

my $f = $pdf->ttfont('DejaVuSans.ttf', -encode=>'utf8', -dokern=>'1');

my %text_options;
$text_options{'-underline'} = 1;

# Add some text to the page
$text = $page->text();
$text->font($f, 20);
$text->translate(200, 200);
$text->text('Hello World!', %text_options);

# Save the PDF
$pdf->saveas('new.pdf');
Subject: DejaVuSans.ttf

From: alexe [...] ed.ca
Another option that may work depending on your environment is to untaint the font and then pass a file handler to PDF::API2.

    use IO::File;

    my $fh = IO::File->new('DejaVuSans.ttf') or return undef;
    $fh->untaint;
    my $font = $pdf->ttfont($fh, -encode=>'utf8', -dokern=>'1');
Subject: Insecure dependency in sprintf while running with -T switch at /usr/local/share/perl5/PDF/API2/Util.pm line 138.
Date: Thu, 20 Mar 2014 10:16:56 +0100
To: bug-PDF-API2 [...] rt.cpan.org
From: Dietrich Streifert <dietrich.streifert [...] googlemail.com>
Version: PDF-API2-2.021
perl: v5.10.1
OS: centos 6.5
environment: cgi with parameter -T

We are using PDF::API2 to create pdf reports using a webapp backend which itself is based on CGI::Application. When changing the used fonts from core fonts to ttf fonts we encounter the following error message:

Insecure dependency in sprintf while running with -T switch at /usr/local/share/perl5/PDF/API2/Util.pm line 138.

This seems due to how the format parameter to sprintf is composed. A simple patch, separating format composition into a variable solves this issue:

--- Util.pm.orig 2014-03-20 10:04:35.000000000 +0100 +++ Util.pm 2014-03-20 10:05:31.000000000 +0100 @@ -135,7 +135,8 @@ $value =~ s/\.$//; return $value; } else { - my $value = sprintf('%.'.abs($ad).'f',$f); + my $format = '%.'.abs($ad).'f'; + my $value = sprintf($format,$f); # Remove trailing zeros $value =~ s/(\.\d*?)0+$/$1/; $value =~ s/\.$//;

See attached patch against current version of PDF::API2

Regards
Dietrich
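Review bot: in the else branch the new $format is still built from abs($ad) with no check on $ad or $f, so the same unvalidated value reaches sprintf and only the statement that trips the taint check has changed. Validate the number where it enters float(), or where it is read in, against a numeric pattern and use the captured copy; if the two-line form is kept anyway, it needs a comment saying why the format is built in a separate variable.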


On Thu Mar 20 05:17:10 2014, level420 wrote:
> Insecure dependency in sprintf while running with -T switch at > /usr/local/share/perl5/PDF/API2/Util.pm line 138. > > This seems due to how the format parameter to sprintf is composed. A > simple patch, separating format composition into a variable solves this > issue: > > --- Util.pm.orig 2014-03-20 10:04:35.000000000 +0100 > +++ Util.pm 2014-03-20 10:05:31.000000000 +0100 > @@ -135,7 +135,8 @@ > $value =~ s/\.$//; > return $value; > } else { > - my $value = sprintf('%.'.abs($ad).'f',$f); > + my $format = '%.'.abs($ad).'f'; > + my $value = sprintf($format,$f); > # Remove trailing zeros > $value =~ s/(\.\d*?)0+$/$1/; > $value =~ s/\.$//;
While this patch presumably works, it doesn't actually improve security.

Can you back up a bit and find out where the tainted variable is coming from? Create a patch to validate and sanitize that value, and I'll commit that if the problem is being introduced by PDF::API2 rather than calling code.

Thanks,
Steve
Thanks for the bug report. I've implemented the change referenced in the GitHub pull request, so this should be fixed in the next release.
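
The approach asked for in the maintainer's reply above (find where the tainted value enters, validate it there, and pass on only the captured copy), as an added example that is not code from PDF::API2 or from anyone in this ticket. `untaint_number`, the metric names and the sample values are hypothetical and constructed; the pattern goes beyond the one in the first patch by also accepting exponent notation and a bare fraction, and by rejecting a trailing newline.

```perl
# Added example, not PDF::API2 code. Run with: perl -T untaint_number.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper: return an untainted copy of a plain decimal number,
# or undef for anything else. Callers must check for undef.
sub untaint_number {
    my ($value) = @_;
    return undef unless defined $value;
    # \A and \z anchor the whole string, so a trailing newline is rejected.
    # An exponent is allowed because Perl stringifies 0.00001 as "1e-05".
    if ($value =~ /\A([-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?)\z/) {
        my $clean = $1;    # a capture group is not tainted
        return $clean;
    }
    return undef;
}

# Constructed sample data standing in for metrics read from a font file.
# Appending an empty tainted string marks a value as tainted under -T.
my $taint   = substr($^X, 0, 0);
my %metrics = (
    ascender  => '928' . $taint,
    underline => '-63.5' . $taint,
    tiny      => '1e-05' . $taint,
    bare      => '.5' . $taint,
    junk      => '12abc' . $taint,
    newline   => "7\n" . $taint,
    literal   => '200',    # program constant, never tainted
);

# Report where taint enters and what survives validation.
for my $name (sort keys %metrics) {
    my $raw   = $metrics{$name};
    my $clean = untaint_number($raw);
    my $in    = tainted($raw) ? 'tainted' : 'clean';
    my $out   = !defined $clean   ? 'rejected'
              : tainted($clean)   ? "still tainted: $clean"
              :                     "accepted: $clean";
    print "$name ($in) -> $out\n";
}
```

Without -T every value reports as clean, because taint tracking is switched off.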