Hi Michał,

At 2023-07-30T08:29:35+0000, Michał Kruszewski via wrote:
> Why does PDFPIC require unsafe mode -U, but PSPIC doesn't?

troff(1):

    -U     Operate in unsafe mode, enabling the open, opena, pi, pso, and
           sy requests, which are disabled by default because they allow
           an untrusted input document to write to arbitrary file names
           and run arbitrary commands.  [...]

pdfpic.tmac uses the `sy` (and, post-groff 1.23.0, `pso`) requests;
pspic.tmac does not.

> If I understand correctly one can easily execute shell commands from
> PostScript. I didn't know that.

At the same time, (a) the formatter itself does not interpret general
PostScript,[1] and (b) the grops(1) output driver doesn't either; it
_produces_ PostScript[2].  If interpretation of PostScript is
security-hazardous, it is the PostScript interpreter that needs to be
managed.  I suppose that GhostScript's often-seen (and now-default)
`-dSAFER` option addresses this issue.[3]

Does this help?

Regards,
Branden

[1] The formatter's `psbb` request performs limited interpretation of
    PostScript to extract bounding box information.
    https://git.savannah.gnu.org/cgit/groff.git/tree/src/roff/troff/input.cpp?h=1.23.0#n6549

[2] A document can embed arbitrary content into troff output by means of
    the `\!` escape sequence and `output` request.  The former is a CSTR
    #54 feature.  Whether this constitutes an attack surface would depend
    on how the output driver is written.

[3] https://ghostscript.com/docs/9.54.0/Use.htm
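An added example, not part of Branden's reply or of the groff project: a small Python scanner that flags the five requests troff(1) disables without -U (open, opena, pi, pso, sy), and separately the `\!` escape and `output` request from footnote [2], so a reviewer can tell before formatting whether an untrusted document needs unsafe mode. The sample document and the function names are constructed for this illustration.

```python
"""Flag roff constructs that make a document need groff's unsafe mode (-U).

Added example, not from the thread or groff itself: scans for the five
requests troff(1) disables by default, plus the `\\!` escape and `output`
request from footnote [2], whose hazard depends on the output driver."""
import re

UNSAFE_REQUESTS = frozenset({"open", "opena", "pi", "pso", "sy"})
# Constructs that pass text through to the output driver unchanged.
TRANSPARENT_REQUESTS = frozenset({"output"})
# Control line: '.' or "'", optional blanks, then the request/macro name.
CONTROL_LINE = re.compile(r"^[.'][ \t]*([^ \t]*)")

def request_name(line):
    """Name of the request or macro a control line invokes, else None."""
    m = CONTROL_LINE.match(line)
    return m.group(1) if m and m.group(1) else None

def find_unsafe_requests(text):
    """[(line_no, name)] for each use of a request that requires -U."""
    return [(n, name) for n, line in enumerate(text.splitlines(), 1)
            if (name := request_name(line)) in UNSAFE_REQUESTS]

def find_transparent_output(text):
    """Line numbers that embed raw content into troff output."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "\\!" in line or request_name(line) in TRANSPARENT_REQUESTS]

def needs_unsafe_mode(text):
    """True when troff would refuse the document without -U."""
    return bool(find_unsafe_requests(text))

# Constructed sample mixing safe and unsafe constructs.
SAMPLE = r""".TH DEMO 1
.PSPIC figure.eps
.sy date > /tmp/when
'pso extra.tmac
.  open log /tmp/demo.log
.nr width 3i
\!x X ps: exec 0 0 moveto
.output \fBhello\fP
"""

if __name__ == "__main__":
    for n, name in find_unsafe_requests(SAMPLE):
        print(f"line {n}: request '{name}' needs -U")
    print("transparent output on lines:", find_transparent_output(SAMPLE))
```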