I do not have much knowledge in this area. I just came across this interesting blog https://cromwell-intl.com/open-source/pdf-not-authorized.html that also has some nice references.
However, right now I wonder when I should be extra careful when using groff. -Tpdf is my default choice, and most of my papers include images, so I use -U almost all the time.

Best regards,
Michał Kruszewski

Sent with Proton Mail secure email.

------- Original Message -------
On Sunday, July 30th, 2023 at 12:26 PM, G. Branden Robinson <g.branden.robin...@gmail.com> wrote:

> Hi Michał,
>
> At 2023-07-30T08:29:35+0000, Michał Kruszewski via wrote:
>
> > Why does PDFPIC require unsafe mode -U, but PSPIC doesn't?
>
> troff(1):
>     -U  Operate in unsafe mode, enabling the open, opena, pi, pso, and
>         sy requests, which are disabled by default because they allow an
>         untrusted input document to write to arbitrary file names and
>         run arbitrary commands. [...]
>
> pdfpic.tmac uses the `sy` (and, post-groff 1.23.0, `pso`) requests;
> pspic.tmac does not.
>
> > If I understand correctly one can easily execute shell commands from
> > PostScript.
>
> I didn't know that. At the same time, (a) the formatter itself does not
> interpret general PostScript,[1] and (b) the grops(1) output driver
> doesn't either; it produces PostScript[2]. If interpretation of
> PostScript is security-hazardous, it is the PostScript interpreter that
> needs to be managed. I suppose that GhostScript's often-seen (and
> now-default) `-dSAFER` option addresses this issue.[3]
>
> Does this help?
>
> Regards,
> Branden
>
> [1] The formatter's `psbb` request performs limited interpretation of
>     PostScript to extract bounding box information.
>
>     https://git.savannah.gnu.org/cgit/groff.git/tree/src/roff/troff/input.cpp?h=1.23.0#n6549
>
> [2] A document can embed arbitrary content into troff output by means of
>     the `\\!` escape sequence and `output` request. The former is a CSTR
>     #54 feature. Whether this constitutes an attack surface would
>     depend on how the output driver is written.
>
> [3] https://ghostscript.com/docs/9.54.0/Use.htm
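
As an added example (not part of this thread and not groff's own code), here is a lexical check of a roff source for the five requests that the quoted troff(1) text says `-U` enables, useful before formatting a document from someone else with `-U`. The function name and sample document are constructed; the check is a heuristic that may over-report, and it does not follow `so`/`mso` includes or track a control character changed with `cc`.

```python
import re

# Requests troff(1) enables only under -U, per the man page excerpt quoted above.
UNSAFE = ("opena", "open", "pso", "pi", "sy")

# Control character ('.' or "'") at line start, or after whitespace or '{'
# (as in `.if 1 .sy ...` or `\{.sy ...`), then the request name.
CALL = re.compile(r"(?:^|[\s{])[.'][ \t]*(" + "|".join(UNSAFE) + r")(?=\s|$)")
# .als NEW OLD and .rn OLD NEW can put an unsafe request behind another name.
RENAME = re.compile(r"^[.'][ \t]*(als|rn)[ \t]+(.*)$")


def find_unsafe_requests(text):
    """Return (line_number, finding) pairs for lines that call, alias or
    rename a request that only works under -U."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in CALL.finditer(line):
            findings.append((number, match.group(1)))
        renamed = RENAME.match(line)
        if renamed:
            for arg in renamed.group(2).split():
                if arg in UNSAFE:
                    findings.append((number, f"{renamed.group(1)}:{arg}"))
    return findings


# Constructed sample document (not from the thread).
SAMPLE = """\
.TH DEMO 1
.PSPIC figure.eps
Body text that mentions the .symbol macro.
.sy date
.if 1 .pso date
.als run sy
.rn pi mypipe
"""

if __name__ == "__main__":
    for number, finding in find_unsafe_requests(SAMPLE):
        print(f"line {number}: {finding}")
```

An empty result covers only the file that was scanned; macro packages the document loads (pdfpic.tmac, as noted in the reply above) can still issue these requests themselves.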