GhostScript: Error: /invalidfileaccess in --file--

Question

I get the well known error if I try to include a file which is outside the known paths:

Error: /invalidfileaccess in --file--

I know that I could use -DNOSAFER but I want to avoid this, since this would allow malicious code to be executed.

Is there an option to tell gs "you are allowed to read any file, but you must not remove or delete any files"?

Answer 1

(Answer duplicated from gGt an output file with a count of PDF pages for each file with Ghostscript; both these SO issues popped up while I was looking for a solution myself and no dice. :'-( )

---

Note that since GhostScript 9.50 the SAFER mode has been turned ON by default, resulting in /invalidfileaccess errors like these, which would not go away by making sure all directory separators in thee path are / forward slashes, fiddling with the current path, etc.

This has cost me quite some hair and several hours today, but anno 2020 you'll need to do something like this:

Solution 1: Add source path to the accepted list using --permit-file-read=<path> to make the /invalidfileaccess go away

gs -q --permit-file-read=d:/ -dNODISPLAY -c "(d:/test.pdf) (r) file runpdfbegin pdfpagecount = quit"

i.e. make sure that the path to the PDF you're loading in the PostScript command/script is in the approved list a.k.a. permission list, using one of the --permit-file-xyz commandline arguments.

Solution 2: Quick hack with -I<path> to make the /invalidfileaccess go away

gs -q -Id:/ -dNODISPLAY -c "(d:/test.pdf) (r) file runpdfbegin pdfpagecount = quit"

i.e. make sure that the path to the PDF you're loading in the PostScript command/script is in the approved list a.k.a. permission list.

The -Id:/ in the example above is just a quick hack to make sure the source path of your path is on that list, given this bit from the official documentation:

Finally, paths supplied on the command line (such as those in -I, -sFONTPATH parameters) are added to the permitted reading list. Similarly, paths read during initialisation from Fontmap, cidfmap, and the platform specific font file enumeration (e.g. fontconfig on Unix systems) are automatically added to the permit read lists.

Note / Aside about expectations when using -I like that:

Another surprise for me was that

gs -q  -I d:/ -dNODISPLAY -c "(test.pdf) (r) file runpdfbegin pdfpagecount = quit"

i.e. specifying the source path of the PDF in the -I include set and then omitting it in the PostScript command, still gave me an /invalidfileaccess so make sure to specify a proper absolute path for the PDF you're loading.

Notes

Applies to PostScript scripts, not the -f commandline

This problem only occurs with file loads inside -c PostScript commands, not with PDF/PS source files specified directly on the commandline using -f <file>.

How to check if this is your actual problem

Test 1: Try the same without the extra -I<path> or --permit-file-read=<path>: does the error return? If yes, then bingo!

When this commandline (note the missing -Id:/ or --permit-file-read=d:/ is the only change):

gs -q -dNODISPLAY -c "(d:/test.pdf) (r) file runpdfbegin pdfpagecount = quit"

gives you the "invalid file access" error as in:

   Error: /invalidfileaccess in --file--
   Operand stack:
      (d:/test.pdf)   (r)
   Execution stack:
      %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--
   Dictionary stack:
      --dict:737/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
   Current allocation mode is local
   Last OS error: Permission denied
   GPL Ghostscript 9.52: Unrecoverable error, exit code 1

than you quite probably have a -dSAFER problem which is fixed by the above addition of the PDF source directory to the accepted paths list (see also the GhostScript documentation at 'NOSAFER' and onwards including the section about --permit-file-read=pathlist et al.

Test 2: Does the problem go away when you run with -dNOSAFER? If yes, then bingo!

When this commandline:

gs -q -dNOSAFER -dNODISPLAY -c "(d:/test.pdf) (r) file runpdfbegin pdfpagecount = quit"

works okay, then that's a sure sign you need either of the solutions described above to get rid of the /invalidfileaccess error.

WARNING: Older answers you find on the Net probably won't work anymore

As I've looked at quite a few discussions, both here at SO and elsewhere, including various bugtrackers, nobody seems to mention this anywhere as all those pages/entries are from before GhostScript release 9.50 and 2019AD.

Quoting from the 9.50 change notes:

The file access control capability (enable with -dSAFER) has been completely rewritten, with a ground-up rethink of the design. For more details, see: SAFER.

It is important to note that -dSAFER now only enables the file access controls, and no longer applies restrictions to standard Postscript functionality (specifically, restrictions on setpagedevice). If your application relies on these Postscript restrictions, see OLDSAFER, and please get in touch, as we do plan to remove those Postscript restrictions unless we have reason not to.

IMPORTANT: File access controls are now enabled by default. In order to run Ghostscript without these controls, see NOSAFER

Important Note for Windows Users: See below under Incompatible Changes

The SAFER change is from 2019-09-30 (release 9.50)