I would like to know if there are dangerous safety/security issues when an application is designed to call a command-line utility that opens a PDF file and yields some information in text files or images.
OS command injection comes to mind, if the user is able to control part of the command line (e.g. "AcroRd32.exe file.pdf"). If the attacker can control the name of the file, then you have to add strong white-list validation, so that "AcroRd32.exe file.pdf && format C: && rem .pdf" cannot be injected, for example.
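One way to apply the white-list validation this answer recommends, as an added example (not code from the answer above): the file name is checked against an allow-list pattern, the resolved path is confined to a directory the application owns, and the utility is started with an argument vector rather than a shell string, so "&&" and friends are never interpreted. The tool name `pdftotext` and the upload directory are assumptions standing in for whatever the application actually calls.

```python
import re
import subprocess
from pathlib import Path

# Assumed stand-ins: the real application substitutes its own utility and directory.
PDF_TOOL = "pdftotext"
UPLOAD_DIR = Path("/var/app/uploads")

# Allow-list: a base name of letters, digits, dots, underscores and dashes ending in .pdf.
# No path separators, spaces or shell metacharacters can match this pattern.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.pdf$")


def validate_pdf_name(name: str) -> Path:
    """Return the resolved path for `name` or raise ValueError if it is not allow-listed."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    path = (UPLOAD_DIR / name).resolve()
    # Defence in depth: even a matching name must not resolve outside UPLOAD_DIR.
    if path.parent != UPLOAD_DIR.resolve():
        raise ValueError("path escapes the upload directory")
    return path


def is_rejected(name: str) -> bool:
    """True if validate_pdf_name refuses `name` (convenience for callers and tests)."""
    try:
        validate_pdf_name(name)
    except ValueError:
        return True
    return False


def build_command(name: str) -> list[str]:
    """Argument vector for the utility; passed without a shell, so metacharacters are inert."""
    return [PDF_TOOL, str(validate_pdf_name(name))]


def extract_text(name: str, timeout: int = 30) -> str:
    """Run the utility on a validated file and return its stdout."""
    # shell=False is the default; the list form never goes through cmd.exe or /bin/sh.
    proc = subprocess.run(build_command(name), capture_output=True, text=True,
                          timeout=timeout, check=True)
    return proc.stdout
```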
Yes, calling a command line utility presents extra security concerns: Your application is now only as secure as the command line utility.
As an example, if there is a buffer overflow in the utility, then an attacker might be able to exploit it via your application.