Comments (1)
Hello,

Actually, 'embed.rb' does not just embed the target file into the document. It will also inject a little script that will try to run the file at document opening. However, Acrobat Reader has some restrictions about which files are granted to be extracted and run. This security filtering is merely based on the filename extension. Some extensions are blacklisted, some are whitelisted, others will pop up an alert box to ask for user approval before running the file.

This list of extensions cannot be modified from the Reader interface; you can find it on Windows in the registry key:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchAttachmentPerms

On Unix systems, it can be found in the preference file in the directory where Reader is installed. On my Linux system: /opt/Adobe/Reader9/Reader/GlobalPrefs/reader_prefs

Only PDF and FDF files are whitelisted by default (which means you can extract and run an embedded document from an existing document with no user warning).

In a nutshell, if you plan to embed a malicious file into a document, you have two options:
1) Find a flaw in Acrobat Reader to bypass security checks. That's the way I did it when I began working on the 9.0 version, but it has now been fixed by Adobe.
2) Use a non-blacklisted filename extension for your attachments. Before version 9 of Reader, I used to embed malicious JAR archives into documents as *.jar files were not blacklisted. Still, the file has to be launched by Windows Explorer thereafter, so you can't set whatever extension you wish. Anyway, on Unix systems, the filename extension filter is just a joke.

Regards,
Guillaume
Original comment by [email protected] on 11 May 2010 at 12:41
- Changed state: Done
from origami-pdf.
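The comment above describes the pattern a defender wants to catch: an embedded file plus a document-open trigger that tries to launch it, with Reader's only gate being the attachment's filename extension (only .pdf and .fdf whitelisted by default). The following is an added example, not code from origami-pdf or from Guillaume: a small heuristic triage scanner in plain Ruby that runs over raw PDF bytes, lists attachment names found in /Filespec dictionaries, reports whether each extension is in the default whitelist named in the comment, and flags the combination of embedded file streams with an open-time Launch or JavaScript action. The sample document, the regexes and the verdict names are all constructed for this example; Reader's actual blocked and prompt lists are not reproduced, so anything that is not .pdf/.fdf is reported as "subject to filter".

```ruby
# Added example (not origami-pdf code): heuristic scan for attachments that a
# document tries to run at open time. Operates on raw bytes, so it is a
# first-pass triage tool, not a parser of the PDF object graph.

# Per the comment above, only these extensions are whitelisted by default.
WHITELISTED_EXTENSIONS = %w[pdf fdf].freeze

# Constructed regexes over PDF syntax (not from any library):
EMBEDDED_FILE_RE = %r{/Type\s*/EmbeddedFile\b}
# A /Filespec dictionary with a string /F or /UF name; [^>]*? keeps the match
# inside one dictionary so it cannot run into the next object's /F key.
FILESPEC_NAME_RE = %r{/Type\s*/Filespec[^>]*?/(?:UF|F)\s*\(([^)]*)\)}
OPEN_TRIGGER_RE  = %r{/(?:OpenAction|AA)\b}          # runs when the document opens
LAUNCH_RE        = %r{/S\s*/(?:Launch|JavaScript)\b} # action that can start the file

# Constructed sample: two attachments, one whitelisted, one not, plus an
# open-time JavaScript action. The script body is a placeholder.
SAMPLE_PDF = <<~'PDF'
  %PDF-1.7
  1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 4 0 R >>
    /OpenAction << /S /JavaScript /JS (placeholder script) >> >> endobj
  4 0 obj << /Names [ (report.pdf) 5 0 R (tool.jar) 7 0 R ] >> endobj
  5 0 obj << /Type /Filespec /F (report.pdf) /EF << /F 6 0 R >> >> endobj
  6 0 obj << /Type /EmbeddedFile /Length 0 >> stream
  endstream endobj
  7 0 obj << /Type /Filespec /F (tool.jar) /EF << /F 8 0 R >> >> endobj
  8 0 obj << /Type /EmbeddedFile /Length 0 >> stream
  endstream endobj
  %%EOF
PDF

# Last extension of the attachment name, lower-cased; nil when there is none.
def attachment_extension(name)
  ext = File.extname(name).delete_prefix('.').downcase
  ext.empty? ? nil : ext
end

# How the default extension filter, as described in the comment, treats it.
def classify_extension(ext)
  return :no_extension if ext.nil?
  WHITELISTED_EXTENSIONS.include?(ext) ? :whitelisted_by_default : :subject_to_filter
end

# Scan raw PDF bytes and return a hash of findings.
def scan_pdf(bytes)
  attachments = bytes.scan(FILESPEC_NAME_RE).flatten.map do |name|
    ext = attachment_extension(name)
    { name: name, extension: ext, verdict: classify_extension(ext) }
  end
  open_trigger = bytes.match?(OPEN_TRIGGER_RE)
  launch_or_js = bytes.match?(LAUNCH_RE)
  streams      = bytes.scan(EMBEDDED_FILE_RE).size
  {
    embedded_file_streams: streams,
    attachments: attachments,
    open_trigger: open_trigger,
    launch_or_js_action: launch_or_js,
    # Embedded content plus an open-time action that can run it.
    auto_launch: streams.positive? && open_trigger && launch_or_js
  }
end

# Human-readable report lines for the findings hash.
def report_lines(findings)
  lines = ["embedded file streams: #{findings[:embedded_file_streams]}"]
  findings[:attachments].each do |a|
    lines << "attachment #{a[:name]} (ext=#{a[:extension] || '-'}): #{a[:verdict]}"
  end
  lines << "open-time launch/JS action: #{findings[:auto_launch] ? 'YES' : 'no'}"
  lines
end

if __FILE__ == $PROGRAM_NAME
  bytes = ARGV[0] ? File.binread(ARGV[0]) : SAMPLE_PDF
  puts report_lines(scan_pdf(bytes))
end
```

Run it with a path to inspect a real file, or without arguments to scan the constructed sample. Because it matches plain text, it misses objects hidden in compressed object streams or names written with hex escapes; when it does flag a file, or when a file looks clean but is suspicious for other reasons, parse the object graph with a real PDF parser (Origami's `pdfwalker` is the project's own tool for that) rather than trusting the byte scan.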