diff options
| author | Ken Sharp <ken.sharp@artifex.com> | 2023-08-24 15:24:35 +0100 |
|---|---|---|
| committer | Ken Sharp <ken.sharp@artifex.com> | 2023-08-24 15:24:35 +0100 |
| commit | e59216049cac290fb437a04c4f41ea46826cfba5 (patch) | |
| tree | b3e5c01f1fed64659674825edaa84d3acc6a90aa | |
| parent | 75993a948c4e46fdbf2e5f79af81529a2ecccac8 (diff) | |
IJS device - try and secure the IJS server startup
Bug #707051 ""ijs" device can execute arbitrary commands"
The problem is that the 'IJS' device needs to start the IJS server, and
that is indeed an arbitrary command line. There is (apparently) no way
to validate it. Indeed, this is covered quite clearly in the comments
at the start of the source:
* WARNING: The ijs server can be selected on the gs command line
* which is a security risk, since any program can be run.
Previously this used the awful LockSafetyParams hackery, which we
abandoned some time ago because it simply couldn't be made secure (it
was implemented in PostScript and was therefore vulnerable to PostScript
programs).
This commit prevents PostScript programs switching to the IJS device
after SAFER has been activated, and prevents changes to the IjsServer
parameter after SAFER has been activated.
SAFER is activated, unless explicitly disabled, before any user
PostScript is executed which means that the device and the server
invocation can only be configured on the command line. This does at
least provide minimal security against malicious PostScript programs.
| -rw-r--r-- | devices/gdevijs.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/devices/gdevijs.c b/devices/gdevijs.c index 8cbd84b97..16f5a1752 100644 --- a/devices/gdevijs.c +++ b/devices/gdevijs.c | |||
| @@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev) | |||
| 888 | static const char rgb[] = "DeviceRGB"; | 888 | static const char rgb[] = "DeviceRGB"; |
| 889 | gx_device_ijs *ijsdev = (gx_device_ijs *)dev; | 889 | gx_device_ijs *ijsdev = (gx_device_ijs *)dev; |
| 890 | 890 | ||
| 891 | if (ijsdev->memory->gs_lib_ctx->core->path_control_active) | ||
| 892 | return_error(gs_error_invalidaccess); | ||
| 891 | if (!ijsdev->ColorSpace) { | 893 | if (!ijsdev->ColorSpace) { |
| 892 | ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1, | 894 | ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1, |
| 893 | "gsijs_initialize"); | 895 | "gsijs_initialize"); |
| @@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) | |||
| 1326 | if (code >= 0) | 1328 | if (code >= 0) |
| 1327 | code = gsijs_read_string(plist, "IjsServer", | 1329 | code = gsijs_read_string(plist, "IjsServer", |
| 1328 | ijsdev->IjsServer, sizeof(ijsdev->IjsServer), | 1330 | ijsdev->IjsServer, sizeof(ijsdev->IjsServer), |
| 1329 | dev->LockSafetyParams, is_open); | 1331 | ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); |
| 1330 | 1332 | ||
| 1331 | if (code >= 0) | 1333 | if (code >= 0) |
| 1332 | code = gsijs_read_string_malloc(plist, "DeviceManufacturer", | 1334 | code = gsijs_read_string_malloc(plist, "DeviceManufacturer", |