Comment by UniverseHacker

Comment by UniverseHacker 9 days ago

This is horrifying, PDFs should not be able to execute code.

tbraydn 8 days ago

A surprising number of things used to accept executable code.

In Microsoft Windows (~2000/ME), you used to be able embed JavaScript and ActiveX into ANY folder by replacing the folder view with your own HTML. Your customization would persist on shared network folders so others would see your HTML.

So naturally, a bunch of us 14 year olds in like 2002, between playing Runescape and Neopets in computer lab and library time, found this out and started screwing with the shared network Z: drive used by both teachers and students across every elementary, middle and high school in the school district.

There were dumb things you could do with all that power like open people’s CD-ROM reader trays by abusing the Windows Media ActiveX control. It had an eject() method on the object.

It ended up breaking in an edit war of the shared drive. There were some generic AD accounts used district-wide so you could avoid getting caught. We found out you could prefix the username with the domain and login with accounts from other schools. At one point, someone crossed the line, but I don’t think anyone got caught.

Reply View 2 replies

ta1243 8 days ago

You put the <img src="file://c:/con/con"> in right? Or had that been fixed by the DHTML era

Reply View | 1 reply
- slig 8 days ago
  
  I used to place that as the home page of IE.
  
  Reply View | 0 replies

crazygringo 8 days ago

Seriously, I hate it.

I understand why it happened -- it made sense to allow PDF's to be used for form-filling, and once you can fill in forms it obviously makes sense to validate inputs, and to handle arbitrary validation complexity you need a scripting language, and obviously then you want to be able to automatically fill in fields based on other fields, or even produce a QR code so it can be printed and scanned... And they didn't want to create a new extension like ".ipdf" for interactive PDF.

But still. I hate it.

Reply View 0 replies

cess11 9 days ago

One should reject all PDF:s except /a-standards compliant ones.

Reply View 4 replies

belval 8 days ago

Maybe if one enjoys endless conversations with unhappy customers. Easier to simply isolate the PDF rendering/parsing and move on.

Reply View | 1 reply
- silon42 8 days ago
  
  A conversion tool would be useful.
  
  Reply View | 0 replies
martin_a 8 days ago

Let me tell you about the lord and savior of the printing industry, the PDF/X standard...

Reply View | 1 reply
- cess11 8 days ago
  
  It allows external sources. I think even the ICC profile can sit outside the document, as well as stuff like video.
  I like the archivable series, the document comes with what is needed to render it.
  
  Reply View | 0 replies

fsckboy 8 days ago

>PDFs should not be able to execute code

Postscript is code (it's a stack machine), and PDFs are Postscript

Reply View 1 reply

martin_a 8 days ago

> PDFs are Postscript
PDFs have moved to native generation, due to the feature richness that has found its way into the specs.
Nevertheless you can still write PS and feed it into a Distiller (or sth. alike) and render the output.

Reply View | 0 replies

nejsjsjsbsb 8 days ago

HTMLs too :)

Reply View 0 replies