JavaScript in PDF is executed without user input
Reported by
tmeu...@gmail.com,
Oct 26 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Steps to reproduce the problem:
1. Open the attached file in Chrome
2. In this file there is the following object as test:
19 0 obj
<</Type/Catalog/Pages 6 0 R
/OpenAction 25 0 R
/ViewerPreferences<</DisplayDocTitle true
>>
/Lang(nl-NL)
>>
endobj
25 0 obj
<</Type/Action/S/JavaScript/JS (app.alert('Javascript!');) >>
endobj
3.
What is the expected behavior?
Either a question: "Are you sure that you want to do stuff that can harm you and your computer?" or nothing
What went wrong?
JavaScript is executed directly at opening of a PDF with JavaScript. This is a security risk for the users because they do not expect JavaScript in documents that they might or might not trust. A document with JavaScript can actually do real damage and trigger vulnerabilities in the PDF parser.
In a PDF JavaScript should never be executed without user interaction.
Did this work before? No
Chrome version: 62.0.3202.62 (Officiële build) (64-bits) Channel: stable
OS Version: 10.0
Flash Version:
I can understand if you say: "Hey man, this is not a problem as we allow JS to be executed on webpages as well, so we do not think a document is any different." But please do send an e-mail to me saying that so that I know this (on tmeulemans@securesult.nl). I looked a bit the fool at a demo after a pentest saying: "you need to still approve to execute JS. Oh shit, apparently not in Chrome...."
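For triage on the defender's side, the structure quoted in the report (a catalog whose /OpenAction points at an /S /JavaScript action) can be flagged before a file reaches a viewer. The following is an added example, not part of the original report or of Chromium's code; the function name `find_autorun_js` and both sample files are constructed for illustration. It only reads uncompressed objects and does not look inside object streams or encrypted files.

```python
import re

# Constructed sample: the two objects quoted in the report, in a minimal wrapper.
SAMPLE_AUTORUN = b"""%PDF-1.4
19 0 obj
<</Type/Catalog/Pages 6 0 R
/OpenAction 25 0 R
/ViewerPreferences<</DisplayDocTitle true
>>
/Lang(nl-NL)
>>
endobj
25 0 obj
<</Type/Action/S/JavaScript/JS (app.alert('Javascript!');) >>
endobj
"""
# Constructed sample: a catalog with no /OpenAction entry.
SAMPLE_CLEAN = b"""%PDF-1.4
19 0 obj
<</Type/Catalog/Pages 6 0 R>>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
JS_ACTION = re.compile(rb"/S\s*/JavaScript\b")
OPEN_REF = re.compile(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R\b")
OPEN_INLINE = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.S)

def _norm(body):
    # Undo #xx escapes in names so /JavaScr#69pt still matches /JavaScript.
    return NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), body)

def find_autorun_js(pdf_bytes):
    """Return findings for catalog /OpenAction entries that run JavaScript."""
    objs = {(int(n), int(g)): _norm(b) for n, g, b in OBJ_RE.findall(pdf_bytes)}
    findings = []
    for (num, gen), body in objs.items():
        if not re.search(rb"/Type\s*/Catalog\b", body):
            continue
        for m in OPEN_REF.finditer(body):  # indirect reference, as in the report
            ref = (int(m.group(1)), int(m.group(2)))
            if JS_ACTION.search(objs.get(ref, b"")):
                findings.append(f"catalog {num} {gen} -> action {ref[0]} {ref[1]}")
        for m in OPEN_INLINE.finditer(body):  # action dictionary written inline
            if JS_ACTION.search(m.group(1)):
                findings.append(f"catalog {num} {gen} -> inline action")
    return findings
```

An empty list means no open-time JavaScript action was found in the objects this scan can read, not that the file contains no JavaScript at all.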
Oct 30 2017
That is not my opinion, but hey I guess you guys can decide yourself. When developing from a security by design and security by default point of view JS execution without user interaction should be off by default.
Feb 2 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Oct 26 2017
Mergedinto: 445758
Status: Duplicate (was: Unconfirmed)