Best practice for safe viewing of PDFs posted to list

Cathal Garvey cathalgarvey at cathalgarvey.me
Thu Jun 11 02:13:33 PDT 2015


> After all, pdf.js has no more or less permissions than any other JS
> you might encounter in the wild

Are we sure about this? JS loaded from localhost can do some dangerous 
stuff because CORS doesn't apply anymore to local resources such as the 
filesystem. What context does pdf.js run in? If Mozilla didn't carefully 
sandbox it, and if it executes PDF Javascript embeds (does it?) then it 
could potentially have filesystem access?

This would mean that the closed-source spyware platform from Google 
might actually be safer in this case. But I don't know; pdf.js might be 
injected into the remote resource and therefore have CORS restrictions 
tied to the source domain. It's all implementation...

I'd be inclined to use pdftotext for textual data or GIMP as Steve 
recommended. You can probably use some combination of common PDF utils, 
headless GIMP, and ImageMagick to make a script to do the same thing 
instantaneously.

On 10/06/15 23:01, Riad S. Wahby wrote:
> Seth <list at sysfu.com> wrote:
>> Curious if the advice given above is still relevant and also what others on
>> the list recommend for safe viewing of PDFs.
>
> If your web browsing habits don't include NoScript, then you're likely no
> worse off using pdf.js to view PDFs than you are browsing arbitrary websites.
> After all, pdf.js has no more or less permissions than any other JS you might
> encounter in the wild; and since pdf.js is bundled with modern versions of
> Firefox, you might be inclined to think that it's likely non-malicious even if
> it's exploitable by rogue PDFs. But that's no worse than some JS malware you
> were fed via DNS poisoning or CDN hijacking.
>
> (This can be seen either as an implicit endorsement of pdf.js or of NoScript.)
>
> -=rsw
>

-- 
Scientific Director, IndieBio Irish Programme
  Now running in Cork, Ireland May->July
  Learn more at indieb.io and follow along!
Twitter:  @onetruecathal
Phone: +353876363185
miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
peerio.com: cathalgarvey
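Editor's added example, not part of Cathal's message or anything else in the thread: a small Python script that does the two things the message suggests before a PDF ever reaches a viewer with a script engine. It scans the raw bytes for the PDF name objects that carry active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia), undoing the #xx name escapes the format allows, and flags /ObjStm because names inside compressed object streams are invisible to a plain byte scan. It also wraps the pdftotext and pdftoppm-plus-ImageMagick pipeline the message describes, which are assumed to be installed (poppler-utils and ImageMagick) for those two helpers only; the sample PDF fragments are constructed for the demonstration and are not real documents.

```python
"""Pre-flight scan and flatten pipeline for untrusted PDFs (added example)."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# PDF name objects that introduce active, external, or hidden content.
# A hit means the file asks the viewer to do something beyond drawing pages;
# it does not by itself prove the file is malicious.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code string or stream",
    b"/OpenAction": "action run when the document is opened",
    b"/AA": "additional actions (triggered on events)",
    b"/Launch": "launch an external program",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich-media (e.g. Flash) annotation",
    b"/ObjStm": "compressed object stream; names inside it are invisible to this scan",
}

# In PDF syntax a name ends at whitespace or a delimiter character.
_NAME_END = rb"(?![^\s()<>\[\]{}/%])"

def find_risky_features(data: bytes) -> dict[str, int]:
    """Count risky PDF names in raw bytes, after undoing #xx name escapes."""
    # /J#61vaScript is the same name as /JavaScript; normalise before matching.
    normalized = re.sub(rb"#([0-9A-Fa-f]{2})",
                        lambda m: bytes([int(m.group(1), 16)]), data)
    found = {}
    for name in RISKY_NAMES:
        hits = len(re.findall(re.escape(name) + _NAME_END, normalized))
        if hits:
            found[name.decode()] = hits
    return found

def looks_passive(data: bytes) -> bool:
    """True when none of the risky names appear in the visible PDF syntax."""
    return not find_risky_features(data)

def extract_text(src: Path) -> str:
    """Text layer only, via poppler's pdftotext (assumed installed)."""
    if shutil.which("pdftotext") is None:
        raise RuntimeError("pdftotext (poppler-utils) not found on PATH")
    out = subprocess.run(["pdftotext", "-layout", str(src), "-"],
                         check=True, capture_output=True)
    return out.stdout.decode("utf-8", errors="replace")

def flatten_to_images(src: Path, dst: Path, dpi: int = 150) -> Path:
    """Rasterise each page with pdftoppm, then rebuild a PDF that contains
    nothing but page images with ImageMagick's convert (both assumed installed).
    Scripts, actions and attachments do not survive the round trip; neither
    does selectable text, so use extract_text() when the words matter."""
    for tool in ("pdftoppm", "convert"):
        if shutil.which(tool) is None:
            raise RuntimeError(f"{tool} not found on PATH")
    with tempfile.TemporaryDirectory() as tmp:
        prefix = Path(tmp) / "page"
        subprocess.run(["pdftoppm", "-r", str(dpi), "-png", str(src), str(prefix)],
                       check=True)
        pages = sorted(Path(tmp).glob("page-*.png"))  # pdftoppm zero-pads page numbers
        if not pages:
            raise RuntimeError("pdftoppm produced no pages")
        # Some distributions ship an ImageMagick policy.xml that disables the PDF
        # coder; if PNG->PDF fails for that reason, img2pdf is a drop-in alternative.
        subprocess.run(["convert", *map(str, pages), str(dst)], check=True)
    return dst

# Constructed sample inputs (minimal PDF fragments, not real documents).
SAMPLE_PASSIVE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                  b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                  b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n%%EOF\n")
SAMPLE_ACTIVE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R\n"
                 b"/OpenAction << /S /JavaScript /JS (constructed sample) >> >> endobj\n%%EOF\n")
# Same content as SAMPLE_ACTIVE, with the names written using #xx escapes.
SAMPLE_ESCAPED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog\n"
                  b"/Open#41ction << /S /Java#53cript /J#53 (constructed sample) >> >> endobj\n%%EOF\n")
SAMPLE_OBJSTM = (b"%PDF-1.5\n4 0 obj << /Type /ObjStm /N 3 /First 16 /Filter /FlateDecode >>\n"
                 b"stream\n...\nendstream endobj\n")

if __name__ == "__main__":
    for label, sample in [("passive", SAMPLE_PASSIVE), ("active", SAMPLE_ACTIVE),
                          ("escaped", SAMPLE_ESCAPED), ("objstm", SAMPLE_OBJSTM)]:
        print(label, find_risky_features(sample))
```

The scan is deliberately conservative: a hit on /ObjStm or a /Filter'd stream means the answer is "unknown" rather than "clean", and the right response to either is the flatten or text-only path, not opening the file in a scripted viewer. qpdf's --qdf or --object-streams=disable can expand object streams first if a fuller scan is wanted.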



More information about the cypherpunks mailing list