It was reported [1] that html2ps suffers from an arbitrary file disclosure in SSI directives, as noted via the exploit [2] posted to PacketStorm. This has not been addressed upstream from what I can tell. If html2ps is called via a web page that allows a user to upload the content to convert to ps, it could allow for arbitrary file content disclosure based on the permissions of the user running html2ps. This would affect html2ps in Fedora 10, 11, rawhide, and EPEL 5.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
[2] http://www.packetstormsecurity.org/0909-exploits/html2ps-disclose.txt
This was not reported upstream at all, so I emailed the author. He isn't really maintaining html2ps anymore, but did provide the following patch to disable SSI support: *** 2526,2530 **** $inc=""; $file=$3; ! if($1 eq "include" && (substr($file,0,1) ne "/" || $opt_r)) { if(substr($file,0,1) ne "/") { $file=$B2.$file; --- 2526,2530 ---- $inc=""; $file=$3; ! if(0 && $1 eq "include" && (substr($file,0,1) ne "/" || $opt_r)) { if(substr($file,0,1) ne "/") { $file=$B2.$file; He has, however, indicated that he will try to come up with a better fix. I think it unlikely that many people would be using html2ps as a CGI to parse untrusted user input, so it may be prudent to disable the support altogether if we do not get an appropriate fix or cannot come up with one.
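Review bot: the `! if(0 && $1 eq "include" && ...)` line disables the include branch by making the whole condition dead code, with nothing in the hunk saying that SSI includes are intentionally switched off; a one-line comment above the `if` stating that, or a named option instead of the literal `0`, would stop a later maintainer from "fixing" it back. Note also that the test it neutralises, `substr($file,0,1) ne "/"`, only rejected absolute paths, and the following `$file=$B2.$file;` still prefixes any relative name, so a relative `../` path was never rejected by this check; if includes are ever re-enabled, the check needs to reject `..` path components as well as a leading `/`.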
Upstream has released 1.0b6 to address this issue: 091021 1.0b6 "Security" fix. Changed behavior for SSI, to avoid having arbitrary readable files disclosed on a web server that uses html2ps in a web application (cgi script etc), allowing HTML files to be uploaded for conversion. Setting up a service like this is begging for trouble in my opinion. (Is /bin/cat also a vulnerability, since one can use it in a web app, allowing uploading arbitrary parameters to it?) Could you update to the b6 release? The diff is quite small so patching would be an option as well, but because the only change in this version is this fix, I think it would be better to update to the latest version. http://user.it.uu.se/~jan/html2ps.html
New upstream fix does two things: disables SSI by default and checks for ".." in the file path. The problem is that the second check is done with the m// operator, which overwrites the $` and $' variables that are used later. IOW, the fix introduces a bug.
(In reply to comment #7) IOW, the fix introduces a regression. I have proposed the following fix to upstream: diff --git a/html2ps b/html2ps index 98d3b8c..b6fb943 100755 --- a/html2ps +++ b/html2ps @@ -2525,6 +2525,7 @@ sub Subst{ while(/<!--#(include|config|echo)\s+(\w+)\s*="([^"]+)"\s*-->/) { $inc=""; $file=$3; + my ($prefix, $suffix) = ($`,$'); if($1 eq "include" && ($file !~m"^/|\.\." || $opt_r)) { if(substr($file,0,1) ne "/") { $file=$B2.$file; @@ -2545,7 +2546,7 @@ sub Subst{ } elsif ($1 eq "echo") { $inc=$var{$3}; } - $_=$`.$inc.$'; + $_=$prefix.$inc.$suffix; } } s/(­?|­?|<!--hy-->)/)HY(/g;
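Review bot: the `my ($prefix, $suffix) = ($`,$');` capture sits in the right place, immediately after the `while` condition match and before `$file !~m"^/|\.\."` can run, so the second hunk's `$_=$prefix.$inc.$suffix;` rebuilds the document from the directive match rather than from the path match; that is the whole fix and it is correct. Two things worth a comment in the hunk: a successful `m"^/|\.\."` match (no capture groups) also resets `$1`, so any later branch in the same iteration keyed on `$1` would silently not fire, and copying the directive name into a lexical alongside `$prefix`/`$suffix` would make the loop body independent of match-variable lifetime entirely; and `|| $opt_r` bypasses both the absolute-path and the `..` rejection, so the option's documentation should state that it re-opens path traversal for untrusted input.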
Petr, have you heard from upstream yet regarding this? Is this fix suitable to fix the regression and something they will be incorporating upstream? Thanks.
No, I haven't. However, I think the patch is very trivial and the bug in the 1.0b6 upstream version is obvious. This is what I sent to upstream:

===Beginning of mail===
Date: Tue, 27 Apr 2010 13:30:50 +0200
From: Petr Pisar <ppisar>
To: jan.se
Subject: html2ps-1.0b6 SSI fix breaks document composition

Hello, while reviewing the html2ps-1.0b6 release because of the SSI directory traversal bug, I found your fix introduced a regression:

- if($1 eq "include" && (substr($file,0,1) ne "/" || $opt_r)) {
+ if($1 eq "include" && ($file !~m"(^/|\.\.)" || $opt_r)) {

The m/// operator replaces the $` and $' variables if the match succeeds. However, these variables are used later on to complete $_. This is the reason why the former code used substr() instead of the match operator. A simple fix is to store those two variables and retrieve their content at the end:

[the above quoted patch from comment #8]

This is a testcase where 1.0b6 dismisses everything and pastes just a part of the first included file name matching m"^/|..":

<html>
<body>
<p>Should include (README):</p>
<!--#include file="README"-->
<p>Should not include (../etc/passwd):</p>
<!--#include file="../etc/passwd"-->
<p>Should chroot (/etc/passwd):</p>
<!--#include file="/etc/passwd"-->
</body>
</html>
===End of mail===

Thus I have not waited longer and fixed the code in RHEL6 on my own.
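To make the regression from comment #7 and the mail above concrete, here is an added Perl example; it is not html2ps code and not from anyone on this bug. It reimplements only the SSI directive loop, once the way 1.0b6 does it (the rejection match runs after $` and $' were set by the directive match) and once with the prefix and suffix saved into lexicals first, as in the proposed patch. Instead of reading the filesystem it resolves includes from a constructed in-memory hash (`%fake_fs`, an assumption of this example), and it uses the mail's testcase as input. `subst_buggy` and `subst_fixed` are names chosen here.

```perl
#!/usr/bin/perl
# Added example, not html2ps code: shows how a second match operator clobbers
# $` and $' before the document is reassembled, and how saving them first
# (the comment #8 patch) avoids it.  Includes come from %fake_fs, a
# constructed stand-in for files html2ps would read from disk.
use strict;
use warnings;

my %fake_fs = (
    'README' => "README contents\n",
);

# Same directive regex shape as html2ps' Subst loop; the m{^/|\.\.} test is
# equivalent to upstream's m"^/|\.\." rejection of absolute and ".." paths.
my $directive_re = qr/<!--#(include|config|echo)\s+(\w+)\s*="([^"]+)"\s*-->/;

# 1.0b6 behaviour: when the path is rejected, the m{} match succeeds, so
# $` and $' now describe the match inside $file, not the match inside the
# document, and the rebuilt $_ collapses to a fragment of the file name.
sub subst_buggy {
    local $_ = shift;
    while (/$directive_re/) {
        my $inc  = "";
        my $file = $3;
        if ($1 eq "include" && $file !~ m{^/|\.\.}) {
            $inc = $fake_fs{$file} // "";
        }
        $_ = $` . $inc . $';    # wrong whenever the inner match succeeded
    }
    return $_;
}

# Patched behaviour: capture the text around the directive before any other
# match operator can run, then reassemble from those copies.
sub subst_fixed {
    local $_ = shift;
    while (/$directive_re/) {
        my $inc  = "";
        my $file = $3;
        my ($prefix, $suffix) = ($`, $');   # saved while they still refer to $_
        if ($1 eq "include" && $file !~ m{^/|\.\.}) {
            $inc = $fake_fs{$file} // "";
        }
        $_ = $prefix . $inc . $suffix;
    }
    return $_;
}

# Constructed input: the testcase from the mail to upstream.
my $doc = <<'HTML';
<p>Should include (README):</p>
<!--#include file="README"-->
<p>Should not include (../etc/passwd):</p>
<!--#include file="../etc/passwd"-->
<p>Should chroot (/etc/passwd):</p>
<!--#include file="/etc/passwd"-->
HTML

print "--- 1.0b6 (match clobbers \$` and \$') ---\n";
print subst_buggy($doc), "\n";
print "--- with prefix/suffix saved ---\n";
print subst_fixed($doc), "\n";
```

Run it with `perl` and the first section prints nothing but `/etc/passwd`: the `../etc/passwd` directive makes the inner match succeed at offset 0 of the file name, so `$`` is empty and `$'` is the rest of that name, and everything before and after the directive in the document is lost. The second section prints the whole document with the README contents spliced in and both rejected directives removed, which is the behaviour the original substr()-based code had. Because a failed match leaves `$`` and `$'` untouched, the bug only shows on a rejected path, which is why a test input must contain one.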
html2ps-1.0-0.3.b5.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/html2ps-1.0-0.3.b5.fc11
html2ps-1.0-0.4.b5.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/html2ps-1.0-0.4.b5.fc12
html2ps-1.0-0.2.b5.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/html2ps-1.0-0.2.b5.el5
Upstream has accepted the proposed patch (comment #8) and released new version 1.0b7.
html2ps-1.0-0.3.b5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
html2ps-1.0-0.4.b5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
html2ps-1.0-0.2.b5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.