Kozea / WeasyPrint

The awesome document factory
https://weasyprint.org
BSD 3-Clause "New" or "Revised" License

Is the SSRF vulnerability fixed? #1288

Closed cjaentsch closed 3 years ago

cjaentsch commented 3 years ago

We think of switching from PrinceXML to WeasyPrint.

While researching I just found a presentation about a nasty SSRF vulnerability in WeasyPrint: https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresent

Is this already fixed?

liZe commented 3 years ago

Hello @cjaentsch.

Just as other web renderers, WeasyPrint has a lot of features that are useful but also dangerous when not configured correctly. The problem presented in this document is covered by this chapter, with solutions listed at the bottom. You’ll find on the same page other possible vulnerabilities, with related solutions.

Regarding access to documents through URLs (including file://… URLs), the url_fetcher mechanism gives you full power to filter exactly what you want to filter. The documentation should give you enough information about that.

Don’t hesitate to ask if you need more information about security issues, we’ll be happy to help.

cjaentsch commented 3 years ago

@liZe Thank you for your answer! We want to use WeasyPrint as a standalone 1-on-1 replacement for PrinceXML - which seems to work quite smoothly. Is there a possibility to configure our own url fetcher filters without using WeasyPrint as a python lib?

liZe commented 3 years ago

Thank you for your answer!

You’re welcome!

We want to use WeasyPrint as a standalone 1-on-1 replacement for PrinceXML - which seems to work quite smoothly. Is there a possibility to configure our own url fetcher filters without using WeasyPrint as a python lib?

It’s currently not possible to do this without writing some Python code. What’s needed is often a small (~50/100 lines) Python script to use instead of the weasyprint command, but it’s not a simple CLI option. You can probably find examples online, and we can even write a small example if you want!

PrinceXML has equivalent "vulnerabilities" (sometimes called "features", depending on the context :smile:). Adding <script>PDF.attachFile("file:///etc/passwd", "passwd")</script> into the HTML file attaches /etc/passwd to the generated PDF when JavaScript is enabled.
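A minimal version of the kind of script mentioned above, added here as an example (it is not code from the WeasyPrint project or from this thread): it stands in for the weasyprint command and passes a url_fetcher that only allows http(s) resources from hosts resolving to public addresses, optionally limited to an allow-list. The host assets.example.com, the injectable resolve hook and the ValueError-based rejection are assumptions of this example.

```python
"""Stand-in for the `weasyprint` CLI that filters every resource URL (added example)."""
import ipaddress
import socket
import sys
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # no file://, data:, ftp:, ...
ALLOWED_HOSTS = {"assets.example.com"}   # assumed allow-list; None allows any public host


def is_allowed_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=socket.gethostbyname):
    """True only for http(s) URLs whose host is allow-listed and resolves to a public address.

    `resolve` is injectable so the policy can be exercised without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                     # rejects file:///etc/passwd and similar
    host = (parts.hostname or "").lower()
    if not host or (allowed_hosts is not None and host not in allowed_hosts):
        return False
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):        # unresolvable host or malformed address
        return False
    # is_global rejects loopback, RFC 1918, link-local (cloud metadata lives at
    # 169.254.169.254) and other reserved ranges.
    return addr.is_global


def restricted_url_fetcher(url):
    """WeasyPrint url_fetcher: apply the policy, then defer to the default fetcher."""
    if not is_allowed_url(url):
        raise ValueError(f"blocked by fetcher policy: {url}")
    from weasyprint import default_url_fetcher  # lazy import: the policy runs without WeasyPrint
    return default_url_fetcher(url)


def render(html_path, pdf_path):
    """Render an HTML file to PDF with the restricted fetcher instead of the default one."""
    from weasyprint import HTML
    HTML(filename=html_path, url_fetcher=restricted_url_fetcher).write_pdf(pdf_path)


if __name__ == "__main__":
    render(sys.argv[1], sys.argv[2])
```

The default fetcher still follows HTTP redirects and resolves DNS itself, so the check covers the requested URL rather than where the request ends up. Relative references in the input file resolve to file:// URLs and are blocked as well unless an http(s) base_url is passed to HTML().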

liZe commented 3 years ago

Feel free to reopen if there’s anything else we can do for you!