Closed cjaentsch closed 3 years ago
Hello @cjaentsch.
Just as other web renderers, WeasyPrint has a lot of features that are useful but also dangerous when not configured correctly. The problem presented in this document is covered by this chapter, with solutions listed at the bottom. You’ll find on the same page other possible vulnerabilities, with related solutions.
Regarding access to documents through URLs (including file://… URLs), the url_fetcher mechanism gives you full power to filter exactly what you want to filter. The documentation should give you enough information about that.
Don’t hesitate to ask if you need more information about security issues, we’ll be happy to help.
@liZe Thank you for your answer! We want to use WeasyPrint as a standalone 1-on-1 replacement for PrinceXML - which seems to work quite smoothly. Is there a possibility to configure our own url fetcher filters without using WeasyPrint as a Python lib?
Thank you for your answer!
You’re welcome!
We want to use WeasyPrint as a standalone 1-on-1 replacement for PrinceXML - which seems to work quite smoothly. Is there a possibility to configure our own url fetcher filters without using WeasyPrint as a Python lib?
It’s currently not possible to do this without writing some Python code. What’s needed is often a small (~50/100 lines) Python script to use instead of the weasyprint command, but it’s not a simple CLI option. You can probably find examples online, and we can even write a small example if you want!
PrinceXML has equivalent "vulnerabilities" (sometimes called "features", depending on the context :smile:). Adding <script>PDF.attachFile("file:///etc/passwd", "passwd")</script> into the HTML file attaches /etc/passwd to the generated PDF when JavaScript is enabled.
Feel free to reopen if there’s anything else we can do for you!
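The small wrapper script mentioned above, as an added example (not the WeasyPrint project's own code): a url_fetcher that only lets the renderer load http(s) resources from an allow-list of hosts and rejects file:// URLs and loopback/private addresses, then hands everything else to WeasyPrint's default_url_fetcher. The host names in ALLOWED_HOSTS are constructed placeholders; the script name safe_weasyprint.py is an assumption.

```python
"""Allow-list url_fetcher for WeasyPrint (added example, not WeasyPrint's own code)."""
import ipaddress
from urllib.parse import urlsplit

# Hosts the renderer may fetch from: constructed placeholder values, adjust to your deployment.
ALLOWED_HOSTS = {"static.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def check_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return None if `url` may be fetched, otherwise a string saying why not.

    Rejects everything that is not http(s) (so file://, data: and friends never
    reach the default fetcher), literal loopback/private/link-local addresses,
    and any host outside the allow-list. The allow-list is what really stops
    SSRF: an arbitrary hostname can still resolve to an internal address, so the
    IP-literal check alone is not enough.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname  # lower-cased; brackets already stripped for IPv6 literals
    if not host:
        return "URL has no host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not an IP literal
    if addr is not None and not addr.is_global:
        return f"address {host} is not a public address"
    if host not in allowed_hosts:
        return f"host {host!r} is not on the allow-list"
    return None


def safe_url_fetcher(url, *args, **kwargs):
    """Drop-in url_fetcher: validate first, then delegate to WeasyPrint's default fetcher."""
    reason = check_url(url)
    if reason is not None:
        # WeasyPrint logs the exception and leaves the blocked resource out of the PDF.
        raise ValueError(f"blocked {url}: {reason}")
    from weasyprint import default_url_fetcher  # lazy import: the checks run without WeasyPrint
    return default_url_fetcher(url, *args, **kwargs)


if __name__ == "__main__":
    import sys
    from weasyprint import HTML
    # Usage: python safe_weasyprint.py input.html output.pdf
    HTML(sys.argv[1], url_fetcher=safe_url_fetcher).write_pdf(sys.argv[2])
```

The same fetcher applies to stylesheets, images and fonts referenced from CSS, since WeasyPrint routes all of them through url_fetcher.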
We are thinking of switching from PrinceXML to WeasyPrint.
While researching I just found a presentation about a nasty SSRF vulnerability in WeasyPrint: https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresent
Is this already fixed?