Closed phfalk closed 6 years ago
I think it might be a good idea to restrict URLs to http:// and https:// protocols. The current demo allows file:// type URLs and can therefore be used to read information from the file system.
Try for example https://url-to-pdf-api.herokuapp.com/api/render?url=file:///etc/passwd
There might be issues with other protocols as well. I only tested file:// URLs.
See also #6
Thank you for opening the issue! Fixed in https://github.com/alvarcarto/url-to-pdf-api/commit/af5f96cc06fda90ea1dab5756e508aa11e139080