Created attachment 6321 [details] security wrapper Referring to: http://bugs.ghostscript.com/show_bug.cgi?id=691316 http://www.securityfocus.com/archive/1/511433 I see that at gs tries many files in (under) current directory at startup, so it is dangerous to do e.g. cd /tmp; gs any.ps To see list of files that gs tries, use: strace -omylog gs; grep '"\./' mylog | sort -u I now use a security wrapper (attached), to protect. Cheers, Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
AFAIK this is as documented. See doc/Use.htm on the '-P' , '-P-' switches for turning this behavior on and off. This is not new and changing it would upset other people.
Ghostscript makefiles have a macro to make -P- the default. Set SEARCH_HERE_FIRST=0 on your make line and voila! See the comments in: # Define whether or not searching for initialization files should always # look in the current directory first. This leads to well-known security # and confusion problems, but users insist on it. # NOTE: this also affects searching for files named on the command line: # see the "File searching" section of Use.htm for full details. # Because of this, setting SEARCH_HERE_FIRST to 0 is not recommended. This comment, and the build macro and -P- flag date back to at least 1997 (the oldest I have readily available -- version 5.03) so this issue, and our cautionary note have been known since then. The number of ghostscript users has grown, so changing the way that ghostscript finds files at this point would be painful for many users, and unless the comments relate to a way to make this 'painless' for existing users, please cease comments on this bug. The issue is CLOSED !!! Also, PLEASE make sure you have contacted the maintainers of the clients of ghostscript (gv, cups, etc). to let them know that in your opinion they should be using -P- along with -dSAFER. That way they can also address the need to explicitly specify paths on files they provide as input.