Bug 691736

Summary: New default -P- behaviour needs tweaking
Product: Ghostscript
Reporter: Tim Waugh <twaugh>
Component: PS Interpreter
Assignee: Alex Cherepanov <alex>
Status: RESOLVED WONTFIX    
Severity: normal    
Priority: P4    
Version: 8.71   
Hardware: PC   
OS: Linux   
Customer:
Word Size: ---

Description Tim Waugh 2010-10-28 13:21:54 UTC
The new default behaviour prevents files relative to the current working directory being loaded at initialisation when -dSAFER is used; this is great news. However, it also prevents these files being loaded after initialisation, leading to the sort of failure seen below. Is it possible to prevent non-system files being loaded during initialisation whilst retaining the ability to load CWD files after initialisation is finished?

touch spiral.ps
gs -dSAFER <<EOF
(spiral.ps) (r) file
EOF

GPL Ghostscript  9.00 (2010-09-14)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>Error: /invalidfileaccess in --file--
Operand stack:
   (spiral.ps)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   %loop_continue   --nostringval--   --nostringval--   false   1   %stopped_push   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:1151/1684(ro)(G)--   --dict:0/20(G)--   --dict:77/200(L)--
Current allocation mode is local
Last OS error: 11
Current file position is 21
GS<2>
Comment 1 Alex Cherepanov 2010-10-28 13:59:32 UTC
1. gs is working as designed. A rogue PS program is prevented from snooping
   on the user's files.

2. v. 9.00 didn't introduce anything new in this respect. Earlier versions
   of gs report exactly the same error.
Comment 2 Tim Waugh 2010-10-28 14:59:54 UTC
Sorry, this change of behaviour was introduced in 8.71, not 9.00.

Is there any switch that can be used for a known-good PS program that wants to (a) read user files, and (b) operate safely during initialisation so that user files are not read until initialisation is complete?
Comment 3 Ray Johnston 2010-10-28 15:28:27 UTC
Once 'SAFER' is set, the list of permitted directories is locked. Only by
having a 'known good' PS file in a location that is acceptable to be accessed
can the known good file be used by specifying that directory with the -I
option on the command line.

Ghostscript 9.00 is working as documented and as intended insofar as this
behavior is concerned.