Summary: | Security review bug - Error handling | ||
---|---|---|---|
Product: | Ghostscript | Reporter: | Ken Sharp <ken.sharp> |
Component: | Security (public) | Assignee: | Ray Johnston <ray.johnston> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | cbuissar, chris.liddell |
Priority: | P4 | ||
Version: | unspecified | ||
Hardware: | PC | ||
OS: | Windows 7 | ||
Customer: | Word Size: | --- |
Description
Ken Sharp
2018-09-04 15:45:24 UTC
I didn't realise this had been entered in bugzilla until I'd already got this working.... http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb713b3818b That implements a solution: we copy the default error handlers from errordict (during initialization) into the (pre-existing) dictionary gserrordict. We then make gserrordict noaccess. It also makes the default error handler procedure executeonly. When SAFER is in force, we ignore errordict, and only pull the handler from gserrordict. As before, gserrordict also contains Ghostscript specific error(s) which we don't want in errordict (where they might confuse jobs that expect only the errors Adobe includes), and also that shouldn't ever be manipulated by jobs, anyway. Thus Postscript jobs that expect to be able to manipulate errordict can still do so, but the changes will have no effect (in SAFER). I'm going to leave this open: topic for discussion: should we provide a solution that allows only specific errors to be "locked". The example that springs to mind is embedded systems would probably want to ensure the VMerror is always handled correctly, but may want to allow other errors to be replaced. As far as I am concerned (and based on experience with GS embedded customers), this can be closed. Customers that want to control handling of errors will modify the handler in errordict, and will most likely want that error handler to be used rather than what some PS job may have stuck in errordict, but if they want to, their error handler can load the handler from errordict and execute it. Now that Chris (et al.) have made the errordict a "dummy" version in SAFER mode, and the gserrordict cannot be changed, this can be closed. |