Insecure Features in PDFs

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • qpdf

    QPDF: A content-preserving PDF document transformer

  • Given how well Preview.app and Safari work for viewing >99% of PDFs I actually encounter in the wild, this article makes Apple's engineering decisions look good.

    It also confirms many suspicions I've had over the years that have led me to, e.g., running all PDFs from questionable sources through VirusTotal before viewing on platforms where I wouldn't normally run antivirus software.

    The original article also confirms my suspicions that this step is inadequate:

    Because the Launch action can be considered as a dangerous feature, we conducted a large-scale evaluation of 294,586 PDF documents downloaded from the Internet, in order to research if there are any legitimate use cases at all. Of those documents, only 532 files (0.18%) contained a Launch action. While none of the files was classified as malicious according to the VirusTotal database, we conclude that the Launch action is rarely used in the wild and its support should be removed by PDF implementations as well as the standard.

    Incidentally, the Launch action is still present in the most recent version of the PDF standard[1], with only OS-specific launch parameters deprecated (which include passing arguments to the launched executable, so eliminating the deprecated feature is still a significant security gain).

    Finally, I'm both personally and professionally curious about how the non-DoS examples in this article may apply to non-viewer PDF tools and libraries like qpdf[2] and Ghostscript's original and recently reimplemented PDF interpreters[3].

    [1] https://pdfa.org/resource/iso-32000-pdf/

    (registration required, but at least the base standard is available at no cost; sadly, important incorporated standards like ISO 21757-1:2020 [ECMAScript for PDF] are not)

    [2] https://qpdf.sourceforge.io

    [3] https://ghostscript.com/blog/pdfi.html
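A local pre-screening check for the Launch action discussed in the comment above, added here as an example and not code from the original post, from qpdf or from the paper: it scans a constructed sample PDF (assumed content, not a real file) for Launch action dictionaries and reports the deprecated OS-specific parameter dictionaries (/Win, /Unix, /Mac) the comment mentions. It goes one step beyond a plain byte search by also inflating FlateDecode streams, so actions stored inside object streams are scanned too.

```python
import re
import zlib

# Constructed sample, not a real file: a one-page PDF whose /OpenAction is a
# Launch action carrying the deprecated OS-specific /Win parameter dictionary.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /F (example.exe)
   /Win << /F (example.exe) /P (--flag) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")   # action subtype Launch
TARGET_RE = re.compile(rb"/F\s*\(([^)]*)\)")  # /F given as a literal string
OS_KEYS = (b"/Win", b"/Unix", b"/Mac")        # deprecated in ISO 32000-2

def scan_units(pdf_bytes):
    """Yield (label, body) for every top-level object and for the inflated
    content of every FlateDecode stream (object streams can hold actions)."""
    for m in OBJ_RE.finditer(pdf_bytes):
        yield b"obj " + m.group(1), m.group(2)
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            yield b"stream", zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data, or damaged: nothing more to inflate

def find_launch_actions(pdf_bytes):
    """Return one finding per unit containing a Launch action: its location,
    the /F target (if a literal string) and any OS-specific parameter keys."""
    findings = []
    for label, body in scan_units(pdf_bytes):
        if not LAUNCH_RE.search(body):
            continue
        target = TARGET_RE.search(body)
        findings.append({
            "where": label.decode(),
            "target": target.group(1).decode("latin-1") if target else None,
            "os_params": [k.decode() for k in OS_KEYS if k in body],
        })
    return findings

if __name__ == "__main__":
    for f in find_launch_actions(SAMPLE_PDF):
        print(f)  # {'where': 'obj 4', 'target': 'example.exe', 'os_params': ['/Win']}
```

The byte-pattern approach is a triage aid, not a parser: names written with hex escapes (such as `/L#61unch`), file specifications given as dictionaries rather than strings, and encrypted documents are not handled, so a hit or a miss here should be confirmed with a real PDF library such as qpdf.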
