Prevent Loading Unwanted Documents by URL in External Viewer #253
Comments
The same story with errorMessage: The error message displayed on the page can be controlled by an attacker via the "errorMessage" parameter. An attacker could craft a convincing message to trick a user into revealing their account information or visiting a malicious site.
/assets/pdfjs/web/viewer.html?errorMessage=Your%20account%20has%20been%20blocked,%20please%20visit%20www.attacker.com%20to%20restore%20access&errorAppend=true
Bug Report or Feature Request (mark with an x)

I'm using the library to load documents by BLOB in external viewer, which opens the document in a new browser tab. The URL then looks like this:
https://localhost:4200/assets/pdfjs/web/viewer.html?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&viewerId=ng2-pdfjs-viewer-ID1&beforePrint=true&afterPrint=true&pagesLoaded=true&pageChange=true&fileName=Car%20Loan%20Agreement.pdf&openFile=true&download=true&viewBookmark=true&print=true&fullScreen=true&find=true&locale=en-GB#&page=1&errorMessage=undefined&errorAppend=true
However, nothing prevents a user from changing the "file" query parameter value to e.g. this:
https://localhost:4200/assets/pdfjs/web/viewer.html?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdf
This exposes the app to phishing attacks.
Could I somehow prevent such behavior in any way?
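As an added example (not code from ng2-pdfjs-viewer or pdf.js, and not part of this issue), this is the kind of allow-list check a hosted viewer page could run over its query string before it loads anything or renders an error: the "file" value is accepted only when it is a blob: URL minted by the viewer's own origin or a same-origin http(s) URL, and the "errorMessage" value is never rendered, its presence only selects a fixed message. The function and constant names, the policy itself, and the sample query strings are assumptions constructed for illustration.

```javascript
// Added example, not code from ng2-pdfjs-viewer or pdf.js. Names
// (isAllowedFileParam, viewerPolicy, GENERIC_ERROR) and the policy are
// illustrative assumptions. Uses only the WHATWG URL globals available in
// browsers and Node.

const GENERIC_ERROR = "The document could not be loaded.";

// Accept the "file" value only if it is a blob: URL created by the viewer's
// own origin, or a same-origin http(s) URL. Other origins, protocol-relative
// //host paths, data: URLs and CORS proxies are all rejected.
function isAllowedFileParam(fileParam, viewerOrigin) {
  if (typeof fileParam !== "string" || fileParam.length === 0) return false;
  let url;
  try {
    // Relative paths resolve against the viewer origin; absolute URLs keep theirs.
    url = new URL(fileParam, viewerOrigin);
  } catch {
    return false;
  }
  if (url.protocol === "blob:") {
    // blob:https://host/uuid carries the minting origin in its opaque path.
    try {
      return new URL(url.pathname).origin === viewerOrigin;
    } catch {
      return false;
    }
  }
  if (url.protocol === "https:" || url.protocol === "http:") {
    return url.origin === viewerOrigin;
  }
  return false;
}

// Decide what the viewer may do with a raw query string. Returns the file
// URL it may open (or null), the error text it may show (or null), and the
// names of parameters whose supplied value was discarded.
function viewerPolicy(queryString, viewerOrigin) {
  const params = new URLSearchParams(queryString);
  const decision = { file: null, errorMessage: null, rejected: [] };

  const file = params.get("file");
  if (file !== null) {
    if (isAllowedFileParam(file, viewerOrigin)) decision.file = file;
    else decision.rejected.push("file");
  }

  // Attacker-controlled text is never rendered; the viewer's own default of
  // "undefined" means no error at all.
  const errorMessage = params.get("errorMessage");
  if (errorMessage !== null && errorMessage !== "" && errorMessage !== "undefined") {
    decision.errorMessage = GENERIC_ERROR;
    decision.rejected.push("errorMessage");
  }
  return decision;
}

// Constructed sample inputs modelled on the URLs quoted in the issue.
const VIEWER_ORIGIN = "https://localhost:4200";
const SAMPLE_QUERIES = [
  "?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&errorMessage=undefined&errorAppend=true",
  "?file=https%3A%2F%2Fcorsproxy.io%2F%3Fhttps%3A%2F%2Fappex.no%2Ftest-pdf.pdf&errorMessage=Your%20account%20has%20been%20blocked&errorAppend=true",
];

for (const q of SAMPLE_QUERIES) {
  console.log(JSON.stringify(viewerPolicy(q, VIEWER_ORIGIN)));
}
```

In a deployment this decision would be taken before the viewer's open call is reached, so a rejected "file" value never turns into a fetch; a Content-Security-Policy that limits connect-src to the application's own origin gives the same guarantee a second time at the browser level.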