[Bug]: Possible information disclosure #19304

Open
mrdvdrm opened this issue Jan 8, 2025 · 2 comments

mrdvdrm commented Jan 8, 2025

Attach (recommended) or Link to PDF file

Example.pdf

Web browser and its version

Firefox 134.0

Operating system and its version

Linux 64

PDF.js version

Firefox 134 embedded viewer

Is the bug present in the latest PDF.js version?

Yes

Is a browser extension

No

Steps to reproduce the problem

  1. Set up a web server, i.e. python, in a directory with the example PDF:
    python3 -m http.server
  2. Load the PDF document in the Firefox browser:
    localhost:8000/Example.pdf 1 GET works as expected
    127.0.0.1:8000/Example.pdf 1 GET works as expected
    192.168.1.128:8000/Example.pdf 1 GET + 2 Bad requests with binary info.
    pcurl:8000/Example.pdf 1 GET + 2 Bad requests with binary info.

What is the expected behavior?

Web server should receive a single GET for the PDF file

What went wrong?

Server receives two additional Bad requests with binary information whenever a URL or IP different from localhost or 127.0.0.1 is used.

When localhost address is used:
The Bad requests include binary information I have been unable to identify
[two images]

When ip address or pc url name is used:
[two images]

Link to a viewer

No response

Additional context

No response

@Snuffleupagus
Collaborator

Please see https://github.com/mozilla/pdf.js/blob/master/.github/CONTRIBUTING.md (emphasis mine):

If you are developing a custom solution, first check the examples at https://github.com/mozilla/pdf.js#learning and search existing issues. If this does not help, please prepare a short well-documented example that demonstrates the problem and make it accessible online on your website, JS Bin, GitHub, etc. before opening a new issue or contacting us in the Matrix room -- keep in mind that just code snippets won't help us troubleshoot the problem.


mrdvdrm commented Jan 11, 2025

It is not a new custom solution. I have logged the web requests of pdf.js to a simple web server running on the local machine and there are irregular requests from the pdf.js viewer that shouldn't occur. These requests contain binary data I cannot identify and could contain sensitive information.
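
One way to triage unidentified binary request data like that described in this thread, as an added example that is not part of the issue or of PDF.js: a plaintext listener such as `python3 -m http.server` logs a bad request when a client opens a TLS handshake against it, so this checks whether captured request bytes are a TLS ClientHello and reads its SNI host name. Whether the requests reported here are TLS handshakes is not established by the thread; the function names and the sample ClientHello are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def parse_sni(hello: bytes):
    """Return the SNI host name from a ClientHello body, or None if absent."""
    pos = 2 + 32                                        # client_version + random
    pos += 1 + hello[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
    pos += 1 + hello[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == 0:                               # server_name extension
            # layout: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack_from("!H", hello, pos + 7)[0]
            return hello[pos + 9:pos + 9 + name_len].decode("ascii", "replace")
        pos += 4 + ext_len
    return None

def classify(data: bytes) -> dict:
    """Classify the first bytes a plaintext HTTP listener received."""
    if data.startswith(HTTP_METHODS):
        return {"kind": "http"}
    # TLS record header: content type 0x16 (handshake), version major 0x03
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        if data[5] != 0x01:                             # handshake type 1 = ClientHello
            return {"kind": "tls-handshake", "sni": None}
        try:
            sni = parse_sni(data[9:])                   # skip record (5) + handshake (4) headers
        except (struct.error, IndexError):
            sni = None                                  # truncated capture
        return {"kind": "tls-client-hello", "sni": sni}
    return {"kind": "unknown"}

def sample_client_hello(host: bytes) -> bytes:
    """Constructed minimal ClientHello for testing; not captured traffic."""
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for blob in (b"GET /Example.pdf HTTP/1.1\r\n", sample_client_hello(b"pcurl"), b"\x00\x01binary"):
        print(classify(blob))
```

A ClientHello carries the requested host name and the client's supported cipher suites and extensions, so classifying the bytes first shows what, if anything, the unexpected requests actually expose.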
