
Opening PDF files in the browser vulnerability

We have a Java based web application deployed on WebLogic. We provide direct links to some PDF files, which the users can download/open in their browser. Our security team is claiming that to allow opening PDF files in the browser is a security risk. So they want to force the users to download the PDF files first rather than opening them in the browser window.

  1. Is this really a security risk?

  2. If the PDF is a trojan/vulnerable, how come downloading the file first and opening it could solve the problem?

  3. Is there a way to programmatically prevent the user from opening the PDF files in the browser window and to force downloading the PDF files first?

To force the browser to give download option to the PDF:

    // Java servlet: Content-Disposition "attachment" makes the browser offer a download dialog
    response.setHeader("Content-Disposition", "attachment;filename=\"" + filename + "\"");
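The one-liner above concatenates the filename straight into a response header. As an added example (not code from the original answer), the following Java class builds the same header value but strips CR/LF (response-header injection), removes path separators, escapes quotes in the quoted ASCII fallback, and adds an RFC 5987 filename* parameter for non-ASCII names. The class and method names are my own, and it assumes Java 10 or newer for URLEncoder.encode(String, Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Builds a safe Content-Disposition value for serving a PDF as a forced download (added example). */
public final class PdfDownloadHeaders {

    /**
     * Returns: attachment; filename="<ascii fallback>"; filename*=UTF-8''<percent-encoded>
     * Compared with plain string concatenation this:
     *  - drops CR, LF and other control characters, so a crafted name cannot inject extra headers,
     *  - replaces path separators, so the saved name cannot point outside the download folder,
     *  - escapes double quotes inside the quoted fallback so the value cannot be terminated early,
     *  - encodes non-ASCII names per RFC 5987 instead of emitting raw bytes.
     */
    public static String attachment(String filename) {
        String clean = filename.replaceAll("\\p{Cntrl}", "")   // CR, LF, NUL, ...
                               .replaceAll("[\\\\/]", "_");   // '\' and '/' path separators
        if (clean.isEmpty()) {
            clean = "download.pdf";                           // assumed default name
        }
        // ASCII fallback for older user agents: non-ASCII -> '_', then escape '"'
        // (backslashes were already replaced above, so only the quote needs escaping)
        String ascii = clean.replaceAll("[^\\x20-\\x7E]", "_")
                            .replace("\"", "\\\"");
        // RFC 5987 value: UTF-8 percent-encoding. URLEncoder uses '+' for space and
        // leaves '*' bare, neither of which is valid there, so patch both.
        String encoded = URLEncoder.encode(clean, StandardCharsets.UTF_8)
                                   .replace("+", "%20")
                                   .replace("*", "%2A");
        return "attachment; filename=\"" + ascii + "\"; filename*=UTF-8''" + encoded;
    }

    public static void main(String[] args) {
        // Constructed sample names (not taken from the page)
        System.out.println(attachment("report.pdf"));
        // CRLF and a quote in the name are neutralised instead of breaking the header
        System.out.println(attachment("evil\r\nSet-Cookie: x=1\".pdf"));
        // Non-ASCII name gets an ASCII fallback plus a filename* parameter
        System.out.println(attachment("报告 2024.pdf"));
    }
}
```

In the servlet, pair it with an explicit content type and nosniff so the browser does not second-guess the file type: response.setContentType("application/pdf"); response.setHeader("X-Content-Type-Options", "nosniff"); response.setHeader("Content-Disposition", PdfDownloadHeaders.attachment(name)). Note that this only controls how the file is delivered; as the next answer points out, it does nothing about what is inside the PDF.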

Forcing the user to save a PDF file first and then open it is actually likely to be more risky than allowing it to be opened in the browser.

It's not better:

  • Any vulnerabilities in your PDF reader (probably Adobe Reader) will be triggered whether it is opened now or later.
  • Any decent virus scanner will be able to scan a PDF before it is opened, no matter if the pdf was downloaded to a temporary internet files folder, or some other user selected folder (e.g. downloads). (But if these are your PDF files, viruses probably aren't much of a concern.)

But it might be worse:

  • If the client is Firefox, then allowing the pdf to be opened directly will lead to PDF.js being used, which is likely to be more secure than Adobe Reader. In bypassing this client, you're exposing your users to greater risk.
  • You are conditioning users to download and open files from the internet. A minor point, but the more you can avoid this the better.
