Forum How do I...?

Need a way to block file:// access

tarquinwj
It's important for our needs that we do not allow users to get access to the files on the server. All processing must be done with URLs or single uploaded files. Currently XInclude and <iframe> can load file:// URLs. Is there a way to stop Prince from supporting file:// URLs with the exception of the file specified on the command line?

Right now, they could use:
<iframe src="file:///usr/local/www/mainsite/passwords.php">

I can see the --no-network switch to do the opposite, but is there any way to do the equivalent of --no-file ?

Note, if there is no such ability now, and you consider adding such a switch, it must still be possible to do: `prince foo.xml -o bar.pdf` but foo.xml must not be able to load file:// URLs either as image/iframe resources, or using XInclude.

(Background info: We are running a server installation of Prince using a custom written Web UI, allowing internal URLs or file uploads to be converted. We use the PHP class, edited to provide access to a few more of the command line options, and to prevent \ and " in the file names or user/pass, while also allowing multiple files.)
mikeday
There is no way at present to prevent Prince from loading files, and it might be rather tricky to provide perfect security in all cases. For starters, XML files can refer to external entities, style rules can import external style sheets, and style sheets can refer to external font files and hyphenation pattern files. It might be possible to disable these with a command-line option, but the most secure approach would be to run Prince from a user account that doesn't have read access to important files, or even from within a chroot jail so that the files can't even be accessed at all.