1

I have a python web application that accepts a http URL to a PDF file from the URL. As part of what the application does, it needs to convert the PDF into a TIFF image using ghost script. And for this, the PDF needs to be saved locally. So to do this I use urllib like this:

testfile = urllib.URLopener()
pdf_destination = os.path.join(self.options.storefolder, self.options.uniquecode+".pdf")
testfile.retrieve(pdfurl, pdf_destination) //Fortify vuln. found here

This works ok, however, Fortify SCA gives a critical vulnerability of "Path Manipulation". Is there a way to resolve this? Should I just ensure that pdfurl contains a valid pdf file name? or is there a better way to resolve this?

Anthony
  • 33,838
  • 42
  • 169
  • 278
  • What is the source for pdfurl? But I'm reasonably sure you have a false positive, mark it in Fortify as a false positive if pdfurl does not come from a user. – Vetsin Jul 05 '17 at 02:27
  • Pdfurl does come from the user – Anthony Jul 05 '17 at 09:38

1 Answers1

1

Ghostscript doesn't need the file saved locally, it can accept the data piped via stdin. It then creates a local temporary copy of the file (because PDF files require random access) but I presume that would be acceptable.

Of course, that still leaves you the problem of piping the PDf file into Ghostscript via stdin, I don't know how you would do that.

KenS
  • 30,202
  • 3
  • 34
  • 51