如何在用户提供的 HTML 上安全地运行 wkhtmltopdf? [英] How to run wkhtmltopdf securely on user-supplied HTML?
问题描述
在用户提供的 HTML 上运行服务器端时,wkhtmltopdf 是否足够安全以防止滥用,如果是,我需要哪些参数?
Is wkhtmltopdf secure enough to prevent abuse when run server-side on user-supplied HTML, and if so, which arguments would I need?
我找到了如何禁止本地文件访问,但我也想至少阻止对 localhost 的网络访问,并且通常让它与现代浏览器一样安全.是吗?
I found how to disallow local file access, but I'd also like at least to prevent network access to localhost, and generally have it be about as secure as a modern browser. Is it?
我实际上并不打算在用户提供的 HTML 上运行 wkhtmltopdf,而是在服务器生成的 HTML 上运行.我担心 wkhtmltopdf 的存在会使任何 HTML 注入漏洞比其他情况严重得多.因此,理想情况下,我希望保护 wkhtmltopdf,就像我期待任意用户输入一样.
I don't actually intend to run wkhtmltopdf on user-supplied HTML, but on server-generated HTML. I'm concerned that the presence of wkhtmltopdf would make any HTML injection vulnerability far more severe than it may have been otherwise. So ideally I'd like to secure wkhtmltopdf as if I were expecting arbitrary user input.
推荐答案
答案似乎是这样做不够安全".
The answer appears to be "it is not secure enough to do that".
在本次讨论中,建议您应该在沙箱中运行它,并且过滤/清理提供的 HTML.
In this discussion, it was suggested that you should run it in a sandbox and filter/sanitize the supplied HTML.
作者没有提到需要什么样的 HTML 过滤.我能想到的一个可能的安全问题是 wkhtmltopdf 可以从服务器的 Intranet 访问通常无法从外部访问的内容并将其公开在 PDF 中.如果您使用 --disable-javascript 禁用 Javascript,并使用 --disable-local-file-access 禁用本地文件访问,那么仍然可以使用iframe,或使用内联 CSS 或 img.src 获取图像.
The authors do not mention what kind of HTML filtering is required. One possible security issue I can think of is that wkhtmltopdf could access content from the server's intranet that is not normally accessible from the outside and expose it in the PDF. If you disable Javascript with --disable-javascript, and disable local file access with --disable-local-file-access, then it's still possible to expose such content using an iframe, or by sourcing an image using inline CSS or img.src.
这篇关于如何在用户提供的 HTML 上安全地运行 wkhtmltopdf?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
