Toggle/Resize PDF Embeds

[ProxRocks]

this filter will only work if you are already using z12's "Toggle Flash Resize"...

it basically BLOCKS embedded PDFs until you-the-user toggles it "on" (i got fed up with a particular SSL site changing their d@mn license agreement every week or so and since i do NOT allow scripts within .pdf's, the embedded license agreement would throw up a 'do you wish to allow scripts' dialog)...

with this, i do NOT need to download the NEVER-READ-ANYWAY license agreement and just click the "I Agree" button (or toggle and read) and proceed on my merry way...

Code:

Name = "<embed>: Toggle PDFs [add]"
Active = TRUE
Bounds = "<embed*>( </embed>|)"
Limit = 2700
Match = "(*src=*.pdf*)\0"
        "$SET(tfr=$GET(tfr)1)"
        "(($TST(script=*))$SET(1=\\")$SET(2=\\)|$SET(1=")$SET(2=))"
Replace = "<span class=\1proxoFlash_$GET(tfr)\1 style=\1display:block\1>"
          "<a title=\1Play Media\1 onmouseover=\1proxo.tfr.titleFlash(event)\1>"
          "<img alt=\1Toggle Media\1 src=\1http://local.ptron/My_HTML/43unite_HTML/player_play.png\1 style=\1border-style:none\1 /><\2/a>"
          "<br />"
          "<\2/span>"
          "<span class=\1drsElement\1 style=\1display:none\1>"
          "<textarea style=\1display:none\1>"
          "\0"
          "<\2/textarea>"
          "<\2/span>"

[Graycode]

(Sep. 23, 2009 05:37 PM)ProxRocks Wrote:  ... and since i do NOT allow scripts within .pdf's, the embedded license agreement would throw up a 'do you wish to allow scripts' dialog)...

Can Proxo modify the data content of PDF files, even with 'application/pdf' or other non-text Content-Type?

The reason I ask that is I've been nailing JavaScript from PDF using my proxy.
When I change all its content '/JavaScript' into '/NotaScript' then *poof* the PDF scripting is disabled.

Got the idea from: http://answers.google.com/answers/thread...59827.html

[JJoe]

(Sep. 26, 2009 09:32 PM)Graycode Wrote:  Can Proxo modify the data content of PDF files, even with 'application/pdf' or other non-text Content-Type?

(Sep. 26, 2009 09:32 PM)Graycode Wrote:  change all its content '/JavaScript' into '/NotaScript'

Code:

[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: pdf force filtering (in) (fail)"
Match = "application/pdf$FILTER(true)(^)"

[Patterns]
Name = "Disable PDF scripting "
Active = TRUE
URL = "$IHDR(Content-Type:*/pdf) "
Limit = 11
Match = "/JavaScript"
Replace = "/NotaScript"

provided with no warranties of any kind, express or implied, including but not limited to...

Have fun

[ProxRocks]

i still got the (d@mn) "This document contains JavaScripts" error dialog with the filters as posted...

However, changing the [Patterns] filter to as below solved the nuisance for me - no error dialog at all, none, naughta...

Code:

Name = "Disable PDF scripting {JJoe} (modified)"
Active = TRUE
URL = "$IHDR(Content-Type:*/pdf)"
Limit = 3
Match = "/JS"
Replace = "/NotaScript"

AWESOME!


edit: byte limit dropped down to 3...

[JJoe]

I wonder if "/JS" is a little too little.

Inside http://www.documents.dgs.ca.gov/osp/pdf/std020.pdf
I see '/' followed by 'a-z' in what may be unrelated data.
Just '/js' may get more than the scripts.

Code:

247 0 obj<</S/JavaScript/JS(µiK17„$n\)\)ÈÐFx3.vìžÀ)>>
endobj

I think I've seen 'obj' followed by a line return.

How about

Code:

[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: pdf force filtering (in) (fail)"
Match = "application/pdf$FILTER(true)(^)"

[Patterns]
Name = "Disable PDF scripting "
Active = TRUE
URL = "$IHDR(Content-Type:*/pdf) "
Limit = 32
Match = "(obj <</S)\0/JavaScript/JS"
Replace = "\0"
          "/NotaScript/SS"

BTW,
I'm using 'HTML Debug info' to look inside the pdf.

Hmmm... Would be nice to get shonen in there

Code:

[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: pdf force filtering (in) (fail)"
Match = "application/pdf$FILTER(true)(^)"

[Patterns]
Name = "Disable PDF scripting shonen"
Active = TRUE
URL = "$IHDR(Content-Type:*/pdf) "
Limit = 32
Match = "(obj <</S)\0/JavaScript/JS"
Replace = "\0"
          "/ShonenScript/"

HTH

[ProxRocks]

(Sep. 27, 2009 05:00 PM)JJoe Wrote:  How about

Code:

[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: pdf force filtering (in) (fail)"
Match = "application/pdf$FILTER(true)(^)"

[Patterns]
Name = "Disable PDF scripting "
Active = TRUE
URL = "$IHDR(Content-Type:*/pdf) "
Limit = 32
Match = "(obj <</S)\0/JavaScript/JS"
Replace = "\0"
          "/NotaScript/SS"

BTW,
I'm using 'HTML Debug info' to look inside the pdf.

using debug-info here also, kinda cool to "see" something other than html code, lol...


the above is working for me... (didn't try the Shonen...)

[Graycode]

I applaud what you're doing to control undesirable aspects of certain PDF.

I've been just nailing the '/JavaScript' portion for PDF that comes from untrusted places, which seemed to kill their imbedded scripts from running. I hadn't realized that the '/JS' might also need to be hit in order to keep the reader from prompting though.

[ProxRocks]

i've only tested the prompting in Adobe Reader 9.1.3 (due to "office politics", i'm kinda stuck with it [though i honestly don't mind, i'm not a fan of Foxit et alia])...

although, i'm using a LITE version that i download the 'official' installer from Adobe, tweak the living crap out of it, then install without all of the useless Adobe BLOAT...

another option is a proggy called "Adobe Reader SpeedUp" - but in that i've learned how to "edit" the installer myself, i've since abandoned AR SpeedUp and don't even know if it still works with the latest AR...

[Siamesecat]

Can PDF viewers run Javascript? I read .pdf files with a helper application. What would the script be doing in a PDF reader?

[Graycode]

(Oct. 04, 2009 05:59 AM)Siamesecat Wrote:  Can PDF viewers run Javascript? I read .pdf files with a helper application.

I think most PDF viewers include the scripting ability.

Quote:What would the script be doing in a PDF reader?

Sometimes very simple things. Some of those from the IRS auto-format numbers you enter into their PDF forms.

But they can also do malicious things. Scripting in PDF has unfortunately become a vector for malware injection.
http://isc.sans.org/diary.html?storyid=6445

My personal view is that scripting doesn't belong in PDF. But it's there and that can't be ignored. I feel it's safer to kill off or otherwise disable PDF scripts, even if doing so might eliminate something potentially useful like pretty-number formatting for the IRS.

[ProxRocks]

it honestly never ceases to amaze me how so many people think "javascript" is a 'good thing'...

it's almost like the only way people start to "distrust" things anymore these days is if the entity contains the word "Microsoft" before it...

if it were called "MS JavaScript", you know dang well that more people would be blocking it in their browsers by default and they'd be aware of its presence in .pdf files...

[defconnect]

The potential danger of embedded JavaScripts in PDFs has been proved once again: http://blog.trendmicro.com/new-adobe-zero-day-exploit/
Acrobat JavaScript is by default enabled in Adobe Acrobat/Reader.

---

Adobe has been made aware of the problem and expects to release an update tomorrow: http://www.adobe.com/support/security/bu...09-15.html