| field | value | date |
|---|---|---|
| author | John MacFarlane <jgm@berkeley.edu> | 2021-08-20 21:43:22 -0700 |
| committer | John MacFarlane <jgm@berkeley.edu> | 2021-08-20 21:43:22 -0700 |
| commit | 13cf02acfd6ddc85bcd1788dc787d35fe92a2010 (patch) | |
| tree | 349c4fe336e4d6987fba17fb997e1c0bcfd13d76 /MANUAL.txt | |
| parent | 07d847a9100924e3c9bec1e536e2ad2b4b57162e (diff) | |
| download | pandoc-13cf02acfd6ddc85bcd1788dc787d35fe92a2010.tar.gz | |
MANUAL.txt/security: add a note on security risks of include directives.
Diffstat (limited to 'MANUAL.txt')
-rw-r--r-- | MANUAL.txt | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/MANUAL.txt b/MANUAL.txt index c94b69289..62ee9b593 100644 --- a/MANUAL.txt +++ b/MANUAL.txt @@ -6537,21 +6537,26 @@ application, here are some things to keep in mind: writer could in principle do anything on your file system. Please audit filters and custom writers very carefully before using them. -2. If your application uses pandoc as a Haskell library (rather than +2. Several input formats (including HTML, Org, and RST) support `include` + directives that allow the contents of a file to be included in the + output. An untrusted attacker could use these to view the contents of + files on the file system. + +3. If your application uses pandoc as a Haskell library (rather than shelling out to the executable), it is possible to use it in a mode that fully isolates pandoc from your file system, by running the pandoc operations in the `PandocPure` monad. See the document [Using the pandoc API](https://pandoc.org/using-the-pandoc-api.html) for more details. -3. Pandoc's parsers can exhibit pathological performance on some +4. Pandoc's parsers can exhibit pathological performance on some corner cases. It is wise to put any pandoc operations under a timeout, to avoid DOS attacks that exploit these issues. If you are using the pandoc executable, you can add the command line options `+RTS -M512M -RTS` (for example) to limit the heap size to 512MB. -4. The HTML generated by pandoc is not guaranteed to be safe. +5. The HTML generated by pandoc is not guaranteed to be safe. If `raw_html` is enabled for the Markdown input, users can inject arbitrary HTML. Even if `raw_html` is disabled, users can include dangerous content in URLs and attributes. |
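Review bot: the new item 2 states the risk of `include` directives but gives the reader no mitigation, and "An untrusted attacker" reads oddly since an attacker is untrusted by definition; suggest "an untrusted user supplying input" and a closing sentence pointing at the `PandocPure` mode already described in item 3 ("fully isolates pandoc from your file system"), which also neutralises include-based file reads, plus a note that running pandoc as a low-privilege user bounds which files such a directive can reach. It would also help to say explicitly that the included file's contents are disclosed because they appear in the converted output, which is what the first sentence of the item implies but the second does not spell out.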