From 13cf02acfd6ddc85bcd1788dc787d35fe92a2010 Mon Sep 17 00:00:00 2001 From: John MacFarlane Date: Fri, 20 Aug 2021 21:43:22 -0700 Subject: MANUAL.txt/security: add a note on security risks of include directives. --- MANUAL.txt | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'MANUAL.txt') diff --git a/MANUAL.txt b/MANUAL.txt index c94b69289..62ee9b593 100644 --- a/MANUAL.txt +++ b/MANUAL.txt @@ -6537,21 +6537,26 @@ application, here are some things to keep in mind: writer could in principle do anything on your file system. Please audit filters and custom writers very carefully before using them. -2. If your application uses pandoc as a Haskell library (rather than +2. Several input formats (including HTML, Org, and RST) support `include` + directives that allow the contents of a file to be included in the + output. An untrusted attacker could use these to view the contents of + files on the file system. + +3. If your application uses pandoc as a Haskell library (rather than shelling out to the executable), it is possible to use it in a mode that fully isolates pandoc from your file system, by running the pandoc operations in the `PandocPure` monad. See the document [Using the pandoc API](https://pandoc.org/using-the-pandoc-api.html) for more details. -3. Pandoc's parsers can exhibit pathological performance on some +4. Pandoc's parsers can exhibit pathological performance on some corner cases. It is wise to put any pandoc operations under a timeout, to avoid DOS attacks that exploit these issues. If you are using the pandoc executable, you can add the command line options `+RTS -M512M -RTS` (for example) to limit the heap size to 512MB. -4. The HTML generated by pandoc is not guaranteed to be safe. +5. The HTML generated by pandoc is not guaranteed to be safe. If `raw_html` is enabled for the Markdown input, users can inject arbitrary HTML. Even if `raw_html` is disabled, users can include dangerous content in URLs and attributes. -- cgit v1.2.3