On Thu, Jan 26, 2006 at 10:16:58AM +0100, Michel Messerschmidt wrote:
Carlos E. R. said:
The Wednesday 2006-01-25 at 16:01 -0800, Crispin Cowan wrote:
* PDF: Did you know that the PDF standard allows for embedded Javascript? And that the Adobe Acrobat viewer executes this Javascript? Much much scarier than web bugs.
I thought this only applied to Acrobat version 7. Also, I thought that other viewers, like xpdf, were safe in this respect.
Javascript is included in the PDF specification at least since v1.3 (i.e. Acrobat 4). And PDF supports event-triggered "auto-open" scripts with the same bad security design as MS Office formats (see chapter 8.5.2 in http://partners.adobe.com/public/developer/en/pdf/PDFReference.pdf for details).
I'm not sure if xpdf implements the javascript functionality.
For Acrobat, javascript/ECMAscript functionality is implemented as a plugin called "Escript.api" (found in the "plug_ins" subdirectory). To disable a plugin, simply remove it from this directory (including any subdirectories). Warning: Many other plugins depend on javascript (including the plugins for forms, spellcheck, weblinks, accessibility, digital signatures, multimedia). All these won't work properly without javascript.
Yes. Adobe is basing functionality heavily on JavaScript. I have actually talked to them and voiced my concerns, but they will not deviate from that course, basically because the functionality they want requires some kind of programming language inside.

Ciao, Marcus
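An added example, not part of the thread: a small triage check that counts the PDF name tokens behind the embedded scripts and "auto-open" triggers discussed above. The names /JavaScript, /JS, /OpenAction and /AA are taken from the PDF Reference rather than from the messages, the sample bytes are constructed, and the scan assumes the objects are not hidden inside compressed or encrypted streams.

```python
import re

# Name tokens of interest: script actions (/JavaScript, /JS) and the
# automatic triggers (/OpenAction on the catalog, /AA additional actions).
SUSPECT_NAMES = ("JavaScript", "JS", "OpenAction", "AA")

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
# Inside a name, "#xx" stands for one byte written in hex.
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each suspect name in the raw file bytes."""
    counts = dict.fromkeys(SUSPECT_NAMES, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def auto_runs_script(counts: dict) -> bool:
    """True when a script action and an automatic trigger are both present."""
    has_script = counts["JavaScript"] > 0 or counts["JS"] > 0
    has_trigger = counts["OpenAction"] > 0 or counts["AA"] > 0
    return has_script and has_trigger


# Constructed fragments for illustration; neither is a complete PDF file.
SAMPLE_SCRIPTED = (b"%PDF-1.3\n1 0 obj\n"
                   b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
                   b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1);) >>\nendobj\n")
SAMPLE_PLAIN = (b"%PDF-1.3\n1 0 obj\n"
                b"<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")

if __name__ == "__main__":
    for label, blob in (("scripted", SAMPLE_SCRIPTED), ("plain", SAMPLE_PLAIN)):
        found = scan_pdf(blob)
        print(label, found, "auto-run:", auto_runs_script(found))
```

A zero count only means nothing was visible in the uncompressed bytes, so a clean result here is a reason to look further, not a verdict.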