Thanks for the fast response, this is really helpful and it sounds pretty relieving. :-)

Best regards
Pascal

From: Waldemar Dick <[email protected]>
Sent: Tuesday, 19 October 2021 14:18
To: [email protected]
Subject: Re: pdf-code injection?

Hello Pascal,

It is just simple text, which is displayed and not interpreted or executed.
I would say, no risk there.
The only risk would be if the font rendering application had some security bug. But this shouldn't be your concern.

Best
Waldemar

On 19. 10 2021, at 14:10, Knüppel, Pascal <[email protected]> wrote:

Hi,

we are using Apache PDFBox to simply add a new page with some text to an already existing PDF file. Now we got a new requirement that wants us to insert free text chosen by the customer into the file. This actually makes me kind of nervous because I am not sure if it is possible to inject malicious code into the PDF file using the following code block:

    contentStream.beginText();
    contentStream.setFont(font, fontSize);
    contentStream.newLineAtOffset(marginLeft, texty);
    contentStream.showText(text);
    contentStream.endText();

Can anyone help me here? My guess would be that it is not possible because PDFBox is probably inserting the text – whatever it may contain – as simple text into the PDF file. But I am not sure of it.

Best regards
Pascal
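A way to check the point made in this thread, as an added example that is not part of the original messages: it writes constructed text full of PDF operator syntax through `showText`, re-parses the page's content stream and confirms that the operator sequence is unchanged and the text comes back as a single string operand. It assumes PDFBox 2.0.x on the classpath and the standard Helvetica font; the class name and the sample text are made up for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.pdfbox.contentstream.operator.Operator;
import org.apache.pdfbox.cos.COSString;
import org.apache.pdfbox.pdfparser.PDFStreamParser;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.PDPageContentStream;
import org.apache.pdfbox.pdmodel.font.PDType1Font;

// Added example (assumes PDFBox 2.0.x); class name is hypothetical.
public class ShowTextEscapingCheck {
    public static void main(String[] args) throws Exception {
        // Constructed input: would close the string and the text object if copied in verbatim.
        String text = "hello) Tj ET 0 0 100 100 re f BT (x\\";
        List<String> operators = new ArrayList<>();
        List<String> strings = new ArrayList<>();
        try (PDDocument doc = new PDDocument()) {
            PDPage page = new PDPage();
            doc.addPage(page);
            try (PDPageContentStream cs = new PDPageContentStream(doc, page)) {
                cs.beginText();
                cs.setFont(PDType1Font.HELVETICA, 12);
                cs.newLineAtOffset(50, 700);
                cs.showText(text);
                cs.endText();
            }
            // Re-parse what was written and separate operators from string operands.
            PDFStreamParser parser = new PDFStreamParser(page);
            parser.parse();
            for (Object token : parser.getTokens()) {
                if (token instanceof Operator) operators.add(((Operator) token).getName());
                if (token instanceof COSString) strings.add(((COSString) token).getString());
            }
        }
        System.out.println("operators: " + operators);
        System.out.println("strings:   " + strings);
        boolean unchanged = operators.equals(Arrays.asList("BT", "Tf", "Td", "Tj", "ET"))
                && strings.equals(Arrays.asList(text));
        if (!unchanged) throw new IllegalStateException("text altered the operator sequence");

        // Characters the font's encoding lacks (a line feed here) are rejected
        // with an exception rather than written through, so validate input first.
        try {
            PDType1Font.HELVETICA.encode("line1\nline2");
            System.out.println("line feed accepted by this font");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same round-trip check can be run as a unit test against the font and PDFBox version actually deployed, since encoding behaviour differs between font types.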

