When working on adding firejail to the image scalers I noticed that the PdfHandler extension shells out to ghostscript in the PdfHandler_body.php without using the -dSAFER option. The lack of -dSAFER is one the traditional pitfalls when dealing with PostScript files. Some examples:
https://lists.debian.org/debian-security-announce/2003/msg00016.html
https://lists.debian.org/debian-security-announce/2005/msg00180.html
https://lists.debian.org/debian-security-announce/2006/msg00102.html
Quoting from the ghostscript manpage:
-dSAFER
Restricts file operations the job can perform. Strongly recommended for spoolers, conversion scripts or other sensitive environments where a badly written or malicious PostScript program code must be prevented from changing important files.(Now why is such an option not the default? I don't know, but it's been like that for a long time, so people have probably just gotten used to it)
From what I can tell PdfHandler operates only on PDF files and I'm not sure whether the subset of PostScript used in PDFs is affected by the traditional attacks around commands like "deletefile", but at least the official docs from GhostScript also use -dSAFER when operating on PDFs, e.g. Chapter 2 of http://ghostscript.com/doc/8.54/Use.htm so I think it would we should add it just to be sure.