Page MenuHomePhabricator
Create Task
Maniphest T89765

Show warning about privacy/security issues on PDF file pages
Closed, ResolvedPublic2 Estimated Story Points
Actions

Assigned To
MarkTraceur
Authored By
Tgr
Feb 17 2015, 10:10 PM
Tags
Referenced Files
F56124: pdf-warning.png
Mar 5 2015, 6:56 PM
F56024: pdf-pages.png
Mar 5 2015, 4:47 PM
F53473: page-issue-orange.svg
Mar 3 2015, 11:05 AM
F53456: pdf-warning.png
Mar 3 2015, 11:05 AM
Subscribers
Aklapper
csteipp
gerritbot
Jdforrester-WMF
Krenair
Pginer-WMF
Tgr
Verdy_p

Description

There are various privacy and security issues with some PDF clients (Adobe Reader, Adobe Acrobat) which can be used to expose the IP address and other private data of the reader to the author of the document. These are not new but probably still not widely known.

We should display a small warning on PDF description pages and link to a page with information about how to set secure defaults in mainstream PDF readers.

Details

SubjectRepoBranchLines +/-
Add message documentation for file warningmediawiki/extensions/PdfHandlermaster+4 -0
Add warning about PDF files on the file page.mediawiki/extensions/PdfHandlermaster+35 -1
Add framework for file warningsmediawiki/coremaster+147 -3
[WIP] Add warning about PDF files on the file page.mediawiki/extensions/PdfHandlerwmf/1.25wmf15+54 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Feb 17 2015, 10:10 PM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added projects: Multimedia, acl*security.
Tgr subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2015, 10:10 PM
Gilles subscribed.Feb 18 2015, 9:58 AM

Isn't that something that could be filtered/sanitized at the upload stage? That's how we usually deal with file formats that can contain code/phone home features.

Anomie subscribed.Feb 18 2015, 2:57 PM

Apparently PDF has so many ways to hide such content that detecting such files is a hard problem. See https://blog.avast.com/2011/04/22/another-nasty-trick-in-malicious-pdf/ for an example.

Tgr added a comment.Feb 18 2015, 7:10 PM

T89745 has some details but in general there doesn't seem to be any library claiming to reliably identify such files, just various experimental tools / research projects. There are apparently several ways user data could be leaked by a PDF reader (Javascript, Flash, remote images, reference XObjects, DRM), and several content obfuscation techniques on top of that.

csteipp mentioned this in T89744: External reference in PDF.Feb 18 2015, 8:06 PM
Gilles added a project: Multimedia-Sprint-2015-02-25.Feb 25 2015, 9:01 AM
Gilles set Security to None.Feb 25 2015, 9:18 AM
Gilles edited a custom field.
Gilles assigned this task to Pginer-WMF.Feb 25 2015, 5:43 PM
Gilles added a project: Design.
Pginer-WMF added a comment.Mar 3 2015, 11:05 AM

From what I understood of the problem I considered the following:

  • The warning is about the format, so it may make sense to place it closer to where the format is displayed.
  • A subtle but visible indication is preferred since (a) it will appear for all PDFs regardless of the user being already aware, and (b) we want to avoid yet another warning box users tend to ignore.
  • A compact initial presentation, where user can expand on more details when needed would accommodate the different needs.

Based on that, I think the following could work:

  • For the original file section where the format information is provided, make the "application/pdf" text use a warning color. I picked orange (#FF5D00) in the example below, but we can go with yellow (#FFB50D) or red (#D11813) depending on the severity we consider for the issue).
  • An additional warning icon is shown next to the file format using the same color.
  • When hovering or clicking on the file format text or the icon, a tooltip will describe the issue including a link to a description page on how to configure your PDF viewer properly. I also included a remark to clarify that the issue is not specific for the file but general for the format.

A mockup with the above idea:

pdf-warning.png (731×1 px, 247 KB)

The icon used:

page-issue-orange.svg1 KBDownload

csteipp subscribed.Mar 3 2015, 5:43 PM

I really like the mockup! @Gilles, if this is something multimedia can schedule to get developed, I think we can safely call this addressed.

Gilles added a comment.Mar 4 2015, 9:17 AM

Yeah, we'll schedule it for our next sprint, which starts later today.

Gilles removed Pginer-WMF as the assignee of this task.Mar 4 2015, 9:17 AM
Gilles added a subscriber: Pginer-WMF.
Gilles edited projects, added Multimedia-Sprint-2015-03-04; removed Multimedia-Sprint-2015-02-25.Mar 4 2015, 4:52 PM
MarkTraceur claimed this task.Mar 4 2015, 8:17 PM
MarkTraceur triaged this task as High priority.
MarkTraceur added a comment.Mar 5 2015, 4:47 PM

@Pginer-WMF your mockup is on a PDF that only has one page - on multiple-paged PDFs, the page count comes after the MIME type:

pdf-pages.png (438×1 px, 102 KB)

Any changes with that in mind? (I will assume no for now, we can make them later)

MarkTraceur added a comment.Mar 5 2015, 5:03 PM

@Pginer-WMF sorry to hit you with concerns after the fact, but you also have, in the mockup, only part of the second message linked. Would it be terribly ugly for me to add a "learn more" link as a separate paragraph under the main warning?

MarkTraceur added a comment.Mar 5 2015, 5:06 PM

And...what is that link supposed to be to?

Pginer-WMF added a comment.Mar 5 2015, 5:29 PM

I think the same approach should work on multi-page PDFs, but it is a good catch, we can check how it looks in case we may want to adjust something (e.g., some spacing).

gerritbot subscribed.Mar 5 2015, 6:53 PM

Change 194564 had a related patch set uploaded (by MarkTraceur):
Add warning about PDF files on the file page.

https://gerrit.wikimedia.org/r/194564

gerritbot added a project: Patch-For-Review.Mar 5 2015, 6:53 PM

Change 194565 had a related patch set uploaded (by MarkTraceur):
Add framework for file warnings

https://gerrit.wikimedia.org/r/194565

MarkTraceur added a comment.Mar 5 2015, 6:56 PM

Here's what I've got so far.

pdf-warning.png (718×1 px, 167 KB)

gerritbot added a comment.Mar 5 2015, 7:13 PM

Change 194569 had a related patch set uploaded (by MarkTraceur):
[WIP] Add warning about PDF files on the file page.

https://gerrit.wikimedia.org/r/194569

gerritbot added a comment.Mar 5 2015, 7:14 PM

Change 194564 abandoned by MarkTraceur:
[WIP] Add warning about PDF files on the file page.

Reason:
Sorry! See https://gerrit.wikimedia.org/r/194569

https://gerrit.wikimedia.org/r/194564

MarkTraceur moved this task from Backlog to Needs code review on the Multimedia-Sprint-2015-03-04 board.Mar 5 2015, 7:31 PM
Tgr moved this task from Needs code review to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-04 board.Mar 6 2015, 1:09 AM
MarkTraceur moved this task from Reviewed, needs improvements to Needs code review on the Multimedia-Sprint-2015-03-04 board.Mar 6 2015, 8:26 PM
Gilles moved this task from Needs code review to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-04 board.Mar 9 2015, 9:24 AM
MarkTraceur added a comment.Mar 9 2015, 9:01 PM

Bit stalled as we deal with insanity in oojs-ui to make this possible.

Krenair added a project: OOUI.Mar 9 2015, 9:14 PM
Krenair subscribed.
Jdforrester-WMF mentioned this in rGOJUe0492fef1ec8: Add warning variant to MediaWiki set.Mar 9 2015, 9:32 PM
Jdforrester-WMF subscribed.Mar 9 2015, 9:34 PM

Trivial OOjs UI portion of this task now complete.

Jdforrester-WMF removed a project: OOUI.Mar 9 2015, 9:34 PM
TrevorParscal mentioned this in T92023: Make OOjs UI IconWidget flaggable so icon variants can be used, the way ButtonElement does.Mar 9 2015, 9:34 PM
TrevorParscal mentioned this in T92024: Make OOjs UI LabelWidget flaggable so text colors can be used, the way ButtonElement does.
TrevorParscal mentioned this in T92026: Add 'warning' message type and use 'warning' flag to OOUI messages.
TrevorParscal mentioned this in T92028: Reconsider use of colored buttons used in the body of the page..Mar 9 2015, 9:42 PM
Gilles edited projects, added Multimedia-Sprint-2015-03-11; removed Multimedia-Sprint-2015-03-04.Mar 11 2015, 4:22 PM
Gilles moved this task from Backlog to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-11 board.
Jaredzimmerman-WMF moved this task from Incoming to In Development on the Design board.Mar 11 2015, 7:15 PM
MarkTraceur moved this task from Reviewed, needs improvements to Needs code review on the Multimedia-Sprint-2015-03-11 board.Mar 13 2015, 3:50 PM
Gilles moved this task from Needs code review to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-11 board.Mar 16 2015, 1:09 PM
MarkTraceur moved this task from Reviewed, needs improvements to Needs code review on the Multimedia-Sprint-2015-03-11 board.Mar 18 2015, 3:05 PM
Gilles edited projects, added Multimedia-Sprint-2015-03-18; removed Multimedia-Sprint-2015-03-11.Mar 18 2015, 4:14 PM
Gilles moved this task from Backlog to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-18 board.
Gilles moved this task from Reviewed, needs improvements to Needs code review on the Multimedia-Sprint-2015-03-18 board.
Gilles moved this task from Needs code review to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-18 board.Mar 18 2015, 5:18 PM
gerritbot added a comment.Mar 18 2015, 5:25 PM

Change 194565 merged by jenkins-bot:
Add framework for file warnings

https://gerrit.wikimedia.org/r/194565

MarkTraceur mentioned this in rMWa398c0c93375: Add framework for file warnings.Mar 23 2015, 3:51 PM
MarkTraceur added a subtask: T93882: Write a page describing security problems with PDFs.Mar 25 2015, 2:09 PM
Gilles edited projects, added Multimedia-Sprint-2015-03-25; removed Multimedia-Sprint-2015-03-18.Mar 25 2015, 3:44 PM
Gilles moved this task from Backlog to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-25 board.Mar 25 2015, 3:47 PM
Gilles closed subtask T93882: Write a page describing security problems with PDFs as Resolved.Mar 26 2015, 12:57 PM
Gilles moved this task from Reviewed, needs improvements to Ready for testing on the Multimedia-Sprint-2015-03-25 board.Mar 26 2015, 1:07 PM
gerritbot added a comment.Mar 26 2015, 1:08 PM

Change 194569 merged by jenkins-bot:
Add warning about PDF files on the file page.

https://gerrit.wikimedia.org/r/194569

Diffusion mentioned this in rMEXTdca7da364c28: Updated mediawiki/extensions Project: mediawiki/extensions/PdfHandler….Mar 26 2015, 1:08 PM
Gilles mentioned this in rEPHDf4f87cebcc0b: Add warning about PDF files on the file page..Mar 26 2015, 1:10 PM
Gilles moved this task from Ready for testing to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-25 board.Mar 26 2015, 5:22 PM

Needs i18n documentation

gerritbot added a comment.Mar 26 2015, 7:17 PM

Change 199972 had a related patch set uploaded (by MarkTraceur):
Add message documentation for file warning

https://gerrit.wikimedia.org/r/199972

MarkTraceur moved this task from Reviewed, needs improvements to Needs code review on the Multimedia-Sprint-2015-03-25 board.Mar 26 2015, 7:27 PM
Gilles moved this task from Needs code review to Reviewed, needs improvements on the Multimedia-Sprint-2015-03-25 board.Apr 1 2015, 7:02 AM
csteipp mentioned this in T89745: Stored XSS in PDF files.Apr 20 2015, 5:21 PM
MarkTraceur added a comment.Apr 21 2015, 1:45 PM

csteipp asked me yesterday, on IRC, whether this could be closed, but the i18n patch still needs to be merged. One small fix to do. I'll do it first thing.

gerritbot added a comment.Apr 21 2015, 3:11 PM

Change 199972 merged by jenkins-bot:
Add message documentation for file warning

https://gerrit.wikimedia.org/r/199972

Diffusion mentioned this in rMEXT9d3df5491a89: Updated mediawiki/extensions Project: mediawiki/extensions/PdfHandler….Apr 21 2015, 3:11 PM
MarkTraceur mentioned this in rEPHDdf34a496c4c8: Add message documentation for file warning.Apr 21 2015, 3:12 PM
MarkTraceur closed this task as Resolved.Apr 21 2015, 3:17 PM

Thanks for the merge, @Tgr

Gilles unsubscribed.Apr 23 2015, 6:20 AM
Verdy_p subscribed.EditedApr 27 2015, 2:17 AM

May be we could force uploaded PDFs to be converted to DejaVu : stop supporting PDFs natively.

However this will require a lengthy conversion process to render them (and if they are prerendered as bitmaps, their storage size will be largely increased: this could be a problem for PDFs stored in Commons containing scanned facsimiles of books for Wikisource).

Can't we use some safe XML format to render them, such as "paged SVG" or an open document format like eBook ?

IMHO, the eBook format should be supported by default in Commons (like DejaVu) to deprecate PDF uploads (and avoid all server-side conversions: these conversions should be performed by an utility on a ToolLabs server, or by users themselves), but I've not considered if it is fully safe (can it embed scripts?). The ODT format is definitely not safe (just like Microsoft document formats that embed scripts in several languages).

The plain old RTF format could be enabled as well (without its scriptable extensions added by Microsoft), as well as standard TeX in a standard profile

We could support also PostScript, with Ghostscript running on the server in its "safe" minimum profile, including for generating DejaVu files (or just a single image in PNG format for previewing a single page of the PostScript file).

Aklapper added a comment.Apr 27 2015, 8:19 AM
In T89765#1237339, @Verdy_p wrote:

May be we could force uploaded PDFs to be converted to DejaVu : stop supporting PDFs natively.

That does not sound reasonible - PDF is a popular format.

chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits