Impact
Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if url_fetcher is configured to prevent access to files and URLs.
Patches
Fixed by 734ee8e that’s included in 61.2
Workarounds
- Check that no PDF attachment is defined in source HTML.
- Launch WeasyPrint in a sandbox that prevents access to the filesystem and the network.
Impact
Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if
url_fetcheris configured to prevent access to files and URLs.Patches
Fixed by 734ee8e that’s included in 61.2
Workarounds