Subscribe via RSS
Toggle Submenu
  1. Categories
  2. Recent
  3. Tags
View Replies (5)

Resolved Native PDF Metadata - Security Issue

  1. Issue
0
Votes
Undo
  1. Adrian Parker
    Adrian Parker
  2. PowerBuilder
  3. Friday, 15 November 2019 09:26 AM UTC

We've just had a security review and one thing that has been highlighted as important is that the PDFs generated by Powerbuilder PDFLib contain metadata.. which in of itself is okay, but one of the elements is the name of the windows user who created the PDF, which is considered an attack vector.

How can we stop Powerbuilder from outputting this ?

  1. PDF
  2. Security
Issues with global variables and a common PBL/PBD
Does Powerbuilder 2017 support EMS resumption
Responses (5)
Adrian Parker
Adrian Parker Accepted Answer Pending Moderation
  1. Monday, 18 November 2019 09:13 AM UTC
  2. PowerBuilder
  3. # 1

Hi Mark, 

From the picture, that looks like a datawindow property..  are you saying that we'd have to put something generic in there to stop the automatic insertion of the windows user, or will there be another property that says don't output that metadata field?

Cheers
Adrian

Comment
Mark Lee @Appeon
  1. Mark Lee @Appeon
  2. Tuesday, 19 November 2019 06:24 AM UTC
Hi Adrian,

Yes, this is a DataWindow property. In the new PB version, if you don't set this Author metadata field, then this metadata field will be empty in the exported PDF file. And the name of the windows user will no longer be inserted automatically.
  1. Helpful
Adrian Parker
  1. Adrian Parker
  2. Tuesday, 19 November 2019 08:35 AM UTC
Thanks Mark, one final question.. when will R2 be available.. I've seen one comment that says possibly 2020 Q1, but I'm being asked for something more specific if possible.
  1. Helpful
Mark Lee @Appeon
  1. Mark Lee @Appeon
  2. Wednesday, 20 November 2019 02:57 AM UTC
Hi Adrian,



As I know, the release of 2019 R2 is tentatively scheduled for March 2020. However, as for the exact date, it is not decided yet because it might be changed due to some additional requirements.



Regards,

  1. Helpful
There are no comments made yet.
Mark Lee @Appeon
Mark Lee @Appeon Accepted Answer Pending Moderation
  1. Monday, 18 November 2019 05:17 AM UTC
  2. PowerBuilder
  3. # 2

Hi Adrian,

Thanks for reporting this problem.

In fact, we have already provided the properties (Author, Subject, Keywords, Application, etc.) settings in our internal PB 2019 R2 Beta (see the attachment).

This functionality will be included in the next GA release.

 

Regards,

Attachments (1)
nativepdf properties settings.png nativepdf properties settings.png
Comment
Load more comments
Mark Lee @Appeon
  1. Mark Lee @Appeon
  2. Tuesday, 19 November 2019 06:34 AM UTC
Hi Michael,

Sorry to let you know that as this issue was reported recently, when we were scheduling the upcoming 2017 R3 MR, it was still in the requirements queue list waiting for further analysis. So in this case, there is no sufficient time for us to add it into the upcoming 2017 R3 MR yet, however, it will be considered in a future MR.



Regards,
  1. Helpful
Chris Pollach @Appeon
  1. Chris Pollach @Appeon
  2. Tuesday, 19 November 2019 18:36 PM UTC
Hi Everyone;

FYI: Just in case you open the current R2 "preview" beta and cannot find the new PDF meta data properties ... they are currently not in this beta. Mark has a newer build. These properties should be availabe for testing in the "official" customer beta in January, 2020.

Regards ... Chris

  1. Helpful
Mark Lee @Appeon
  1. Mark Lee @Appeon
  2. Wednesday, 20 November 2019 02:58 AM UTC
Hi Chris,



You are right. Thanks for your clarification.



Regards,
  1. Helpful
There are no comments made yet.
Chris Pollach @Appeon
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Friday, 15 November 2019 22:22 PM UTC
  2. PowerBuilder
  3. # 3

Hi Adrian;

   Got it ....

1) Use PDF ToolKit (free edition) - my favourite PDF tool I use called from PB Apps.  ;-)

    https://www.pdflabs.com/tools/pdftk-the-pdf-toolkit

2) Use the command ... for example

    pdftk MyDW_PDF.pdf dump_data output info.txt

3) Edit the TXT file and replace meta data values as required

    Use FileReadEX, FileWriteEx to automate the TXT file values via PowerScript

4) Run the PDF Toolkit command ...

    pdftk MyDW_PDF.pdf update_info  info.txt output MyDW_PDF.pdf

5) New PDF file signature ... (from my quick test a few minutes ago)

/Creator (PScript5.dll Version 5.2.2)
/Title (PDF Wars)
/Producer (Lucas films)
/Author (DarthVader)
/ModDate (D:20191114105002-05'00')
/CreationDate (D:20191114105002-05'00')

HTH

Regards ... Chris

Comment
There are no comments made yet.
Adrian Parker
Adrian Parker Accepted Answer Pending Moderation
  1. Friday, 15 November 2019 21:45 PM UTC
  2. PowerBuilder
  3. # 4

Hi Chris,

It is strange that nobody has highlighted this as an issue before given we've been producing PDFs from PB for something like 25 years.  But now someone has brought it up, we have to respond as I'm pretty sure someone is going to get seriously bent out of shape over it given the nature of the 'issue'.

I'll raise a ticket to get the ball rolling, but I'm also going to look at finding a PDF library that I could integrate into the app to modify the PDF files directly.. assuming that any kind of PB fix would be quite a ways down the road.

Cheers

Adrian

Comment
There are no comments made yet.
Chris Pollach @Appeon
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Friday, 15 November 2019 20:25 PM UTC
  2. PowerBuilder
  3. # 5

Hi Adrian;

   I just looked at my latest Native PDF generation and you are correct ...

/Subject ()
/Title (DataWindow)
/Author (Chris)
/Creator (Appeon PB)
/CreationDate (D:20191114110036-05'00')
/Producer (PDFlib 9.0.7p1 \(C++/Win32\))

    There is nothing that I know of that controls what "meta data" is ir is not placed into the PDF during the generation process. I would suggest opening up a Support Ticket for this issue.

FWIW: I also noticed that GhostScript does this as well when using the Distill! PDF generation option in the DWO.

</Producer(GPL Ghostscript 9.23)
/CreationDate(D:20191114105002-05'00')
/ModDate(D:20191114105002-05'00')
/Title(DataWindow)
/Creator(PScript5.dll Version 5.2.2)
/Author(Chris)>>endobj

Thought: I wonder if we can change this by some kind of O/S "impersonation" setting?

Regards ... Chris

 

 

Comment
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.
We use cookies which are necessary for the proper functioning of our websites. We also use cookies to analyze our traffic, improve your experience and provide social media features. If you continue to use this site, you consent to our use of cookies.