Simplify the way to pass the glyph drawing instructions from the worker to the main thread #18015

Merged
merged 1 commit into from Apr 28, 2024


calixteman
Contributor

and remove the use of eval in the font loader.

…er to the main thread

and remove the use of eval in the font loader.
@calixteman
Contributor Author

/botio test

@moz-tools-bot
Collaborator

From: Bot.io (Linux m4)


Received

Command cmd_test from @calixteman received. Current queue size: 0

Live output at: http://54.241.84.105:8877/c1ca9a99111a8e2/output.txt

@moz-tools-bot
Collaborator

From: Bot.io (Windows)


Received

Command cmd_test from @calixteman received. Current queue size: 0

Live output at: http://54.193.163.58:8877/a833d31f5fba71b/output.txt

@moz-tools-bot
Collaborator

From: Bot.io (Linux m4)


Failed

Full output at http://54.241.84.105:8877/c1ca9a99111a8e2/output.txt

Total script time: 27.17 mins

  • Unit tests: Passed
  • Integration Tests: Passed
  • Regression tests: FAILED
  different ref/snapshot: 18
  different first/second rendering: 3

Image differences available at: http://54.241.84.105:8877/c1ca9a99111a8e2/reftest-analyzer.html#web=eq.log

@moz-tools-bot
Collaborator

From: Bot.io (Windows)


Failed

Full output at http://54.193.163.58:8877/a833d31f5fba71b/output.txt

Total script time: 42.14 mins

  • Unit tests: Passed
  • Integration Tests: Passed
  • Regression tests: FAILED
  different ref/snapshot: 2

Image differences available at: http://54.193.163.58:8877/a833d31f5fba71b/reftest-analyzer.html#web=eq.log

@calixteman calixteman merged commit 85e64b5 into mozilla:master Apr 28, 2024
8 of 9 checks passed
@calixteman calixteman deleted the rm_eval_font_loader branch April 28, 2024 21:27
make-github-pseudonymous-again added a commit to infoderm/patients that referenced this pull request May 11, 2024
By default, pdfjs-dist optimizes some path resolution logic by compiling
a JavaScript function on the fly. The function is built using string
concatenation and no effort is made at sanitizing the parts it is
built from. These parts could contain user input, which leads to a code
injection vulnerability. This commit disables this default behavior.
An alternative is to upgrade pdfjs-dist to v4.2.67 or later.

See:
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
  - https://www.cve.org/CVERecord?id=CVE-2024-4367
  - https://security.snyk.io/vuln/SNYK-JS-PDFJSDIST-6810403
  - GHSA-wgrm-67xf-hhpq.
  - mozilla/pdf.js#18015
  - wojtekmaj/react-pdf#1786
  - https://security.stackexchange.com/questions/248462/is-firefoxs-new-javascript-support-within-pdf-files-a-security-concern/248985#248985
  - https://stackoverflow.com/questions/49299000/what-are-the-security-implications-of-the-isevalsupported-option-in-pdf-js
  - mozilla/pdf.js#10818
make-github-pseudonymous-again added a commit to infoderm/patients that referenced this pull request May 11, 2024
By default, pdfjs-dist optimizes some path resolution logic by compiling
a JavaScript function on the fly. The function is built using string
concatenation and no effort is made at sanitizing the parts it is
built from. These parts could contain user input, which leads to a code
injection vulnerability. This commit disables this default behavior.
An alternative is to upgrade pdfjs-dist to v4.2.67 or later.

For reference, see:
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
  - https://www.cve.org/CVERecord?id=CVE-2024-4367
  - https://security.snyk.io/vuln/SNYK-JS-PDFJSDIST-6810403
  - GHSA-wgrm-67xf-hhpq
  - mozilla/pdf.js#18015
  - wojtekmaj/react-pdf#1786
  - https://security.stackexchange.com/questions/248462/\
    is-firefoxs-new-javascript-support-within-pdf-files-a-security-concern/\
    248985
  - https://stackoverflow.com/questions/49299000/\
    what-are-the-security-implications-of-the-isevalsupported-option-in-pdf-js
  - mozilla/pdf.js#10818

Not sure if this will break anything and/or will make certain things
slower.
github-merge-queue bot pushed a commit to infoderm/patients that referenced this pull request May 11, 2024
By default, pdfjs-dist optimizes some path resolution logic by compiling
a JavaScript function on the fly. The function is built using string
concatenation and no effort is made at sanitizing the parts it is
built from. These parts could contain user input, which leads to a code
injection vulnerability. This commit disables this default behavior.
An alternative is to upgrade pdfjs-dist to v4.2.67 or later.

For reference, see:
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
  - https://www.cve.org/CVERecord?id=CVE-2024-4367
  - https://security.snyk.io/vuln/SNYK-JS-PDFJSDIST-6810403
  - GHSA-wgrm-67xf-hhpq
  - mozilla/pdf.js#18015
  - wojtekmaj/react-pdf#1786
  - https://security.stackexchange.com/questions/248462/\
    is-firefoxs-new-javascript-support-within-pdf-files-a-security-concern/\
    248985
  - https://stackoverflow.com/questions/49299000/\
    what-are-the-security-implications-of-the-isevalsupported-option-in-pdf-js
  - mozilla/pdf.js#10818

Not sure if this will break anything and/or will make certain things
slower.
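
The commit messages above describe a function compiled from concatenated, unsanitized strings, and this pull request's title describes passing glyph drawing instructions as data instead. The sketch below shows that data-driven pattern with validation; it is an added illustration, not pdf.js code, and the op list, tuple layout and function names are assumptions made for the example.

```javascript
// Added illustration, not pdf.js source. The op names, arities and the
// [name, ...args] tuple layout are assumptions made for this example.
const ARITY = new Map([
  ["save", 0], ["restore", 0], ["closePath", 0],
  ["moveTo", 2], ["lineTo", 2], ["scale", 2], ["translate", 2],
  ["quadraticCurveTo", 4], ["bezierCurveTo", 6], ["transform", 6],
]);

// Check every instruction before anything is drawn: known op, exact
// argument count, and finite numbers only (no strings, objects or NaN).
function validateGlyphCommands(cmds) {
  if (!Array.isArray(cmds)) throw new TypeError("commands must be an array");
  return cmds.map((entry, i) => {
    if (!Array.isArray(entry)) throw new TypeError(`cmd ${i}: not a tuple`);
    const [name, ...args] = entry;
    const arity = typeof name === "string" ? ARITY.get(name) : undefined;
    if (arity === undefined) throw new TypeError(`cmd ${i}: unknown op`);
    if (args.length !== arity) throw new TypeError(`cmd ${i}: bad arity`);
    for (const a of args) {
      if (typeof a !== "number" || !Number.isFinite(a)) {
        throw new TypeError(`cmd ${i}: non-numeric argument`);
      }
    }
    return [name, ...args];
  });
}

// Replay validated instructions as method calls on the drawing context.
// No source text is assembled, so nothing reaches eval or new Function.
function drawGlyph(ctx, cmds) {
  const checked = validateGlyphCommands(cmds);
  for (const [name, ...args] of checked) ctx[name](...args);
  return checked.length;
}

// Stand-in for a canvas 2D context that records the calls it receives.
function makeRecordingContext() {
  const calls = [];
  const ctx = {};
  for (const name of ARITY.keys()) ctx[name] = (...a) => calls.push([name, ...a]);
  return { ctx, calls };
}

// Constructed sample input: one well-formed glyph, and one whose transform
// carries a string where a number belongs (as untrusted file data might).
const GOOD = [["save"], ["transform", 0.001, 0, 0, 0.001, 0, 0], ["moveTo", 10, 20],
  ["lineTo", 30, 40], ["closePath"], ["restore"]];
const BAD = [["save"], ["transform", 0.001, 0, 0, "0.001", 0, 0], ["restore"]];
```

`BAD` is rejected before any call reaches the context, so a partially drawn glyph is never left behind.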