How secure are XPS documents?

StackOverflow https://stackoverflow.com/questions/1747323

  •  20-09-2019
  •  | 
  •  

Question

How secure are XPS documents? After looking from the inside of an XPS document, found the Unicode-string property. Could someone inject e.x. a script into the Unicode string property?

How does the XPS viewer treat the Unicode string property? As a collection of glyphs or what?

UPDATE: I added the following string as UnicodeText 

!@#$%^&*()_+

and the XPS viewer refused to open the file. This is how this question came into my mind

Was it helpful?

Solution

XPS documents, as opposed to (coughs) some other format cannot contain scripts or active content. They are only used as a high-fidelity pre-print format. That being said, it's not entirely impossible for XPS parsers to contain security vulnerabilities. And they can be exploited. So far I haven't heard of any such exploits, though.

But back to your point. If someone wants to put a script into a string in an XPS document he can surely do so. He just shouldn't expect it to be executed. If some software actually does that, then it's probably a security problem with the software and not with the file format.

Just because you can put malware into a text file (remember iloveyou.vbs?) that doesn't mean that text files themselves have a security vulnerability :-)

ETA: The UnicodeString attribute in question aids searching inside the XPS file:

The UnicodeString attribute holds the array of Unicode scalar values that are represented by the current element. Specifying a Unicode string is RECOMMENDED, as it supports searching, selection, and accessibility.

And while the string itself is expected to be in a certain format (also detailed in the standard on page 115), the reason why the viewer didn't want to accept your input is that it's not even well-formed XML since the ampersand (&) appears unescaped. I assume that it would work if you encode the ampersand as & as required by XML. The spec also states that

The standard XML escaping mechanisms are used to specify XML-reserved characters.

But even with that in place, the relationship between the UnicodeString attribute and other parts of the document are quite intricate. They wrote over half a page on that and which combinations are valid and which are not. So I'd suggest you read up on that first, before trying to play around further :-)

OTHER TIPS

p.95 of the XPS 1.0 spec: "The standard XML escaping mechanisms are used to specify XML-reserved characters."

The '&' might be causing troubles.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top