
PDF safety

Posted: Mon Apr 16, 2012 5:17 am
by aoq
How does IMSLP make sure that uploaded PDFs don't hold exploits inside? After all, malicious PDFs were how the first iPhones got jailbroken, and some PDF readers will run embedded JavaScript. (Well, not the ones I use, but still.)

A search of the forum didn't turn up anything, but I am curious as a user. Thank you.

Re: PDF safety

Posted: Sun Apr 22, 2012 9:39 pm
by daphnis
It's a valid question, and the present answer is that we don't. It'd probably be worth investigating some MediaWiki plug-in that examines uploaded PDFs for any sort of code. If any is found, the upload should be blocked. I can't think of a valid reason why any submitted PDFs need include such code.

Re: PDF safety

Posted: Mon Apr 23, 2012 11:27 am
by Choralia
At CPDL (http://www.cpdl.org) we analyzed this subject for scores hosted on our servers. According to http://blog.didierstevens.com/programs/pdf-tools/ most suspicious PDF files may be identified if they include both /AA and /OpenAction statements, as they indicate an automatic action to be performed when the page/document is viewed.

I intended to implement a script that performs this check for all CPDL files. Unfortunately, this activity has been in my pipeline for a long time... Anyway, I'm ready to share it with IMSLP when ready.

Max
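
A sketch of the kind of upload check discussed in this thread, added here as an example; it is not CPDL's, IMSLP's or Didier Stevens's code. It counts the /AA and /OpenAction names, plus /JS and /JavaScript, after undoing `#xx` name escapes; the `verdict` policy, the /ObjStm handling and the sample byte strings are assumptions made for illustration.

```python
import re

# Names from the thread (/AA, /OpenAction), script names for the concern in the
# first post, and /ObjStm: a raw byte scan cannot see inside compressed object
# streams, so their presence is itself worth a manual look.
WATCHED = ("/AA", "/OpenAction", "/JS", "/JavaScript", "/ObjStm")

# A PDF name runs from "/" to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /Open#41ction is counted as /OpenAction."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(data: bytes) -> dict:
    counts = dict.fromkeys(WATCHED, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(data: bytes) -> str:
    """Hypothetical upload policy: reject / block / review / accept."""
    if b"%PDF-" not in data[:1024]:
        return "reject"              # not a PDF at all
    c = count_names(data)
    if c["/JS"] or c["/JavaScript"]:
        return "block"               # embedded script: no reason for it in a score
    if c["/AA"] or c["/OpenAction"] or c["/ObjStm"]:
        return "review"              # /OpenAction is also used just to set the initial view
    return "accept"


# Constructed sample inputs (minimal fragments, not complete PDF files).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
VIEW_ONLY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction [4 0 R /Fit] >>\nendobj\n"
AUTO_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Open#41ction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /JavaScript /JS (var x = 1;) >>\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("view-only", VIEW_ONLY), ("auto-js", AUTO_JS)):
        print(label, verdict(sample), count_names(sample))
```

A keyword count like this is a triage filter for the upload queue, not proof that a file is safe or malicious.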