
pdfjs-viewer-shortcode's People

Contributors

benjaminlawson, octoxan, twistermc

pdfjs-viewer-shortcode's Issues

Create tutor lms lesson addpdf button not work

Hi, when I create a Tutor LMS plugin lesson,
there is an addpdf button next to insert media.
But when I press the addpdf button, it does not work and no window pops up.
Could you help me fix the problem?
This pdfjs-viewer is very useful for me.
Many thanks.

Preventing Ctrl+P

Hi,

First of all, I must say it is the best PDF embedder I have found on WordPress.

However, I found one issue which I must draw your attention to. Whenever a user sets the printing option to false, it is most likely that they want to switch off the printing function completely. What I see is that only the printing button gets removed. One can still print the file using Ctrl+P or Right Click > Print. Is that something you can fix from here? Or does it have to be done in mozilla/pdf.js?

If it is doable from here, I would like to have that feature.

Best,

Pratyay

LFI in viewer

I found an LFI in the viewer. I have the latest version of this plugin (1.5.9), and it's exploitable. Where can I write to explain it, so it can be patched ASAP? Sorry, English is not my native language.

My WordPress PDFs are showing blank on my website

Hi. I have had a working https://hsvpaddlersclub.com website for a couple of years using the pdf.js viewer plug-in and it's been fine. I logged in to add an event today and all the PDFs are grey blanks! I have automatic updates turned on for the plug-in. Something's broken recently, I think. I was working on the website a few days ago and everything was fine I think.
Here's a sample screenprint:
Screenshot 2024-06-10 132836

CSS Class

Hi, is it possible to set a class on $iframe_code and $fullscreen_link?
I think it's important to manage elements using theme's CSS.

Thanks a lot in advance.

An error occurred while loading the PDF

Hi,

I need some help, all of the pages using the plugin got an error viewing the PDF.

Please see screen shots and link below:

Screenshot (208)

[pdfjs-viewer url="https%3A%2F%2Fwww.philippineconsulatela.org%2Fwp-content%2Fuploads%2F2021%2F08%2FADVISORY-Deadline-of-Overseas-Voter-Registration-Corrected-Date.pdf" viewer_width=100% viewer_height=800px fullscreen=true download=false print=false]

Thank you.

Remove 'open file' feature option

Hi,

First, thank you for this wonderful plugin and your work on it.

Is it possible to have an option to remove/disable the "open file" feature, please?

I just don't see any use for it, and it makes the UI heavier. Also, I'm hoping it can't be a feature that leads to some sort of exploit.

Thank you very much :)

Problem with new update

The new update that came out on 10/22/2020 created a "fatal error" within my site. Deactivating the plugin has been the expedient solution to this problem. Has this been happening for others as well?

I am new to web development so don't know exactly what is going on here. Does anybody have some ideas as to what is going on here?

Also, is this the best place to ask this question?

add option display_pdf

Hello,
For my needs, I need to have an option to display only the full screen link.
Example of implementation:
option: display_pdf (true by default)
Thanks

Potential code injection problem

Hey Thomas McMahon,

I just wanted to share that the pdfjs/web/viewer.php file has a potential code injection problem. I would recommend changing the version outputs as follows:

<?php echo htmlentities($_GET["v"], ENT_QUOTES); ?>
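
What the suggested change does to a value that carries markup characters, shown as an added example that is not the plugin's code. It assumes `v` is a version string printed into an attribute of the viewer's asset tags; the function names and fallback value are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes the "v" query parameter is a
// version string echoed into an HTML attribute; function names are hypothetical.

/** 'Before': the request value is written into the attribute unchanged. */
function asset_tag_unsafe(string $v): string
{
    return '<script src="viewer.js?ver=' . $v . '"></script>';
}

/** The issue's suggestion: HTML-encode the value, including both quote styles. */
function asset_tag_encoded(string $v): string
{
    return '<script src="viewer.js?ver='
        . htmlentities($v, ENT_QUOTES, 'UTF-8') . '"></script>';
}

/** Stricter: a version string has a small alphabet, so allow-list it first. */
function asset_tag_validated(string $v): string
{
    if (!preg_match('/\A[0-9A-Za-z._-]{1,32}\z/', $v)) {
        $v = '0'; // hypothetical fallback when the value is not a version
    }
    return asset_tag_encoded($v);
}

// Constructed inputs: a normal version and one containing quote and tag characters.
$samples = ['2.3.200', '1"><b>x</b>'];

foreach ($samples as $v) {
    printf("input:     %s\n", $v);
    printf("unsafe:    %s\n", asset_tag_unsafe($v));    // quote closes the attribute
    printf("encoded:   %s\n", asset_tag_encoded($v));   // stays inside the attribute
    printf("validated: %s\n\n", asset_tag_validated($v)); // replaced by the fallback
}
```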

Security/Compatibility Concern: Plugin is calling PHP file(s) directly

– The Problem –
It appears pdfjs/web/viewer.php is being called directly & that’s problematic when WordPress hosting/sites are properly hardened to prevent that potentially harmful attack vector.

It’s a WordPress theme & plugin guideline to not call PHP files directly as this can be a serious security issue. Instead, the files should be included and then have their functions/hooks/etc. called via the WordPress system (which then has better control & view into what’s being done for security purposes & code interoperability as well as certifying that the code being run wasn’t just some random file that was uploaded & is really part of the plugin/system.)

As such, there are actually WordPress hosting providers, plugins (Sucuri being one of many), and configurations that specifically disable the ability of a PHP file located in a theme or plugin from being called directly. This importantly makes it so a malicious PHP file that might somehow be uploaded to the site can’t then just be executed by visiting that file (per it then being blocked). This then, unfortunately, blocks parts of plugins/themes that don’t follow the guideline & just have PHP file(s) being called directly (when that’s totally avoidable as mentioned above.)

– Potential Fix –
In the case of viewer.php, I see no reason it can’t have its code included that's called via more WordPress-integrated means (ex. as a virtual page URL that the plugin makes available which effectively serves as an alias for viewer.php to show the plugin officially expects that to be executed & isn't just a PHP file that could've potentially been injected into the site to then be run as potentially malicious standalone code [hence Sucuri & others offering to block standalone PHP file execution within the wp-content folder, etc.])

There might be cases outside of viewer.php, but that one is for sure actively problematic, at the moment.

Again, this is an important security precaution where this direct PHP file being called should be redone. Also, this means the plugin is actively breaking on assorted hosting/setups where they have things hardened against this potential attack vector as a whole.

https://wordpress.org/support/article/hardening-wordpress/#code-execution-plugins specifically calls out this guideline and details the officially recommended way (have it display a page like any other and adapt it and/or only output things as needed for what’s being shown [assuming it isn’t otherwise an admin-ajax.php related function instead of a page-style output]) to avoid this problem.

Sites with Sucuri have a workaround for now where you can whitelist PHP file execution for viewer.php within the wp-content folder, but that is an added step to make it so the plugin doesn't break that otherwise could be avoided through conventions WordPress documentation has outlined (per the link above.)

I've also posted this on the WP.org support forum just in case others experience this & don't know to also check GitHub: https://wordpress.org/support/topic/security-compatibility-concern-plugin-is-calling-php-files-directly/

Thanks for the great plugin. I just want to make sure this plugin is kept secure & doesn't break when sites/hosting harden their security in this particular way.
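
One way to build the "virtual page URL" described above, as an added example that is not the plugin's code. It assumes it is loaded from a plugin's main file inside WordPress; the `myviewer` names, the `pdf-viewer` slug and the template path are hypothetical.

```php
<?php
// Added example, not the plugin's code. The "myviewer" names, the "pdf-viewer"
// slug and the template path are hypothetical.

defined('ABSPATH') || exit; // refuse direct requests to this file

// 1. Map a site URL onto a custom query variable.
function myviewer_add_rewrite(): void
{
    add_rewrite_rule('^pdf-viewer/?$', 'index.php?myviewer=1', 'top');
}
add_action('init', 'myviewer_add_rewrite');

// 2. Register the query variable so WordPress keeps it.
add_filter('query_vars', function (array $vars): array {
    $vars[] = 'myviewer';
    return $vars;
});

// 3. Serve the viewer from inside WordPress, after core and security
//    plugins have loaded, instead of requesting a .php file in wp-content.
add_action('template_redirect', function (): void {
    if (get_query_var('myviewer') !== '1') {
        return; // not a viewer request; let WordPress continue normally
    }
    $file = isset($_GET['file'])
        ? esc_url_raw(wp_unslash($_GET['file']), ['http', 'https'])
        : '';
    if ($file === '') {
        wp_die('Missing or invalid file parameter.', '', ['response' => 400]);
    }
    // The template starts with the same ABSPATH guard and reads $file.
    include plugin_dir_path(__FILE__) . 'templates/viewer.php';
    exit;
});

// 4. Rebuild the rewrite rules once, when the plugin is activated.
register_activation_hook(__FILE__, function (): void {
    myviewer_add_rewrite();
    flush_rewrite_rules();
});
```

With this layout a host can block direct execution of every PHP file under wp-content without breaking the viewer, because the only entry point is index.php.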

Uncaught Error: Call to undefined function register_block_type()

Once updated to 1.5.1 on WordPress 4.8.14 I get HTTP 500 due to Call to undefined function register_block_type() in pdfjs-viewer.php on line 158.

Fixed by changing line 158 to:

    if ( function_exists( 'register_block_type' ) ) {
        register_block_type( 'blocks/pdfjs-block', array(
            'editor_script' => 'gutenberg-pdfjs',
            'editor_style'  => 'gutenberg-pdfjs-edit-style',
            'style'         => 'gutenberg-pdfjs'
        ) );
    }

#layers is undefined. #layers_label is undefined.

Hi!
I'm using RU lang.
I saw this warning in the console. How can I fix that?

#layers is undefined. l10n.js:825
#layers is undefined. l10n.js:897
#layers_label is undefined. l10n.js:825
#layers_label is undefined. l10n.js:897

URLs being manipulated

After updating to 1.5.2, the plugin is no longer loading the PDFs properly.

I am using this shortcode

[pdfjs-viewer url=https://octavosystems.com/octavosystems.com/wp-content/uploads/2020/04/OSD32MP1_BRK_SCH.pdf viewer_width=600px viewer_height=700px fullscreen=true download=true print=true]

I am getting this error message:

PDF.js v2.3.200 (build: 4ae3f9fc)
Message: Missing PDF "https://octavosystems.com/wp-content/uploads/2020/04/OSD32MP1_BRK_SCH.pdf".

It looks like the URL path is being manipulated to pull out the second octavosystems.com in the correct URL.

"viewer.mjs" was blocked because of a disallowed MIME type.

Hi,

In your latest version (v2.2) the PDF cannot be loaded onto the page and when I open the Browser Console I receive the following error message:

/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/viewer.mjs” was blocked because of a disallowed MIME type (“application/octet-stream”)

In NGINX or OpenLiteSpeed Web Server I need to add .mjs to the MIME config.

/usr/local/lsws/conf/mime.properties
js, mjs = text/javascript

This is not the correct way. That file "viewer.mjs" must be .js and the Server should not add such mimes.

Thanks ❤️

File origin does not match the viewer's

I get this error with any pdf I try to display.
I have media settings option to store media by year and date switched on - Is this causing the error with loading the pdf?
Only threads I see on the web seem to imply I either need to:

Set HOSTED_VIEWER_ORIGINS_OPTIONS - I don't know where to set this or what format is needed

Comment out code for this message - I feel this is unsafe and I don't want to change plug in code in any way

Please help resolve this for me

Cache pdfs from remote origins

Would it be possible that the plugin caches pdfs from remote origins, in order to avoid 'Message: file origin does not match viewer's' - errors?

The plugin does not work

For the past few days the plugin has not been displaying PDF files; see the attachment.
Image

What could the problem be, and how can it be resolved?

More options please :-)

Plugin is great ! thank you.

According to me it would be useful to add :

  1. Choices for the zoom : "full page" would be great and others
  2. Choices for scroll : for some documents, horizontal scroll is better and it exists just force this document to already have this setting by default.
  3. Choice for double page : same logic than the point 2.

by the way it seems the translation text possible for the fullscreen view doesn't work, and disable it also.

Thanks for considering my suggestions.

Best regards

https support

If I choose a PDF it is inserted as http and will not load (mixed content). I have to manually change it to https, which breaks the plugin settings in the editor.

Make use of pdfobject.js ?

I was building a similar (but not so sophisticated, only as shortcode) solution for a website, but decided to use pdfobject.js https://pdfobject.com/ on the front end, which checks the browser for an intrinsic PDF viewer and adds the PDF by an embed tag in this case. Only if it recognizes that there is no PDF viewer support does it call something else (in my case, exactly what you are doing, invoking a pdf.js viewer in an iframe). Perhaps this could be a good enhancement for your plugin? It speeds up many things in case of browser support.

Feature request: allow custom file URL in Gutenberg block

Hi, great plugin! Easy to use and very practical. Only thing: we are forced to use the short code because the block will not allow us to embed PDF files that are in a custom (ftp) directory.

Not a big issue because it works very well with the short code, but it might be an idea for improvement?

And maybe... an option to hide the Bookmark icon on the right... or allow custom CSS for the iframe via a style="..." shortcode parameter?

Blocked by Microsoft Defender SmartScreen in Edge

Hello,

I noticed that certain PDFs are blocked in Edge by Microsoft Defender SmartScreen only when using the pdfjs URL. Accessing them directly is fine.

Bad embed (blocked): https://dev.kla.com/advance/innovation/spts-co-develops-drug-administering-microneedles
Bad URL (blocked): https://www.kla.com/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/viewer.php?file=https://www.kla.com/wp-content/uploads/microneedles.pdf&attachment_id=0&dButton=true&pButton=true&oButton=false&sButton=true#zoom=auto&pagemode=none&_wpnonce=783542386d
Raw URL (works): https://www.kla.com/wp-content/uploads/microneedles.pdf

I noticed that the zoom parameter has a hash in front instead of an ampersand.
Changing the # to & on embed.php lines 131 and 136 fixed the issue with both the embed and the "fullscreen" URL.

I'll submit a pull request here shortly. Thank you!
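
How a URL of the shape quoted above splits into the part the server receives and the part only the browser sees, as an added example that is not the plugin's code. The host, file name, nonce value and function name are constructed.

```php
<?php
// Added example, not the plugin's code. The URLs are constructed to mirror the
// shape quoted in the issue; example.test and the nonce value are placeholders.

/** Split a viewer URL into what travels to the server and what does not. */
function split_viewer_url(string $url): array
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);       // sent in the HTTP request
    parse_str($parts['fragment'] ?? '', $fragment); // after "#": never sent
    return ['server' => $query, 'browser_only' => $fragment];
}

$base = 'https://example.test/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/viewer.php'
      . '?file=https://example.test/wp-content/uploads/sample.pdf&attachment_id=0&dButton=true';

$variants = [
    'hash before zoom'      => $base . '#zoom=auto&pagemode=none&_wpnonce=0000000000',
    'ampersand before zoom' => $base . '&zoom=auto&pagemode=none&_wpnonce=0000000000',
];

foreach ($variants as $label => $url) {
    $split = split_viewer_url($url);
    printf(
        "%s\n  server sees:  %s\n  browser only: %s\n",
        $label,
        implode(', ', array_keys($split['server'])),
        implode(', ', array_keys($split['browser_only'])) ?: '(nothing)'
    );
}
```

In the first variant `zoom`, `pagemode` and `_wpnonce` all sit in the fragment, so code on the server never receives them; in the second they are ordinary query parameters.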

Microsoft Defender unsafe website

Hi,
I would really like to use this plugin, but even in Chrome I get a huge red Microsoft Defender security warning, which will probably be a no-go for the nonprofit website it should be on.

I've tried to use latest code from development branch, I've updated the PDF.js javascript libraries to latest stable, the red warning is still present and scary.

Is this also happening to someone else? Is there any chance to fix this? It doesn't seem to happen with the pure PDF.js libraries...

Thanks!

pdfjs.history cookie not blocked until accepted by user

Hi,

Our friends over at Cookiebot notified us about a cookie being set without consent of the user. It's the pdfjs.history cookie. I can't find any setting in this plugin that may fix this.

When I asked Cookiebot support about this, they referred to this page.

I haven't searched for any hooks in the plugin code that can maybe add attributes to scripts. Is there such a thing? Or do you see any other solution?

Regards,
Bas

Viewer window takes too much space on 320px width

If plugin is used on a device width of 320px the viewer window is too large to fit. Tested with viewer setting width=0 and all pdf page fit options.

Result: Pdf document not centered in screen, viewer has horizontal scrollbar.

Small fonts in fillable fields

Hi,
When a fillable PDF is embedded, the font size of the fields is significantly smaller than that of the original file.
