[cairo-bugs] [Bug 99514] Allow to set the pdf metadata producer

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jan 24 11:02:58 UTC 2017


--- Comment #3 from Adrian Johnson <ajohnson at redneon.com> ---
(In reply to Paolo Borelli from comment #2)
> There are two reasons why we would like to be able to set this metadata:
> 1) There are libraries that use cairo internally: one example is libgxps
> which is used to convert xps to pdf and internally uses cairo: I think it
> would be more accurate to be able to set producer to gxps in that case

In this case you set the creator to gxps. The creator is the code that
generated the PDF content. The producer is the code that generated the PDF

> 2) As Ignacio mentioned, there are cases where it would be better to not
> include any metadata at all. This was reported to us as a security concern,
> if you have a server application that generates a pdf an attacker can know
> that the server is using cairo for that specific function and explot known
> vulerabilities

This is not a valid security concern. It is easy to determine the producer by
comparing the PDF structure with sample output from various PDF producers.

You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo-bugs/attachments/20170124/65ff6f40/attachment.html>

More information about the cairo-bugs mailing list