[cairo-bugs] [Bug 99514] Allow to set the pdf metadata producer

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jan 24 11:58:00 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=99514

--- Comment #5 from Paolo Borelli <paolo.borelli at gmail.com> ---
(In reply to Adrian Johnson from comment #3)
> (In reply to Paolo Borelli from comment #2)
> > There are two reasons why we would like to be able to set this metadata:
> > 
> > 
> > 1) There are libraries that use cairo internally: one example is libgxps
> > which is used to convert xps to pdf and internally uses cairo: I think it
> > would be more accurate to be able to set producer to gxps in that case
> 
> In this case you set the creator to gxps. The creator is the code that
> generated the PDF content. The producer is the code that generated the PDF
> structure.
>

Well, the creator would be the program that uses libgxps.


> > 2) As Ignacio mentioned, there are cases where it would be better to not
> > include any metadata at all. This was reported to us as a security concern,
> > if you have a server application that generates a pdf an attacker can know
> > that the server is using cairo for that specific function and exploit known
> > vulnerabilities
> 
> This is not a valid security concern. It is easy to determine the producer
> by comparing the PDF structure with sample output from various PDF producers.

Security is not black and white, it is about mitigating risk: reading metadata
is much simpler than what you describe. It is unfortunate that we will need to
strip the metadata in post processing...

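The post-processing step mentioned in the comment above could look like the following. This is an added example, not code from the bug report or from cairo. It assumes the Producer and Creator entries are stored as uncompressed literal strings in the document information dictionary (hex strings, object streams and XMP packets are not handled), and the sample bytes and function names are constructed for illustration. Values are overwritten with spaces of the same length so that the byte offsets in the cross-reference table stay valid.

```python
import re

# /Producer or /Creator followed by the opening '(' of a PDF literal string.
KEY_RE = re.compile(rb"/(Producer|Creator)\s*\(")

# Constructed sample: a fragment shaped like a PDF information dictionary.
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /Creator (example-app)\n"
          b"   /Producer (cairo 0.0.0 (https://example.org)) >>\nendobj\n")

def _literal_end(data, start):
    """Return the index just past the ')' that closes the literal at `start`.

    PDF literal strings may contain balanced parentheses and backslash escapes.
    """
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip the escaped byte
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated literal string")

def find_tool_metadata(data):
    """List (key, value, start, end) for each Producer/Creator literal found."""
    hits = []
    for m in KEY_RE.finditer(data):
        open_paren = m.end() - 1
        end = _literal_end(data, open_paren)
        hits.append((m.group(1).decode(), data[open_paren + 1:end - 1],
                     open_paren + 1, end - 1))
    return hits

def blank_tool_metadata(data):
    """Overwrite each value with spaces; file length and offsets are unchanged."""
    out = bytearray(data)
    for _key, _value, start, end in find_tool_metadata(data):
        out[start:end] = b" " * (end - start)
    return bytes(out)
```

Running `find_tool_metadata` over generated files in a release check shows which tool strings a service would disclose before any document leaves the server.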