Commit

Backport pull request #5694 from jellyfin-web/release-10.9.z
Disable eval support in pdfjs

Original-merge: 4bb0c67

Merged-by: thornbill <[email protected]>

Backported-by: Joshua M. Boniface <[email protected]>
thornbill authored and joshuaboniface committed Jun 23, 2024
1 parent 85b0697 commit 2cbc9e4
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion src/plugins/pdfPlayer/plugin.js
Expand Up @@ -207,7 +207,12 @@ export class PdfPlayer {
this.bindEvents();
GlobalWorkerOptions.workerSrc = appRouter.baseUrl() + '/libraries/pdf.worker.js';

const downloadTask = getDocument(downloadHref);
const downloadTask = getDocument({
url: downloadHref,
// Disable for PDF.js XSS vulnerability
// https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
isEvalSupported: false
});
return downloadTask.promise.then(book => {
if (this.cancellationToken) return;
this.book = book;
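
Review bot: The comment above `isEvalSupported: false` in the new `getDocument({...})` options links the advisory but does not say when the workaround can be dropped. Suggest extending it to state that the option should stay until the bundled pdf.js is upgraded to a release containing the upstream fix for GHSA-wgrm-67xf-hhpq, so a later dependency bump prompts a deliberate decision. Since the hunk only covers this one call in `PdfPlayer`, it is also worth confirming that no other `getDocument` call site still passes a bare URL and so keeps the default eval behaviour.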