Bug 99514 - Allow to set the pdf metadata producer
Summary: Allow to set the pdf metadata producer
Status: RESOLVED MOVED
Alias: None
Product: cairo
Classification: Unclassified
Component: pdf backend (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Adrian Johnson
QA Contact: cairo-bugs mailing list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-24 09:28 UTC by Ignacio Casal Quinteiro
Modified: 2018-08-25 13:37 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:


Attachments
patch (3.76 KB, patch)
2017-01-24 09:28 UTC, Ignacio Casal Quinteiro
Details | Splinter Review

Description Ignacio Casal Quinteiro 2017-01-24 09:28:25 UTC
Created attachment 129124 [details] [review]
patch

With the new api introduced in cairo 1.15 I think it might be also useful to allow to set the producer. My use case is to basically generate the pdfs without any metadata.

See the proposed patch attached.
Comment 1 Adrian Johnson 2017-01-24 09:44:51 UTC
The producer is the library that generated the PDF. This is always cairo.
Comment 2 Paolo Borelli 2017-01-24 10:09:45 UTC
There are two reasons why we would like to be able to set this metadata:


1) There are libraries that use cairo internally: one example is libgxps which is used to convert xps to pdf and internally uses cairo: I think it would be more accurate to be able to set producer to gxps in that case

2) As Ignacio mentioned, there are cases where it would be better to not include any metadata at all. This was reported to us as a security concern, if you have a server application that generates a pdf an attacker can know that the server is using cairo for that specific function and explot known vulerabilities
Comment 3 Adrian Johnson 2017-01-24 11:02:58 UTC
(In reply to Paolo Borelli from comment #2)
> There are two reasons why we would like to be able to set this metadata:
> 
> 
> 1) There are libraries that use cairo internally: one example is libgxps
> which is used to convert xps to pdf and internally uses cairo: I think it
> would be more accurate to be able to set producer to gxps in that case

In this case you set the creator to gxps. The creator is the code that generated the PDF content. The producer is the code that generated the PDF structure.

> 2) As Ignacio mentioned, there are cases where it would be better to not
> include any metadata at all. This was reported to us as a security concern,
> if you have a server application that generates a pdf an attacker can know
> that the server is using cairo for that specific function and explot known
> vulerabilities

This is not a valid security concern. It is easy to determine the producer by comparing the PDF structure with sample output from various PDF producers.
Comment 4 Ignacio Casal Quinteiro 2017-01-24 11:52:09 UTC
> 
> This is not a valid security concern. It is easy to determine the producer
> by comparing the PDF structure with sample output from various PDF producers.

Well, clearly it will not stop from doing that but it will make it more difficult though. I do no not see such a problem adding the ability to set that field.
Comment 5 Paolo Borelli 2017-01-24 11:58:00 UTC
(In reply to Adrian Johnson from comment #3)
> (In reply to Paolo Borelli from comment #2)
> > There are two reasons why we would like to be able to set this metadata:
> > 
> > 
> > 1) There are libraries that use cairo internally: one example is libgxps
> > which is used to convert xps to pdf and internally uses cairo: I think it
> > would be more accurate to be able to set producer to gxps in that case
> 
> In this case you set the creator to gxps. The creator is the code that
> generated the PDF content. The producer is the code that generated the PDF
> structure.
>

Well, the creator would be the program that uses libgxps.

 
> > 2) As Ignacio mentioned, there are cases where it would be better to not
> > include any metadata at all. This was reported to us as a security concern,
> > if you have a server application that generates a pdf an attacker can know
> > that the server is using cairo for that specific function and explot known
> > vulerabilities
> 
> This is not a valid security concern. It is easy to determine the producer
> by comparing the PDF structure with sample output from various PDF producers.

Security is not black and white, it is about mitigating risk: reading metadata is much simpler than what you describe. It is unfortunate that we will need to strip the metadata in post processing...
Comment 6 Bryce Harrington 2017-02-07 01:33:45 UTC
It sounds like there are two distinct problems wanting addressed:

1.  A way to omit metadata entirely from generated PDFs
2.  A way to modify the Producer string in cairo-generated PDFs

Regarding the first point:  Like Adrian I'm skeptical of the actual value of omitting metadata for security protection (seems merely security-through-obscurity) -- I'd need to see a stronger case made to be convinced.  That said, I recall in Inkscape we had some interoperational/compatibility problems with SVG that included metadata, so provide a way for users to get stripped down "plain SVG" that excludes it.  I don't know if such problems are at all likely with PDF metadata, but if there are legitimate concerns here I wouldn't be opposed to allowing a toggle to omit it.

For the second point, again like Adrian says it appears that most cases where an app or library is using Cairo to produce PDFs they should list themselves as the Creator with Cairo as the PDF Producer.  Googling around seems to indicate Adobe and other PDF tools follow this same strategy.  There does seem to be demand for an ability to customize the Producer field, but from what I can tell it seems to be for branding purposes (or maybe even more nefarious reasons), which seem hardly compelling...

That said, it seems like it is easy enough to edit the generated PDF's metadata using other free software tools, and maybe it'd be better for Cairo to allow adding to the string so Cairo still gets tagged.  E.g. I'm thinking something more like:

... "   /Producer %s (cairo %s (http://cairographics.org))\n",
    ic->docinfo.producer, cairo_version_string ())

On the other hand, maybe the use case for this is small enough we could just direct folks that need to manipulate the metadata to the third party editing tools that they'd be using anyway?
Comment 7 GitLab Migration User 2018-08-25 13:37:55 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/109.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.