ocrmypdf-doc 6.1.2-1ubuntu1 / usr / share / doc / ocrmypdf / html / security.html

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>PDF security issues &mdash; ocrmypdf 6.1.2 documentation</title>
  

  
  
  
  

  

  
  
    

  

  
  
    <link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
  

  

  
        <link rel="index" title="Index"
              href="genindex.html"/>
        <link rel="search" title="Search" href="search.html"/>
    <link rel="top" title="ocrmypdf 6.1.2 documentation" href="index.html"/>
        <link rel="next" title="Common error messages" href="errors.html"/>
        <link rel="prev" title="Batch processing" href="batch.html"/> 

  
  <script src="_static/js/modernizr.min.js"></script>

</head>

<body class="wy-body-for-nav" role="document">

   
  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search">
          

          
            <a href="index.html" class="icon icon-home"> ocrmypdf
          

          
          </a>

          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <ul>
<li class="toctree-l1"><a class="reference internal" href="introduction.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="release_notes.html">Release notes</a></li>
<li class="toctree-l1"><a class="reference internal" href="languages.html">Installing additional language packs</a></li>
</ul>
<p class="caption"><span class="caption-text">Usage</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="cookbook.html">Cookbook</a></li>
<li class="toctree-l1"><a class="reference internal" href="advanced.html">Advanced features</a></li>
<li class="toctree-l1"><a class="reference internal" href="batch.html">Batch processing</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">PDF security issues</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#pdfs-may-contain-malware">PDFs may contain malware</a></li>
<li class="toctree-l2"><a class="reference internal" href="#how-ocrmypdf-processes-pdfs">How OCRmyPDF processes PDFs</a></li>
<li class="toctree-l2"><a class="reference internal" href="#using-ocrmypdf-online-or-as-a-service">Using OCRmyPDF online or as a service</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#limiting-cpu-usage">Limiting CPU usage</a></li>
<li class="toctree-l3"><a class="reference internal" href="#temporary-storage-requirements">Temporary storage requirements</a></li>
<li class="toctree-l3"><a class="reference internal" href="#timeouts">Timeouts</a></li>
<li class="toctree-l3"><a class="reference internal" href="#commercial-alternatives">Commercial alternatives</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#password-protection-digital-signatures-and-certification">Password protection, digital signatures and certification</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="errors.html">Common error messages</a></li>
</ul>

            
          
        </div>
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="index.html">ocrmypdf</a>
        
      </nav>


      
      <div class="wy-nav-content">
        <div class="rst-content">
          















<div role="navigation" aria-label="breadcrumbs navigation">

  <ul class="wy-breadcrumbs">
    
      <li><a href="index.html">Docs</a> &raquo;</li>
        
      <li>PDF security issues</li>
    
    
      <li class="wy-breadcrumbs-aside">
        
            
            <a href="_sources/security.rst.txt" rel="nofollow"> View page source</a>
          
        
      </li>
    
  </ul>

  
  <hr/>
</div>
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
  <div class="section" id="pdf-security-issues">
<h1>PDF security issues<a class="headerlink" href="#pdf-security-issues" title="Permalink to this headline">¶</a></h1>
<blockquote>
<div>OCRmyPDF should only be used on PDFs you trust. It is not designed to protect you against malware.</div></blockquote>
<p>Recognizing that many users have an interest in handling PDFs and applying OCR to PDFs they did not generate themselves, this article discusses the security implications of PDFs and how users can protect themselves.</p>
<p>The disclaimer applies: this software has no warranties of any kind.</p>
<div class="section" id="pdfs-may-contain-malware">
<h2>PDFs may contain malware<a class="headerlink" href="#pdfs-may-contain-malware" title="Permalink to this headline">¶</a></h2>
<p>PDF is a rich, complex file format. The official PDF 1.7 specification, ISO 32000:2008, is hundreds of pages long and references several annexes each of which are similar in length. PDFs can contain video, audio, XML, JavaScript and other programming, and forms. In some cases, they can open internet connections to pre-selected URLs. All of these possible attack vectors.</p>
<p>In short, PDFs <a class="reference external" href="https://security.stackexchange.com/questions/64052/can-a-pdf-file-contain-a-virus">may contain viruses</a>.</p>
<p>This <a class="reference external" href="https://theinvisiblethings.blogspot.ca/2013/02/converting-untrusted-pdfs-into-trusted.html">article</a> describes a high-paranoia method which allows potentially hostile PDFs to be viewed and rasterized safely in a disposable virtual machine. A trusted PDF created in this manner is converted to images and loses all information making it searchable and losing all compression. OCRmyPDF could be used restore searchability.</p>
</div>
<div class="section" id="how-ocrmypdf-processes-pdfs">
<h2>How OCRmyPDF processes PDFs<a class="headerlink" href="#how-ocrmypdf-processes-pdfs" title="Permalink to this headline">¶</a></h2>
<p>OCRmyPDF must open and interpret your PDF in order to insert an OCR layer. First, it runs all PDFs through <a class="reference external" href="https://github.com/qpdf/qpdf">qpdf</a>, a program that repairs PDFs with syntax errors. This is done because, in the author’s experience, a significant number of PDFs in the wild especially those created by scanners are not well-formed files. qpdf makes it more likely that OCRmyPDF will succeed, but offers no security guarantees. qpdf is also used to split the PDF into single page PDFs.</p>
<p>After qpdf, OCRmyPDF examines each page using <a class="reference external" href="https://github.com/mstamy2/PyPDF2">PyPDF2</a>. This library also has no warranties or guarantees. OCRmyPDF works with qpdf 5.0 and up, but version 7.0 is recommended because of known security vulnerabilities in early versions.</p>
<p>Finally, OCRmyPDF rasterizes each page of the PDF using <a class="reference external" href="http://ghostscript.com/">Ghostscript</a> in <code class="docutils literal"><span class="pre">-dSAFER</span></code> mode.</p>
<p>Depending on the options specified, OCRmyPDF may graft the OCR layer into the existing PDF or it may essentially reconstruct (“re-fry”) a visually identical PDF that may be quite different at the binary level. That said, OCRmyPDF is not a tool designed for sanitizing PDFs.</p>
</div>
<div class="section" id="using-ocrmypdf-online-or-as-a-service">
<h2>Using OCRmyPDF online or as a service<a class="headerlink" href="#using-ocrmypdf-online-or-as-a-service" title="Permalink to this headline">¶</a></h2>
<p>OCRmyPDF should not be deployed as a public-facing service, such as a website where a potential attacker could upload a PDF of their choice for OCR. OCRmyPDF is not designed to be secure against PDF malware. Another concern is PDFs specifically designed to be a denial of service attack: PDFs can contain recursive data structures that sometimes send parsers into infinite loops, and issue complex graphics drawing commands.</p>
<p>Setting aside these concerns, a side effect of OCRmyPDF is it may incidentally sanitize PDFs that contain malware. It runs <code class="docutils literal"><span class="pre">qpdf</span></code> to repair the PDF, which could correct malformed PDF structures that are part of an attack. When PDF/A output is selected (the default), the input PDF is partially reconstructed by Ghostscript. When <code class="docutils literal"><span class="pre">--force-ocr</span></code> is used, all pages are rasterized and reconverted to PDF, which could remove malware in embedded images. No guarantees.</p>
<p>OCRmyPDF should be relatively safe to use in a trusted intranet, with some considerations:</p>
<div class="section" id="limiting-cpu-usage">
<h3>Limiting CPU usage<a class="headerlink" href="#limiting-cpu-usage" title="Permalink to this headline">¶</a></h3>
<p>OCRmyPDF will attempt to use all available CPUs and storage, so executing <code class="docutils literal"><span class="pre">nice</span> <span class="pre">ocrmypdf</span></code> or limiting the number of jobs with the <code class="docutils literal"><span class="pre">-j</span></code> argument may ensure the server remains available. Another option would be run OCRmyPDF jobs inside a Docker container, a virtual machine, or a cloud instance, which can impose its own limits on CPU usage and be terminated “from orbit” if it fails to complete.</p>
</div>
<div class="section" id="temporary-storage-requirements">
<h3>Temporary storage requirements<a class="headerlink" href="#temporary-storage-requirements" title="Permalink to this headline">¶</a></h3>
<p>OCRmyPDF will use a large amount of temporary storage for its work, proportional to the total number of pixels needed to rasterize the PDF. The raster image of a 8.5×11” color page at 300 DPI takes 25 MB uncompressed; OCRmyPDF saves its intermediates as PNG, but that still means it requires about 9 MB per intermediate based on average compression ratios. Multiple intermediates per page are also required, depending on the command line given. A rule of thumb would be to allow 100 MB of temporary storage per page in a file – meaning that a small cloud servers or small VM partitions should be provisioned with plenty of extra space, if say, a 500 page file might be sent.</p>
<p>To check temporary storage usage on actual files, run <code class="docutils literal"><span class="pre">ocrmypdf</span> <span class="pre">-k</span> <span class="pre">...</span></code> which will preserve and print the path to temporary storage when the job is done.</p>
<p>To change where temporary files are stored, change the <code class="docutils literal"><span class="pre">TMPDIR</span></code> environment variable for ocrmypdf’s environment. (Python’s <code class="docutils literal"><span class="pre">tempfile.gettempdir()</span></code> returns the root directory in which temporary files will be stored.) For example, one could redirect <code class="docutils literal"><span class="pre">TMPDIR</span></code> to a large RAM disk to avoid wear on HDD/SSD and potentially improve performance. On Amazon Web Services, <code class="docutils literal"><span class="pre">TMPDIR</span></code> can be set to <a class="reference external" href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html">empheral storage</a>.</p>
</div>
<div class="section" id="timeouts">
<h3>Timeouts<a class="headerlink" href="#timeouts" title="Permalink to this headline">¶</a></h3>
<p>To prevent excessively long OCR jobs consider setting <code class="docutils literal"><span class="pre">--tesseract-timeout</span></code> and/or <code class="docutils literal"><span class="pre">--skip-big</span></code> arguments. <code class="docutils literal"><span class="pre">--skip-big</span></code> is particularly helpful if your PDFs include documents such as reports on standard page sizes with large images attached - often large images are not worth OCR’ing anyway.</p>
</div>
<div class="section" id="commercial-alternatives">
<h3>Commercial alternatives<a class="headerlink" href="#commercial-alternatives" title="Permalink to this headline">¶</a></h3>
<p>The author also provides professional services that include OCR and building databases around PDFs, and is happy to provide consultation.</p>
<p>Abbyy Cloud OCR is a viable commercial alternative with a web services API.</p>
</div>
</div>
<div class="section" id="password-protection-digital-signatures-and-certification">
<h2>Password protection, digital signatures and certification<a class="headerlink" href="#password-protection-digital-signatures-and-certification" title="Permalink to this headline">¶</a></h2>
<p>Password protected PDFs usually have two passwords, and owner and user password. When the user password is set to empty, PDF readers will open the file automatically and marked it as “(SECURED)”. While not as reliable as a digital signature, this indicates that whoever set the password approved of the file at that time. When the user password is set, the document cannot be viewed without the password.</p>
<p>Either way, OCRmyPDF does not remove passwords from PDFs and exits with an error on encountering them.</p>
<p><code class="docutils literal"><span class="pre">qpdf</span></code>, one of OCRmyPDF’s dependencies, can remove passwords. If the owner and user password are set, a password is required for <code class="docutils literal"><span class="pre">qpdf</span></code>. If only the owner password is set, then the password can be stripped, even if one does not have the owner password.</p>
<p>After OCR is applied, password protection is not permitted on PDF/A documents but the file can be converted to regular PDF.</p>
<p>Many programs exist which are capable of inserting an image of someone’s signature. On its own, this offers no security guarantees. It is trivial to remove the signature image and apply it to other files. This practice offers no real security.</p>
<p>Important documents can be digitally signed and certified to attest to their authorship. OCRmyPDF cannot do this. Open source tools such as pdfbox (Java) have this capability as does Adobe Acrobat.</p>
</div>
</div>


           </div>
           <div class="articleComments">
            
           </div>
          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
        <a href="errors.html" class="btn btn-neutral float-right" title="Common error messages" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
      
      
        <a href="batch.html" class="btn btn-neutral" title="Batch processing" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <p>
        &copy; Copyright 2018, James R. Barlow. Licensed under Creative Commons Attribution-ShareAlike 4.0..

    </p>
  </div>
  Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. 

</footer>

        </div>
      </div>

    </section>

  </div>
  


  

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
            URL_ROOT:'./',
            VERSION:'6.1.2',
            COLLAPSE_INDEX:false,
            FILE_SUFFIX:'.html',
            HAS_SOURCE:  true,
            SOURCELINK_SUFFIX: '.txt'
        };
    </script>
      <script type="text/javascript" src="_static/jquery.js"></script>
      <script type="text/javascript" src="_static/underscore.js"></script>
      <script type="text/javascript" src="_static/doctools.js"></script>

  

  
  
    <script type="text/javascript" src="_static/js/theme.js"></script>
  

  
  
  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.StickyNav.enable();
      });
  </script>
   

</body>
</html>