fix: enhance PDF viewer security by removing file param and communicating via postMessage

Author: papphelix

lms/djangoapps/staticbook/views.py

@@ -81,30 +81,17 @@ def pdf_index(request, course_id, book_index, chapter=None, page=None):
     course = get_course_with_access(request.user, 'load', course_key)
     staff_access = bool(has_access(request.user, 'staff', course))
 
-    # Security: Check if file parameter contains external URL or dangerous schemes and reject it
-    file_param = request.GET.get('file', '')
-    if file_param:
-        # Block external URLs
-        if file_param.startswith(('http://', 'https://')):
-            raise Http404("External URLs are not allowed in file parameter")
-        # Block dangerous URL schemes (XSS vectors)
-        if file_param.lower().startswith(('javascript:', 'data:', 'vbscript:', 'file:')):
-            raise Http404("Dangerous URL scheme detected in file parameter")
-
     book_index = int(book_index)
     if book_index < 0 or book_index >= len(course.pdf_textbooks):
         raise Http404(f"Invalid book index value: {book_index}")
     textbook = course.pdf_textbooks[book_index]
 
-    viewer_params = ''
+    viewer_params = '#zoom=page-fit&disableRange=true'
     current_url = ''
 
     if 'url' in textbook:
         textbook['url'] = remap_static_url(textbook['url'], course)
         current_url = textbook['url']
-        if not current_url.startswith(('http://', 'https://')):
-            viewer_params = '&file='
-            viewer_params += current_url
 
     # then remap all the chapter URLs as well, if they are provided.
     current_chapter = None
@@ -120,9 +107,6 @@ def pdf_index(request, course_id, book_index, chapter=None, page=None):
             current_chapter = textbook['chapters'][0]
 
         current_url = current_chapter['url']
-        if not current_url.startswith(('http://', 'https://')):
-            viewer_params = '&file='
-            viewer_params += current_url
 
     viewer_params += '#zoom=page-fit&disableRange=true'
     if page is not None:

lms/templates/pdf_viewer.html

@@ -1,5 +1,5 @@
 <%page expression_filter="h"/>
-<!DOCTYPE html>
+<!DOCTYPE html>
 <%namespace name='static' file='static_content.html'/>
 <%!
 from openedx.core.djangolib.js_utils import (
@@ -46,10 +46,41 @@
         PDFJS.workerSrc = "${static.url('js/vendor/pdfjs/pdf.worker.js') | n, js_escaped_string}";
         PDFJS.disableWorker = true;
         PDFJS.cMapUrl = "${static.url('css/vendor/pdfjs/cmaps/') | n, js_escaped_string}";
-        PDF_URL = '${current_url | n, js_escaped_string}';
+
+        var PDF_URL = '${current_url | n, js_escaped_string}';
+
+        if (window.parent !== window) {
+          window.parent.postMessage({type: 'request_pdf_url'}, '*');
+
+          function handlePdfUrlResponse(event) {
+            if (event.data && event.data.type === 'pdf_url_response') {
+              PDF_URL = event.data.url;
+
+              if (PDFViewerApplication.open) {
+                PDFViewerApplication.open(PDF_URL);
+                PDFViewerApplication.mouseScroll(0);
+
+                setTimeout(function() {
+                  if (PDFViewerApplication.pdfDocument && PDFViewerApplication.pdfDocument.documentInfo) {
+                    var info = PDFViewerApplication.pdfDocument.documentInfo;
+                    if (event.data.title) info.Title = event.data.title;
+                    if (event.data.author) info.Author = event.data.author;
+                    if (event.data.subject) info.Subject = event.data.subject;
+                    if (event.data.keywords) info.Keywords = event.data.keywords;
+                    info.Creator = 'edX Platform';
+                  }
+                }, 500);
+              }
+            } else if (event.data && event.data.type === 'chapter_change') {
+              window.parent.postMessage({type: 'request_pdf_url'}, '*');
+            }
+          }
+
+          window.addEventListener('message', handlePdfUrlResponse);
+        }
     </script>
 
-    <script ${static.url('js/vendor/pdfjs/debugger.js')}></script>
+    <script type="text/javascript" src="${static.url('js/vendor/pdfjs/debugger.js')}"></script>
 
     <%static:js group='main_vendor'/>
     <%static:js group='application'/>
@@ -347,77 +378,77 @@
 
     </div> <!-- outerContainer -->
     <div id="printContainer"></div>
-<div id="mozPrintCallback-shim" hidden>
-  <style scoped>
-#mozPrintCallback-shim {
-  position: fixed;
-  top: 0;
-  left: 0;
-  height: 100%;
-  width: 100%;
-  z-index: 9999999;
-
-  display: block;
-  text-align: center;
-  background-color: rgba(0, 0, 0, 0.5);
-}
-#mozPrintCallback-shim[hidden] {
-  display: none;
-}
-@media print {
-  #mozPrintCallback-shim {
-    display: none;
-  }
-}
-
-#mozPrintCallback-shim .mozPrintCallback-dialog-box {
-  display: inline-block;
-  margin: -50px auto 0;
-  position: relative;
-  top: 45%;
-  left: 0;
-  min-width: 220px;
-  max-width: 400px;
-
-  padding: 9px;
-
-  border: 1px solid hsla(0, 0%, 0%, .5);
-  border-radius: 2px;
-  box-shadow: 0 1px 4px rgba(0, 0, 0, 0.3);
-
-  background-color: #474747;
-
-  color: hsl(0, 0%, 85%);
-  font-size: 16px;
-  line-height: 20px;
-}
-#mozPrintCallback-shim .progress-row {
-  clear: both;
-  padding: 1em 0;
-}
-#mozPrintCallback-shim progress {
-  width: 100%;
-}
-#mozPrintCallback-shim .relative-progress {
-  clear: both;
-  float: right;
-}
-#mozPrintCallback-shim .progress-actions {
-  clear: both;
-}
-  </style>
-  <div class="mozPrintCallback-dialog-box">
-    <!-- TODO: Localise the following strings -->
-    Preparing document for printing...
-    <div class="progress-row">
-      <progress value="0" max="100"></progress>
-      <span class="relative-progress">0%</span>
-    </div>
-    <div class="progress-actions">
-      <input type="button" value="Cancel" class="mozPrintCallback-cancel">
+    <div id="mozPrintCallback-shim" hidden>
+      <style scoped>
+        #mozPrintCallback-shim {
+          position: fixed;
+          top: 0;
+          left: 0;
+          height: 100%;
+          width: 100%;
+          z-index: 9999999;
+
+          display: block;
+          text-align: center;
+          background-color: rgba(0, 0, 0, 0.5);
+        }
+        #mozPrintCallback-shim[hidden] {
+          display: none;
+        }
+        @media print {
+          #mozPrintCallback-shim {
+            display: none;
+          }
+        }
+
+        #mozPrintCallback-shim .mozPrintCallback-dialog-box {
+          display: inline-block;
+          margin: -50px auto 0;
+          position: relative;
+          top: 45%;
+          left: 0;
+          min-width: 220px;
+          max-width: 400px;
+
+          padding: 9px;
+
+          border: 1px solid hsla(0, 0%, 0%, .5);
+          border-radius: 2px;
+          box-shadow: 0 1px 4px rgba(0, 0, 0, 0.3);
+
+          background-color: #474747;
+
+          color: hsl(0, 0%, 85%);
+          font-size: 16px;
+          line-height: 20px;
+        }
+        #mozPrintCallback-shim .progress-row {
+          clear: both;
+          padding: 1em 0;
+        }
+        #mozPrintCallback-shim progress {
+          width: 100%;
+        }
+        #mozPrintCallback-shim .relative-progress {
+          clear: both;
+          float: right;
+        }
+        #mozPrintCallback-shim .progress-actions {
+          clear: both;
+        }
+      </style>
+      <div class="mozPrintCallback-dialog-box">
+        <!-- TODO: Localise the following strings -->
+        Preparing document for printing...
+        <div class="progress-row">
+          <progress value="0" max="100"></progress>
+          <span class="relative-progress">0%</span>
+        </div>
+        <div class="progress-actions">
+          <input type="button" value="Cancel" class="mozPrintCallback-cancel">
+        </div>
+      </div>
     </div>
-  </div>
-</div>
     <script type="text/javascript" src="${static.url('js/vendor/pdfjs/viewer.js')}"></script>
     <script type="text/javascript" src="${static.url('js/pdf-analytics.js')}"></script>
   </body>

lms/templates/static_pdfbook.html

@@ -19,79 +19,63 @@
 <%include file="/courseware/course_navigation.html" args="active_page='pdftextbook/{0}'.format(book_index)" />
 <script>
 $(function(){
-  function sanitizeUrl(url) {
-    var temp = $('<div>').text(url).html();
-    if (/^(javascript|data|vbscript|file):/i.test(temp)) {
-      return '';
-    }
-    // Check for external URLs
-    if (temp.startsWith('http://') || temp.startsWith('https://')) {
-      return '';
-    }
-    return temp;
-  }
+  var currentChapterUrl = null;
+  var currentChapterTitle = null;
 
-  function isDangerousSrc(src) {
-    if (!src) return false;
-    // Check for dangerous protocols
-    if (/^(javascript|data|vbscript|file):/i.test(src)) {
-      return true;
-    }
-    // Check if file parameter contains dangerous content
-    try {
-      var url = new URL(src, window.location.origin);
-      var fileParam = url.searchParams.get('file');
-      if (fileParam) {
-        if (/^(javascript|data|vbscript|file|http:\/\/|https:\/\/)/i.test(fileParam)) {
-          return true;
-        }
+  // Handle PDF URL requests from iframe (PostMessage API requires 'message' event type)
+  function handlePdfUrlRequest(event) {
+    // Verify this is a PDF URL request from our iframe
+    if (event.data && event.data.type === 'request_pdf_url') {
+      if (currentChapterUrl) {
+        // Send the selected chapter URL back to the PDF viewer iframe
+        event.source.postMessage({
+          type: 'pdf_url_response',
+          url: currentChapterUrl,
+          title: currentChapterTitle || '',
+          author: 'edX Course',
+          subject: 'Course Material',
+          keywords: 'education,textbook,course'
+        }, '*');
       }
-    } catch (e) {
-      return true;
     }
-    return false;
   }
 
-  // Security: Monitor iframe src changes to prevent XSS via inspect element
-  var iframe = $('#viewer-frame')[0];
-  if (iframe) {
-    var observer = new MutationObserver(function(mutations) {
-      mutations.forEach(function(mutation) {
-        if (mutation.type === 'attributes' && mutation.attributeName === 'src') {
-          var currentSrc = iframe.getAttribute('src');
-          if (isDangerousSrc(currentSrc)) {
-            iframe.setAttribute('src', '');
-          }
-        }
-      });
-    });
-
-    observer.observe(iframe, {
-      attributes: true,
-      attributeFilter: ['src']
-    });
-
-    // Also validate initial src
-    var initialSrc = iframe.getAttribute('src');
-    if (isDangerousSrc(initialSrc)) {
-      iframe.setAttribute('src', '');
-    }
-  }
+  // Listen for PostMessage communication from PDF viewer iframe
+  window.addEventListener('message', handlePdfUrlRequest);
 
   $('.chapter').click(function(e){
     e.preventDefault();
-    var url = sanitizeUrl($(this).attr('rel'));
-    if (!url) {
+    var $this = $(this);
+    var url = $this.attr('rel');
+    var chapterTitle = $this.text();
+
+    // Store the current chapter URL for postMessage
+    currentChapterUrl = url;
+    currentChapterTitle = chapterTitle;
+
+    if ($('#viewer-frame').attr('src').length !== 0) {
+      $('#viewer-frame')[0].contentWindow.postMessage({type: 'chapter_change'}, '*');
+      Logger.log("textbook.pdf.chapter.navigated", {
+        "name": "textbook.pdf.chapter.navigated",
+        "chapter": url,
+        "chapter_title": chapterTitle
+      });
       return;
     }
-    var title = $('<div>').text($(this).text()).html();
+
+    // Load iframe without file parameter - secure approach (first time only)
     $('#viewer-frame').attr({
-        'src': '${request.path | n, js_escaped_string}?viewer=true&file=' + encodeURIComponent(url) + '#zoom=page-fit&disableRange=true',
-        'title': title
-        });
+      'src': '${request.path | n, js_escaped_string}?viewer=true#zoom=page-fit&disableRange=true',
+      'title': chapterTitle
+    });
     $('#viewer-frame').focus();
-    Logger.log("textbook.pdf.chapter.navigated", {"name": "textbook.pdf.chapter.navigated", "chapter": url, "chapter_title": title});
+
+    Logger.log("textbook.pdf.chapter.navigated", {
+      "name": "textbook.pdf.chapter.navigated",
+      "chapter": url,
+      "chapter_title": chapterTitle
     });
+  });
 });
 </script>