Open Bug 1978985 Opened 7 months ago Updated 3 months ago

PDF.js does not enforce PRINT restrictions when permissions are enabled, can be used to strip other restrictions

Categories

(Firefox :: PDF Viewer, defect, P1)

Product:
Firefox
Component:
PDF Viewer
Version:
Firefox 140
Type:
defect

Tracking

()

Status:
REOPENED
Milestone:
143 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 143+ fixed
firefox141 --- wontfix
firefox142 --- wontfix
firefox143 --- fixed
firefox144 --- fixed

People

(Reporter: hariomsingh0398, Assigned: calixte, NeedInfo)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main143-][adv-esr140.3-])

Attachments

(5 files)

Detailed Explanation Firefox Print to PDF Issue.pdf
720.55 KB, application/pdf
Details
[mozilla/pdf.js] Disable printing when enablePermission is true and the pdf isn't allowed to be printed (bug 1978985) (#20129)
44 bytes, text/x-github-pull-request
Details | Review
Bug 1978985 - Disable printing when enablePermission is true and the pdf isn't allowed to be printed
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr140+
Details | Review
Bug 1978985 - Disable printing when enablePermission is true and the pdf isn't allowed to be printed
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
screenshot.png
167.14 KB, image/png
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Firefox for Android

Steps to reproduce:

  1. Create a Password Protected PDF file with all permissions disabled โ€” particularly:
    Printing (both low and high resolution)
    Content copying
    Modifying
    Annotations
    Accessibility extraction

  2. Open this PDF using Firefox (which uses the integrated PDF.js viewer).
    Enter the user password to view the document.
    Press Ctrl + P (Print).
    Select "Microsoft Print to PDF" as the printer.
    Save the file.

Actual results:

The newly saved PDF is fully unlocked:
You can print it.
You can copy text.
You can edit or annotate it using PDF editors.
All original restrictions (DRM) are completely removed.
This means PDF.js bypasses protection mechanisms meant to limit user actions like printing or extracting content. It directly violates author-specified usage permissions and has serious implications for confidential and rights-managed documents.

Expected results:

Firefox should respect the PDF's permission settings and:
Prevent access to the Ctrl + P (print) functionality if print is disabled.
At a minimum, warn the user that printing/exporting is not allowed.
The output file should retain original permission flags if saved/exported.

Other browsers like Chrome, Edge, and Brave correctly prevent printing when the PDF printing permission is disabled.

I reviewed the relevant source code in PDF.js:
The permission check is handled in https://github.com/mozilla/pdf.js/blob/master/web/pdf_viewer.js
Upon checking the source code in the repository, the file web/pdf_viewer.js contains a function #initializePermissions() that handles some permission flags like COPY, MODIFY_CONTENTS, and MODIFY_ANNOTATIONS, but does not handle the PRINT permission flag.

Why would Firefox want to be complicit in restricting what users can do with PDF content? (Don't mind me, just trying to get the bug to the right folks. Maybe this is a bug rather than intentional)

Component: Untriaged → PDF Viewer
Flags: needinfo?(cdenizet)

This may be a duplicate of bug 792816 where by default Firefox does not respect PDF DRM, but there is a pdfjs.enablePermissions pref that can be enabled (primarily so enterprise policies can enable enforcement). A decade later some folks might be reconsidering this stance (see bug 1823372)

But before we rush off and make this a dupe, your last comment said you could find where we honored some permissions but not the PRINT permission. Did you try it? I don't have a restricted PDF handy and telling me to create one requires me to go get software I don't have. Between entering the password and printing did you try copying, modifying, or annotating and were prevented? Or was printing allowed simply because no permissions were respected?

That is, if you

  1. open the page about:config
  2. change the value of pdfjs.enablePermissions to true
  3. perform your steps...

Was copying blocked but you could still print? Or did we respect the printing permission?

Flags: needinfo?(hariomsingh0398)
See Also: → 1823372

Hello Sir, I have attached a report that will make you understand what I what to highlight.

Flags: needinfo?(hariomsingh0398)

In the attached document HariHacks confirms:

In my case, I explicitly enabled pdfjs.enablePermissions = true and confirmed that some permissions like COPY and MODIFY are enforced โ€” but PRINT is still not respected.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-mitigation-bypass, sec-low
Summary: Firefox allows password-protected PDFs with restricted permissions (printing, copying, modification) to be bypassed using "Print to PDF" in Firefox's internal viewer (PDF.js), effectively stripping protection. → PDF.js does not enforce PRINT restrictions when permissions are enabled, can be used to strip other restrictions
Assignee: nobody → cdenizet
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(cdenizet)
Priority: -- → P1

Adding bounty request per reporter's mail.

Flags: sec-bounty?
Depends on: 1983548
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch

Did you want to nominate this for Beta & ESR140 uplift?

Group: firefox-core-security → core-security-release
status-firefox142: affectedwontfix
status-firefox144: --- → fixed
Flags: needinfo?(cdenizet)

Yes, I believe this issue could affect enterprise environments that rely on PDF permission enforcement. Iโ€™d like to nominate it for Beta and ESRย 140ย uplift.

[Tracking Requested - why for this release]:
This seems like the kind of feature enterprises would want, so we should add to ESR-140

tracking-firefox-esr140: --- → ?

This is a hidden off-by-default feature so this does not qualify for our bug bounty

Flags: sec-bounty? → sec-bounty-
Group: core-security-release
Attachment #9510321 - Flags: approval-mozilla-esr140?

firefox-esr140 Uplift Approval Request

  • User impact if declined: Some user could print an unprintable pdf whatever their company policy is
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: See comment 0
  • Risk associated with taking this patch: low
  • Explanation of risk level: Sef-contained and small change
  • String changes made/needed: no
  • Is Android affected?: yes
Flags: qe-verify+
Attachment #9510329 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: Some user could print an unprintable pdf whatever their company policy is
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: See comment 0
  • Risk associated with taking this patch: low
  • Explanation of risk level: Self-contained and small change
  • String changes made/needed: No
  • Is Android affected?: yes
Flags: needinfo?(cdenizet)
Attachment #9510329 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9510321 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
No longer depends on: 1982249
No longer depends on: 1983432
Depends on: 1982249
Target Milestone: 144 Branch → 143 Branch
QA Whiteboard: [uplift][qa-ver-needed-c144/b143]
QA Contact: mchiorean

Issue still reproduces on Win11x64 using Firefox builds: 144.0a1(20250902210651) and 143.0b7(20250901090535). With pref "pdfjs.enablePermissions" set to true, Ctrl+P still opens and user can save the password pdf, although print option is not displayed on screen and on print preview document is cut (as in the attached screenshot). Also I used this tool to set printing and password.
Reopening issue.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached image screenshot.png โ€”

The patch seems to be only modifying the toolbar buttons.

There's already to handle printing being turned off for the entire browser. Can it be reused for this?

https://searchfox.org/firefox-main/source/toolkit/components/pdfjs/content/PdfStreamConverter.sys.mjs#448

The patch is removing the printing button but it disables the printing itself.
Here in using CTRL+P, it's just printing the content of the page as a "normal" webpage which explains why the toolbar is shown on the screenshot.
Anyway, only the visible pages of the pdf could be print with the UI around, which is more or less equivalent to screenshoting the pdf.
So if you've a pdf with 10 pages, you've to print, scroll, print, ... and the result will have a part of the UI, so the overall result isn't really great and again it isn't worse than making screenshots.

I was aware of this issue, since Rob pointed it while reviewing the patch, I'll write a follow-up asap in order to completely disable printing.

Whiteboard: [adv-main143-][adv-esr140.3-]

Hi Calixte, I would like to know weather the patch has been implemented or not, and kindly let me know if a CVE is getting assigned to this security issue.

Expecting an update from you at the earliest.

Thanks.

Flags: needinfo?(cdenizet)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: