1

We have a Java based web application deployed on WebLogic. We provide direct links to some PDF files, which the users can download/ open in their browser. Our security team is claiming that to allow opening PDF files in the browser is a security risk. So they want to force the users to download the PDF files first rather than opening them in the browser window.

  1. Is this really a security risk?

  2. If the PFD is a trogen/ vulnerable, how come downloading the file first and opening it could solve the problem?

  3. Is their a way to programmatically prevent the user from opening the PDF files in the browser window and to force downloading the PDF files first?

JIST
  • 1,139
  • 2
  • 8
  • 30
Fahim
  • 723
  • 1
  • 7
  • 11
  • 1
    Have you tried setting response content type as : response.setContentType("application/force-download"); http://stackoverflow.com/questions/6520231/how-to-force-browser-to-download-file – HRgiger Jul 27 '13 at 17:13
  • 1
    Thanx for the comment @HRgiger. The pdf files in the system are added by a CMS. This CMS places direct links to PDF. i.e. host:7001/contextroot/files/fileName.pdf. (Files are not written by an output stream.) So how can I set the content type. Writing a Servlet Filter would be a solution? – Fahim Jul 27 '13 at 19:13
  • Well I would give a shot:) – HRgiger Jul 28 '13 at 06:10
  • I'd expect downloading a PDF to be much more a security risk than opening it in the browser. – Tom Hawtin - tackline Jul 28 '13 at 08:12
  • 2> it doesn't prevent anything. An Adobe Reader vulnerability can be exploited in the browser or out. – Billy ONeal Jul 28 '13 at 17:45
  • Did you ask Q.2 to your security team? – Pradeep Pati Jul 29 '13 at 01:26

2 Answers2

1

To force the browser to give download option to the PDF :

response.setHeader ("Content-Disposition", "attachment;filename=\"" + filename + "\"");

Deepak N
  • 21
  • 2
0

Forcing the user to save a PDF file first and then open it is actually likely to be more risky than allowing it to be opened in the browser.

It's not better:

  • Any vulnerabilities in your PDF reader (probably Adobe Reader) will be triggered whether it is opened now or later.
  • Any decent virus scanner will be able to scan a PDF before it is opened, no matter if the pdf was downloaded to a temporary internet files folder, or some other user selected folder (e.g. downloads). (But if these are your PDF files, viruses probably aren't much of a concern.)

But it might be worse:

  • If the client is Firefox, then allowing the pdf to be opened directly will lead to PDF.js being used, which is likely to be more secure than Adobe Reader. In bypassing this client, you're exposing your users to greater risk.
  • You are conditioning users to download and open files from the internet. A minor point, but the more you can avoid this the better.
Community
  • 1
  • 1
Michael
  • 955
  • 4
  • 12