Backport pull request #5694 from jellyfin-web/release-10.9.z

Disable eval support in pdfjs Original-merge: 4bb0c67340 Merged-by: thornbill <thornbill@users.noreply.github.com> Backported-by: Joshua M. Boniface <joshua@boniface.me>
2025-03-30 19:56:21 +00:00 · 2024-06-23 11:42:26 -04:00 · 2024-06-23 11:42:26 -04:00 · 2cbc9e4abf
commit 2cbc9e4abf
parent 85b0697a19
1 changed files with 6 additions and 1 deletions
--- a/src/plugins/pdfPlayer/plugin.js
+++ b/src/plugins/pdfPlayer/plugin.js
@ -207,7 +207,12 @@ export class PdfPlayer {
            this.bindEvents();
            GlobalWorkerOptions.workerSrc = appRouter.baseUrl() + '/libraries/pdf.worker.js';

-            const downloadTask = getDocument(downloadHref);
+            const downloadTask = getDocument({
+                url: downloadHref,
+                // Disable for PDF.js XSS vulnerability
+                // https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
+                isEvalSupported: false
+            });
            return downloadTask.promise.then(book => {
                if (this.cancellationToken) return;
                this.book = book;