From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001

From: Ken Sharp <ken.sharp@artifex.com>

Date: Tue, 20 Aug 2019 10:10:28 +0100

Subject: make .forceput inaccessible

Bug #701343, #701344, #701345

More defensive programming. We don't want people to access .forecput

even though it is no longer sufficient to bypass SAFER. The exploit

in #701343 didn't work anyway because of earlier work to stop the error

handler being used, but nevertheless, prevent access to .forceput from

.setuserparams2.

diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps

index 4cc7f820f..0fd416465 100644

--- a/Resource/Init/gs_lev2.ps

+++ b/Resource/Init/gs_lev2.ps

@@ -158,7 +158,7 @@ end

     {

       pop pop

     } ifelse

-  } forall

+  } executeonly forall

         % A context switch might have occurred during the above loop,

         % causing the interpreter-level parameters to be reset.

         % Set them again to the new values.  From here on, we are safe,

@@ -229,9 +229,9 @@ end

        { pop pop

        }

       ifelse

-    }

+    } executeonly

    forall pop

-} .bind odef

+} .bind executeonly odef

 % Initialize the passwords.

 % NOTE: the names StartJobPassword and SystemParamsPassword are known to

diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps

index c158a8faf..422e66e1a 100644

--- a/Resource/Init/gs_pdfwr.ps

+++ b/Resource/Init/gs_pdfwr.ps

@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef

           systemdict /.pdf_hooked_DSC_Creator //true .forceput

         } executeonly if

         pop

-      } if

+      } executeonly if

     } {

       pop

     } ifelse

-  }

+  } executeonly

   {

     pop

   } ifelse