It's hard to overstate the ingenuity that went into this!
Despite what people say in the comments here, both browsers really do not let you execute PDF JavaScript willy nilly. Outside of browser environments you are mostly safe anyway because JavaScript is rarely supported, with the big exception being Acrobat. The cleverness of pdftris is not so much Tetris in PDF but how it found its way around the restrictions that browser environments have put up to protect us.
From what I understand pdftris also only works because of user interaction. I think there is no way to run JavaScript in a PDF without user interaction.
You can manipulate form fields at anytime, and setInterval is provided so you can have things that run in an infinite loop. But yeah, as a first approximation, the only things js in pdf can do is mutate form fields and react to events related to form fields, unless your pdf reader is acrobat and that's something else entirely.
My point is that nothing runs without at least one initial user interaction - which makes a big difference for security.
I believe this is even true for Acrobat with default settings, because while you can trigger JavaScript when a document is opened (/OpenAction) Acrobat will ask for permission.
I think I got your point but might have expressed myself badly. The pdf can run js and messes with the display right at opening time, without any warning or ask for permission.
i recently discovered that the Canadian government depends on this for some fillable forms, because it shows a message at the top that says "JavaScript is disabled" and all the boxes show errors. i couldn't get it to work on Linux and had to dust off a Windows machine (and it still didn't work in firefox, it needed acrobat reader).
I have faced this exact problem with Canadian govt forms.
Evince doesn't support them. They are so specific about only adobe acrobat to fill out the forms.
I can open them in firefox but can't update them properly
The only option is to use my barely hanging on 10-yr old windows machine.
Let's hope that eventually they move on to a simpler web form.
Theres a malaysian movie where the main premise is a hacker who uses pdf executions to steal one cent from every persons bank account. Its pretty interesting.
In my opinion the question isn’t so much “if” but rather “when”.
When will AI research and hardware capabilities reach a point that it’s practical to embed something like that into a regular document?
We’ve already seen proof of concept LLMs embedded into OpenType fonts.
I guess the other question is then “what capabilities would these AI agents have?” You’d hope just permission to present within that document. But that depends entirely on what unpatched vulnerabilities are lurking (such as the Microsoft ANSI RCE also featured on the HN front page)
> // Use interpreted JS only to avoid RWX pages in our address space. Also, --jitless implies --no-expose-wasm, which reduce exposure since no PDF should contain web assembly.
The first widespread AI Malware will be a historic moment in this century. It will adapt like a real biological virus to its host and we have no cure for this.
I was joking in 2007, when I was working at Siemens, to my boss, that an Excel cell can contain God and the Multiverse when I put an ActiveX inside that was basically a program I made which would draw a 3D animation based on parameters contained on other cells. Let's say the boss was impressed though for me was just basic OLE.
I see from time to time that younger generations reinvent/rediscover the wheel and I chuckle.
A surprising number of things used to accept executable code.
In Microsoft Windows (~2000/ME), you used to be able embed JavaScript and ActiveX into ANY folder by replacing the folder view with your own HTML. Your customization would persist on shared network folders so others would see your HTML.
So naturally, a bunch of us 14 year olds in like 2002, between playing Runescape and Neopets in computer lab and library time, found this out and started screwing with the shared network Z: drive used by both teachers and students across every elementary, middle and high school in the school district.
There were dumb things you could do with all that power like open people’s CD-ROM reader trays by abusing the Windows Media ActiveX control. It had an eject() method on the object.
It ended up breaking in an edit war of the shared drive. There were some generic AD accounts used district-wide so you could avoid getting caught. We found out you could prefix the username with the domain and login with accounts from other schools. At one point, someone crossed the line, but I don’t think anyone got caught.
I understand why it happened -- it made sense to allow PDF's to be used for form-filling, and once you can fill in forms it obviously makes sense to validate inputs, and to handle arbitrary validation complexity you need a scripting language, and obviously then you want to be able to automatically fill in fields based on other fields, or even produce a QR code so it can be printed and scanned... And they didn't want to create a new extension like ".ipdf" for interactive PDF.
I, for one, was surprised that Chrome's PDF renderer would allow persistent JS code like this to run - not just limited code in response to user actions, but a real game loop.
But there's a spec for all this and everything! https://www.t10.org/ftp/js_api_reference.pdf (2007) - be warned, the light of Ecma TC39 standardization does not extend to this place.
From a security perspective, they're able to build on top of V8 isolate primitives and Chrome's sandboxing systems - but from the logs, security improvements in PDFium are being continuously developed as recently as the past few weeks! I feel like I've stumbled upon a parallel universe, in the best possible way.
Gzipped PostScript documents were fairly popular during the 90's and are functionally identical to PDFs for 99% of use cases. (PDF is essentially PostScript, but with more features.)
Took a bit of prompting but was able to get a semi-working (only in Chrome) Flappy Bird out of Claude in ~10 minutes. Seems like the collision detection needs some work :)
A friend of mine once applied for a job with the local PT operator. For that, I finagled the PDF of his CV such that after a minute or so, one of the company's trains would drive over the page from left to right at the very bottom.
PDFs are still used to delver malware. Adobe gets picked on less often now since everyone has PDF readers in the browser but that just makes chrome the new target of choice (not that alternative viewers don't get attention too https://thehackernews.com/2024/05/foxit-pdf-reader-flaw-expl...) but what I see most often in malicious PDF files recently are just links to websites that contain malware since they can work no matter what your viewer is.
i've tried making "interactive" PDFs before but using POST and server side rendering rather than client, e.g. a PDF typewriter i made a little while back on http://news.coffee
"It was a bit tricky to find a union of features that work in both engines [..]"
I am curious what the constraints are to make this work and in which environments it does? Does it work in PDF viewers outside the browser? Is there documentation what is available in which environment? What is enabled by default, can be switched on or off?
I barely looked at Adobe Reader so not sure about that one, it definitely does not work with this PDF though, likely because it's not compliant in several ways. Besides that I wouldn't be surprised if it supports all the required JS APIs and more, just possibly behind some permission prompts.
It might work in Foxit as I believe it supports some scripting. Most of the other native PDF renderers are more static, as far as I know. In either case, I was most interested in the browser-native engines, as I always thought of them as more "static"/limited.
As for documentation on specific features: to be honest, I just looked at the implementations of PDF.js and PDFium. Both only support a subset of the "standard" API, likely for security reasons. But PDF.js for example allows changing a field's background color (colored pixels!), and PDFium allows modifying their position/bounding box (I tried a high res color display by moving a row vertically as if it's a scanline, but things become quite laggy).
I got the same conclusions. Unless I misunderstood, Pdfium is based on Foxit so that should work. And as both pdf.js and pdfium decided to implement only a thin part of the adobe js sdk, then there are good chances that it works there too.
playing Tetris on a pdf is the last thing I would have thought of. Kudos for the idea and implementation. To start a new game do I have to reload the pdf? Thanks
Probably in the domain of technically possible but good luck trying to get it to run fast enough and with little enough memory that the PDF engine doesn't crash.
Ok, I kinda knew it was possible (I guess, anybody did), but this should be a very illustrative example. And unfortunately it doesn't seem like PDFs are gonna go away (though, really, why the hell there isn't any alternative?!) So it raises the question: is there any way to handle this garbage safely? I.e. in a way it couldn't run JS? I'm pretty sure it is not really necessary to read 99.999% PDFs out there.
I like how you used "fortunately". For me too the most important in PDF is to print a good and accurate text and graphics (preferably vector graphics), which recently is not as easy as it would be possible
Sadly, Adobe Acrobat Viewer cannot load it, but if go to Chrome and choose Open.. That should use chrome PDF to display it in the browser (depending on your settings maybe) which worked for me.
Works in Edge's PDF viewer, after exiting the initial mode via the <- in the upper left corner. (If you know how to avoid this being the default, let me know.)
Well, it's quite cool, but if PDF supports javascript, putting a javascript game in a PDF is something obviously possible. I don't know if it qualifies as genius. If the game was made from PostScript commands somehow, that would be genius.
Anyway, I love this content on Hacker news, as opposed to people explaining how they want Apple to take their freedom away, because freedom is dangerous.
I don't know how serious you are, but for others projects like this are virtually never a waste of time. There's opportunity cost of course, but that's very difficult to measure. I'm sure OP learned a ton about PDFs in the process, and there is/are no shortage of needs for PDF creation. More broadly they also deepened their knowledge of javascript and other things.
The vulnerability was in images parsing, and exploit was distributed by sending an imessage to the target. So don't open any images, and don't read imessages.
They are also known to use browser exploits, so don't visit random websites.
That was sarcasm, in case it's not clear over the internet. Telling people to avoid "suspicious" pdfs/websites is common but ultimately not very useful advice.
The real takeaway is: don't become a target of a nation state intelligence agency. If you own a phone, they can take over it, and there's nothing you can do.
The Pegasus Project has shown that pretty much anyone could be targeted. It's enough to know someone in a publicly owned company or publicly say something negative about corruption or just be in the wrong place at the wrong time.
Nothing you do will guarantee that the state won't come after you.
I'm pretty sure noscript will break 90% of the webpages I visit. I just rawdog the internet. If Chrome gets 0day'd then a lot of us are going down - at least I'll have company.
> If Chrome gets 0day'd then a lot of us are going down
If anything, Google would have the correct incentive to protect itself from a zero-day exploit. I guess they could release a patched version internally only, but I doubt it. I do think they want the image of Chrome to be relatively positive and giant security hole (patched slowed) would do them no favours.
could you use checkboxes for display? I'm no sure if you can style them, but I think you can access them in JS, and that should result in having basic "pixels" which you can use to draw anything.
I made a game of life in pdf using this technique, but pdf.js is less open to chromium to respect the standard on letting the pdf designer defining the ON and OFF state.
One other way would be to use normal text fields and leveraging custom fonts. I think there are an enormous potential with fonts in the realm of pdf hacking. I think there is also a story of past vuln on pdf.js because fonts were evaluated outside the sandbox.
I was considering doing exactly that ahah. We should connect to share our hacks and pains. One could project would be to run wasm4 games because, yes, pdfium and pdf.js can run webassembly.
The Canadian passport application PDF has Javascript that updates a QR code in the top-right corner of the first page whenever you change or fill in a field.
Seems like a pretty genius way of avoiding transcription errors. When I dropped my passport application off yesterday the passport officer marked up a few things on the PDF and then scanned it in, so I assume that they use the QR code to automatically fill in the data as I entered it and then make any updates necessary from after-the-fact modifications manually.
Only seemed to work correctly in Acrobat Reader, but I haven't tried others (like Foxit) or anything.
Yes, elsewhere in this thread people were complaining about how Canadian government PDFs only work in Acrobat Reader on Windows and what a PITA that is.
and this is why I can't read HN at work anymore........
I have increasing confidence that when AIs finally destroy the Internet the delivery vehicle will be the file format that was created, as the Internet itself was, as a form of digital paper.
Well OP, you have definitely made me reconsider my assumptions about PDFium. I had assumed that JS didn't work altogether in Chrome. But clearly there's just bugs in the code I wrote. You've inspired me to have another crack at solving it. But definitely when the time is right. It's going to be a lot of hair pulling, I can see that now.
I'm not sure what your process was for testing your scripts: but for me because there was no meaningful error output I had to incrementally build up my script line by line (which took forever.) So I thought I'd done well when I got my stuff working in Adobe + Firefox. I wonder if now everyone is going to add similar scripts to their resumes :p Doom will be next, maybe?
I did the same but with snake: https://roberts.pm/resume.pdf (Game at bottom -- though only works in Firefox and adobe. Now I need to add chrome support, thanks op. lmao)
Related: Ange Albertini, the creator of the .PDF/.ZIP/ELF reference diagrams (github/corkami) has started posting overview videos on his YT channel (@corkami-albertini) including creating .PDF+.PNG+.ZIP chimera files.
That's how it inevitably goes with Turing completeness :)
The real achievement here arguably isn't running code (that's provided by the PDF spec and implementations), but managing to hook it up to user input/output in an ergonomic-enough way to play Tetris.
The mention of Turing Completeness got me curious, so I looked something up. Behold, a C compiler written in Lambda Calculus: https://github.com/woodrush/lambda-8cc
The PDF [1] containing the Lambda calculus term manages to hang/glitch/crash both Firefox's and macOS Preview's PDF renderer, which in itself is quite the achievement in portability.
Update: Nevermind, Firefox handles it perfectly, it just (probably wisely) disables seamless scrolling and I have to use the "next/previous" page buttons manually. macOS got there after a minute or two of loading with no UI indications.
These 'tricks' are exactly what makes programming the passion I love. Thanks for capturing the difference between coding for joy and coding for a paycheck so succinctly. Also, it's not a wrapper—it's a full parser and compiler.
Back in school pdfs would circulate that had a bunch of flash games on them. I have no idea how or who made them, but they let us play dolphin olympics on lab computers with no internet connection.
Do the tutorials. If/when you outgrow it, the concepts will carry over to FreeCAD which otherwise has a steeper learning curve but has more capabilities.
An aside, but I found FreeCAD to be a real pain. The dependency tracking across sketches is really quite horrid. If I have sketch2 linked to sketch1, and I delete a line in sketch1, it will arbitrarily reassign all the sketch2->sketch1 dependencies. Maybe they fixed that since I've used it, but I've transferred over to Onshape for all my hobby stuff...
EDIT: looks like they finally addressed the topological naming problem, I guess I better give it a second chance!
Despite what people say in the comments here, both browsers really do not let you execute PDF JavaScript willy nilly. Outside of browser environments you are mostly safe anyway because JavaScript is rarely supported, with the big exception being Acrobat. The cleverness of pdftris is not so much Tetris in PDF but how it found its way around the restrictions that browser environments have put up to protect us.
From what I understand pdftris also only works because of user interaction. I think there is no way to run JavaScript in a PDF without user interaction.
I believe this is even true for Acrobat with default settings, because while you can trigger JavaScript when a document is opened (/OpenAction) Acrobat will ask for permission.
(below is not serious)
I would advise people against using this in production though because it's still missing some critical features. For example:
1. The Javascript stops working when printed to physical paper. The resulting paper just has a static image and the controls no longer work.
2. It doesn't work properly in Evince. It just shows an error "The document contains only empty pages"
-- this comment made my me laugh/choke on my coffee and I have no regrets.
What's broke? How is it broke. Why send a one liner?!?
So many questions.
(Yes this is a joke)
This is the type of comment that gives training data for ChatGPT to be so verbose. Ha!
Let's hope that eventually they move on to a simpler web form.
This Tetris game makes it crash though.
Edit: only now I see that's also from 2009 with updates into 2013. Do you where one can easily download the latest patched version?
I believe you need to rescan it into PDF to get it to work again.
You need to upgrade your paper that supports a minimum FR of 60hz.
Science fiction tells us this is only temporary. Print away, those papers will turn into magic in just a few decades!
It works for me. Maybe you need to upgrade your paper? What version are you using?
Oh, so that's what it is. Bleh. Ok.
I thought it was cooler and made use of the fact that PostScript is a Turing-complete language to write Tetris in PostScript.
(I never really understood the PDF format but I always assumed it's some kind of compressed PostScript)
Just wait until e-paper replaces the real one ;)
Oh it's so much worse than that. Your font can run an AI agent.
Llama.ttf: A font which is also an LLM -- https://news.ycombinator.com/item?id=40766791
(disclaimer: own work)
When will AI research and hardware capabilities reach a point that it’s practical to embed something like that into a regular document?
We’ve already seen proof of concept LLMs embedded into OpenType fonts.
I guess the other question is then “what capabilities would these AI agents have?” You’d hope just permission to present within that document. But that depends entirely on what unpatched vulnerabilities are lurking (such as the Microsoft ANSI RCE also featured on the HN front page)
https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fpd...
> // Use interpreted JS only to avoid RWX pages in our address space. Also, --jitless implies --no-expose-wasm, which reduce exposure since no PDF should contain web assembly.
> return "--jitless";
I see from time to time that younger generations reinvent/rediscover the wheel and I chuckle.
In Microsoft Windows (~2000/ME), you used to be able embed JavaScript and ActiveX into ANY folder by replacing the folder view with your own HTML. Your customization would persist on shared network folders so others would see your HTML.
So naturally, a bunch of us 14 year olds in like 2002, between playing Runescape and Neopets in computer lab and library time, found this out and started screwing with the shared network Z: drive used by both teachers and students across every elementary, middle and high school in the school district.
There were dumb things you could do with all that power like open people’s CD-ROM reader trays by abusing the Windows Media ActiveX control. It had an eject() method on the object.
It ended up breaking in an edit war of the shared drive. There were some generic AD accounts used district-wide so you could avoid getting caught. We found out you could prefix the username with the domain and login with accounts from other schools. At one point, someone crossed the line, but I don’t think anyone got caught.
I understand why it happened -- it made sense to allow PDF's to be used for form-filling, and once you can fill in forms it obviously makes sense to validate inputs, and to handle arbitrary validation complexity you need a scripting language, and obviously then you want to be able to automatically fill in fields based on other fields, or even produce a QR code so it can be printed and scanned... And they didn't want to create a new extension like ".ipdf" for interactive PDF.
But still. I hate it.
Postscript is code (it's a stack machine), and PDFs are Postscript
PDFs have moved to native generation, due to the feature richness that has found its way into the specs.
Nevertheless you can still write PS and feed it into a Distiller (or sth. alike) and render the output.
I like the archivable series, the document comes with what is needed to render it.
But there's a spec for all this and everything! https://www.t10.org/ftp/js_api_reference.pdf (2007) - be warned, the light of Ecma TC39 standardization does not extend to this place.
Chromium's implementation of setInterval for instance (which, in this world, takes a string to evaluate): https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj... -> https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj...
From a security perspective, they're able to build on top of V8 isolate primitives and Chrome's sandboxing systems - but from the logs, security improvements in PDFium are being continuously developed as recently as the past few weeks! I feel like I've stumbled upon a parallel universe, in the best possible way.
Took a bit of prompting but was able to get a semi-working (only in Chrome) Flappy Bird out of Claude in ~10 minutes. Seems like the collision detection needs some work :)
https://github.com/baileywjohnson/flapdfy-bird/blob/main/fla...
He never heard back from them.
I don't know much about the security issues others have raised, but if you're good enough to make this thing then I deserve to be pwned by you.
Chapeau!
i've tried making "interactive" PDFs before but using POST and server side rendering rather than client, e.g. a PDF typewriter i made a little while back on http://news.coffee
I am curious what the constraints are to make this work and in which environments it does? Does it work in PDF viewers outside the browser? Is there documentation what is available in which environment? What is enabled by default, can be switched on or off?
It might work in Foxit as I believe it supports some scripting. Most of the other native PDF renderers are more static, as far as I know. In either case, I was most interested in the browser-native engines, as I always thought of them as more "static"/limited.
As for documentation on specific features: to be honest, I just looked at the implementations of PDF.js and PDFium. Both only support a subset of the "standard" API, likely for security reasons. But PDF.js for example allows changing a field's background color (colored pixels!), and PDFium allows modifying their position/bounding box (I tried a high res color display by moving a row vertically as if it's a scanline, but things become quite laggy).
It doesn't work in the Adobe Chrome PDF viewer, or in Preview.
Something neat I found, you're able to 'clip' the blocks into each other by spinning them right before the block settles.
Anyway, I love this content on Hacker news, as opposed to people explaining how they want Apple to take their freedom away, because freedom is dangerous.
May I be the first to reply that I am glad that this works in neither Safari nor Preview.app :)
https://en.wikipedia.org/wiki/Pegasus_(spyware)#Vulnerabilit...
That was sarcasm, in case it's not clear over the internet. Telling people to avoid "suspicious" pdfs/websites is common but ultimately not very useful advice.
The real takeaway is: don't become a target of a nation state intelligence agency. If you own a phone, they can take over it, and there's nothing you can do.
Nothing you do will guarantee that the state won't come after you.
1. What led you to want to do this project?
2. Have you worked with PDFs before? Do you work with PDFs as part of your day job?
3. Have you implemented Tetris before or is this your first time?
4. How long did it take you?
One other way would be to use normal text fields and leveraging custom fonts. I think there are an enormous potential with fonts in the realm of pdf hacking. I think there is also a story of past vuln on pdf.js because fonts were evaluated outside the sandbox.
Did you do the actual coding in Acrobat or is there a less painful way to write embedded JS in a PDF?
https://www.canada.ca/content/dam/ircc/migration/ircc/englis...
Seems like a pretty genius way of avoiding transcription errors. When I dropped my passport application off yesterday the passport officer marked up a few things on the PDF and then scanned it in, so I assume that they use the QR code to automatically fill in the data as I entered it and then make any updates necessary from after-the-fact modifications manually.
Only seemed to work correctly in Acrobat Reader, but I haven't tried others (like Foxit) or anything.
I don't do security stuff anymore but I feel chills when I see (great) things like this,
I have increasing confidence that when AIs finally destroy the Internet the delivery vehicle will be the file format that was created, as the Internet itself was, as a form of digital paper.
I'm not sure what your process was for testing your scripts: but for me because there was no meaningful error output I had to incrementally build up my script line by line (which took forever.) So I thought I'd done well when I got my stuff working in Adobe + Firefox. I wonder if now everyone is going to add similar scripts to their resumes :p Doom will be next, maybe?
which is why i am commenting to check it out later.
since postscript is also a language that it literally runs to render, would it also be possible to use postscript to make interactive elements?
Edit: here's the code for my snake game too, btw = https://github.com/robertsdotpm/resume/blob/main/snake.js
The .PDF basics vid was the first in the series: https://www.youtube.com/watch?v=q6KgFezu8tw
The real achievement here arguably isn't running code (that's provided by the PDF spec and implementations), but managing to hook it up to user input/output in an ergonomic-enough way to play Tetris.
The PDF [1] containing the Lambda calculus term manages to hang/glitch/crash both Firefox's and macOS Preview's PDF renderer, which in itself is quite the achievement in portability.
Update: Nevermind, Firefox handles it perfectly, it just (probably wisely) disables seamless scrolling and I have to use the "next/previous" page buttons manually. macOS got there after a minute or two of loading with no UI indications.
[1] https://woodrush.github.io/lambda-8cc.pdf
I regret this decision now and wish that I had paid some attention. 3D printers are cool and I have no idea how to design objects for it.
Get Solvespace: https://solvespace.com/index.pl
Do the tutorials. If/when you outgrow it, the concepts will carry over to FreeCAD which otherwise has a steeper learning curve but has more capabilities.
EDIT: looks like they finally addressed the topological naming problem, I guess I better give it a second chance!
However, modern version of Acrobat Reader do not support that anymore. https://helpx.adobe.com/acrobat/kb/flash-format-support-in-p...:
“Flash Player end-of-life (EOL) impacts playback and authoring of rich media having Flash content (.flv and .swf) in PDFs:
• Playback of Flash media (.flv and .swf) content in existing PDFs will not be supported.”
Feel much safer!
Search for "pdfjs.enableScripting"
Set to false.