Welcome to the Onshape forum! Ask questions and join in the discussions about everything Onshape.

First time visiting? Here are some places to start:
  1. Looking for a certain topic? Check out the categories filter or use Search (upper right).
  2. Need support? Ask a question to our Community Support category.
  3. Please submit support tickets for bugs but you can request improvements in the Product Feedback category.
  4. Be respectful, on topic and if you see a problem, Flag it.

If you would like to contact our Community Manager personally, feel free to send a private message or an email.

Rendering of PDFs in Onshape re-enabled

jakeramsleyjakeramsley Member, Moderator, Onshape Employees, Developers, csevp Posts: 661
edited March 5 in General
EDIT:

We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior below.



original:
As a result of recent activity, we are disabling rendering of PDFs inside of the product.  PDFs will now show as a file available for download when viewing inside of Onshape.  In order to view the PDF, users will have to download the file and open on their own system.  This is being done in order to protect the safety and security of our users.  It is strongly advised to only download files from sources that you trust.  It is strongly advised to only click on links from sources that you trust.

ex. PDFs will now appear in the product the same way other data types do, like STLs.



While we understand this is an inconvenience and disruptive to workflows, the safety and security of our users is of the utmost importance.

As a reminder:
* Only download files from sources that you trust
Only click on links from sources that you trust


Jake Ramsley

Director of Quality Engineering & Release Manager              onshape.com

Comments

  • shawn_crockershawn_crocker Member, OS Professional Posts: 865 PRO
    Is this for real? Where is this sudden thought of rendering PDF a security risk coming from? Have the customers been requesting this functionality to be removed?  I don't really rely on this as an implement into a workflow but there has got to be many that do.
  • shawn_crockershawn_crocker Member, OS Professional Posts: 865 PRO
    I see. I hadn't picked up on that there have been attempts on security breaches
  • shawn_crockershawn_crocker Member, OS Professional Posts: 865 PRO
    I don't really no the ins and outs of a Phishing attack. Just read a bit and I'm not certain how rendering PDF and phishing attack go together here. Has phishing hijacked some peoples pdfs and redirected them to a malicious site or something? I'm really just curious to know more about this issue.
  • fnxffnxf Member, User Group Leader Posts: 138 PRO
    @jakeramsley If a PDF is already in an Onshape document, how could that be a source I don't trust? Is there a CVE to this?
  • Jbohrer88Jbohrer88 Member, csevp Posts: 8 PRO
    edited March 4
    Is this a permanent change? Or will there be efforts to bring back this functionality in the near future?
    I don't know the specifics, but this seems like more of a security threat. At least before a fake, downloadable file with a .PDF would show like it is now, tipping someone off that it may not be a real pdf file. Now we have to download the file to see that.
  • john_mcclaryjohn_mcclary Member, Developers Posts: 3,935 PRO
    This f**ing sucks to put it mildly...

    Some users don't even get the option to download.
    even though they have export permission
  • Standard_BitsStandard_Bits Member Posts: 3 PRO
    this is rubbish, workers on the floor need to view the PDF , but we dont want them to download the document,
  • Theo_RTheo_R Member Posts: 81 PRO
    Quite frankly, this is unacceptable for us. We would happily contribute our time in finding an alternative or resolution with Onshape. If we can be of assistance in solving this, let us know.
  • robert_johnstonrobert_johnston Member Posts: 42 PRO
    This is a big issue for me, I keep reference PDF documents with the relevent parts. Needs to be fixed asap. Can you provide more information about how the phishing attempts are happening? Like the banks with security bulletin where they show screenshots of the scam websites and emails? Shows what people may need to look out for. 
  • kate_leipold_ritkate_leipold_rit Member Posts: 40 EDU
    We're using pdfs in the classroom for sharing design documentation and instructions with in an assignment!  This is a serious disruption. 😕
  • robert_johnstonrobert_johnston Member Posts: 42 PRO
    We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior outlined in the original post.

    We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.
    Great thanks, Appreciate it!
  • S1monS1mon Member Posts: 2,982 PRO
    We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior outlined in the original post.

    We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.
    This seems like a very reasonable compromise.

    Can you clarify anything else about why this was a security risk in the first place? Was the situation that someone would phish with a fake version of the Onshape site and a dangerous PDF which somehow exploited the browser? Or was the issue that the PDF viewer in Onshape is not secure enough to view malicious PDFs? I had assumed that the PDF viewing within Onshape was just leveraging the browser's PDF display technology.
  • Theo_RTheo_R Member Posts: 81 PRO
    Thank you Onshape team!
  • adrian_vlzkzadrian_vlzkz Member Posts: 266 PRO
    Outstanding! 
    Adrian V. | Onshape Ambassador
    CAD Engineering Manager
  • Urs_Egger_REACTUrs_Egger_REACT Member Posts: 93 PRO
    Hi, i wanted to linkshare a publication with product renderings (jpg) made in onshape. But jpg's are not rendered in the link-shared publication as well. Is this also affected by the pdf issue?
  • john_rousseaujohn_rousseau Member, Onshape Employees, Developers Posts: 392
    Yes, we have blocked rendering of all image types for anonymously shared documents. Is it possible to have your recipients sign up for a Free Onshape account? 

    We are not aware of any vulnerabilities in sharing JPEGs, so we are willing to revisit this decision for a few image file types. Please open a support ticket if this is blocking a workflow for you.
    John Rousseau / VP, Technical Operations / Onshape Inc.
  • chadstoltzfuschadstoltzfus Member, Developers, csevp Posts: 142 PRO
    Yes, we have blocked rendering of all image types for anonymously shared documents. Is it possible to have your recipients sign up for a Free Onshape account? 

    We are not aware of any vulnerabilities in sharing JPEGs, so we are willing to revisit this decision for a few image file types. Please open a support ticket if this is blocking a workflow for you.
    To my knowledge, this solution does not work if you have an Enterprise account, since the free Onshape account is on cad.onshape.com and not (your company domain).onshape.com. You could add them as guest/light users but that's a cost. Currently we are enabling link sharing and turning on exporting permissions but for more sensitive documents that will not be an option. 
    Applications Developer at Premier Custom Built
    chadstoltzfus@premiercb.com
  • john_allen289john_allen289 Member Posts: 38 PRO
    I've put a ticket into support for this.

    I don't understand why this applies to our Enterprise domain. I'm no expert, but the attack described above should not be repeatable from an Enterprise domain (unless we are hacked) as the Enterprise by design is natively not public and all anonymous link shares from our domain are under our control. I could turn them all off through our analytics right now if I wanted.

    This has seriously hampered our customer side collaboration and design reviews using Onshape for browser previewed Blob data alongside CAD data. The previewed Blob data is as important as the CAD data. If not more so in some cases.

    I get security is paramount and appreciate the intermediate improvement for signed in users, but we have customer Documents and Publication anonymous links with live customers right now on live projects, that do not have Export permissions, and have effectively just gone dark. This totally changes our design review workflow with Onshape and our customers.

    I look forward to Onshape having confidence to open this up again for Enterprise customers who are not on the cad.onshape.com domain.

  • james_chandler459james_chandler459 Member Posts: 2 PRO
    Is there a relationship between adobe and onshape? could there be a cloud connected solution with them?
  • aidan_cunningham762aidan_cunningham762 Member Posts: 4 EDU
    We've pushed a change to help restore critical workflows with PDFs.  PDF viewing has been restored for users that are signed in.  People who are viewing an Onshape document while not signed in will see the behavior outlined in the original post.

    We apologize for any inconvenience this may have caused but the security, safety, and privacy of our users are paramount.
    This has been implemented already, right? Does this feature exclude education accounts? When signed in, I am still not able to view PDFs. Should I open a support ticket to look into this further?
  • paolo_ciancipaolo_cianci Member Posts: 20 ✭✭
    The same, I am still not able to view PDFs
  • stg434stg434 Member Posts: 20 PRO
    The same, Iam still not able to view PDFs.
  • john_rousseaujohn_rousseau Member, Onshape Employees, Developers Posts: 392
    We've pushed an additional change that should restore PDF visibility for almost all users. This was the intent with the last change, but we didn't get it quite right. Our sincere apologies. Only documents owned by certain plans and shared via Link Sharing should have PDFs and other image types not display.
    John Rousseau / VP, Technical Operations / Onshape Inc.
Sign In or Register to comment.