Solutionunvalidated
passes the user-controlled IjsServer string directly to ijs_invoke_server (fork+exec) and forwards the OutputFile (ijsdev->fname) — Ghostscript's IJS device (devices/gdevijs.c, gsijs_open). Tension: with no gp_validate_path / SAFER check. Outcome: an attacker can supply ../ traversal or any absolute path.
38ba5c20-5d7a-450f-9e36-084788f70d34
passes the user-controlled IjsServer string directly to ijs_invoke_server (fork+exec) and forwards the OutputFile (ijsdev->fname) — Ghostscript's IJS device (devices/gdevijs.c, gsijs_open). Tension: with no gp_validate_path / SAFER check. Outcome: an attacker can supply ../ traversal or any absolute path.