
CVE-2023-43115: Ghostscript IJS device SAFER bypass allowing path traversal and arbitrary command execution

5949b0ce-cde6-47e9-a6c9-741e86127841

In Ghostscript's gdevijs.c (ghostpdl-10.01.2), the IJS device handler fails to check the correct SAFER mode flag (path_control_active) in two key places:

  1. gsijs_initialize_device() has NO check for path_control_active, so a malicious PostScript document can switch to the IJS device via setpagedevice after SAFER has been activated.

  2. gsijs_put_params() guards the IjsServer parameter with dev->LockSafetyParams (a PostScript-level parameter that document code can change) instead of the C-level path_control_active flag.

The result: a crafted PostScript document can switch to the IJS device after SAFER is activated, potentially with a malicious IjsServer command. The IJS server is launched via sh -c server_cmd (in ijs/ijs_exec_unix.c lines 73-77), enabling arbitrary command execution. Additionally, when IjsUseOutputFD=false (default), the output file path (fname) is passed to the IJS server subprocess WITHOUT going through Ghostscript's SAFER-guarded gp_validate_path, allowing writes to arbitrary file paths (path traversal).
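The two checks above, modelled side by side as an added example. This is constructed illustration code, not Ghostscript's gdevijs.c: the struct, error codes, function names, the example server name "hpijs", and the permitted directory "/var/spool/gs" are assumptions, and output_path_permitted() is a simplified stand-in for a SAFER path check rather than gp_validate_path's real logic. The scenario is the state the report describes: SAFER active (path_control_active set) while the PostScript-visible LockSafetyParams is no longer set.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the checks described in the report; not Ghostscript code.
   Names mirror the report's identifiers so the logic can be compared with gdevijs.c. */

enum { IJS_OK = 0, IJS_ERR_INVALIDACCESS = -1, IJS_ERR_RANGECHECK = -2 };

typedef struct {
    bool path_control_active; /* C-level SAFER state, set by the interpreter at start-up */
    bool LockSafetyParams;    /* PostScript-visible parameter; document code can change it */
    char IjsServer[64];       /* command the IJS device runs via sh -c */
} ijs_device;

/* Shape of gsijs_initialize_device() as reported: no SAFER check at all. */
static int initialize_device_unchecked(ijs_device *dev) {
    (void)dev;
    return IJS_OK;
}

/* Hardened shape: refuse to bring the IJS device up once path control is active. */
static int initialize_device_checked(ijs_device *dev) {
    if (dev->path_control_active)
        return IJS_ERR_INVALIDACCESS;
    return IJS_OK;
}

/* Shape of the IjsServer guard in gsijs_put_params() as reported: keyed on
   LockSafetyParams, which is under the document's control. */
static int put_ijs_server_lock_only(ijs_device *dev, const char *server) {
    if (dev->LockSafetyParams)
        return IJS_ERR_INVALIDACCESS;
    if (strlen(server) >= sizeof dev->IjsServer)
        return IJS_ERR_RANGECHECK;
    memcpy(dev->IjsServer, server, strlen(server) + 1);
    return IJS_OK;
}

/* Hardened shape: keyed on the C-level flag, which document code cannot clear. */
static int put_ijs_server_path_control(ijs_device *dev, const char *server) {
    if (dev->path_control_active)
        return IJS_ERR_INVALIDACCESS;
    if (strlen(server) >= sizeof dev->IjsServer)
        return IJS_ERR_RANGECHECK;
    memcpy(dev->IjsServer, server, strlen(server) + 1);
    return IJS_OK;
}

/* Simplified stand-in (assumption, not gp_validate_path) for the output-path check
   that the report says fname skips when IjsUseOutputFD=false. Accepts only paths
   below permitted_dir (given without a trailing slash) with no ".." component. */
static bool output_path_permitted(const char *permitted_dir, const char *fname) {
    size_t n = strlen(permitted_dir);
    if (strncmp(fname, permitted_dir, n) != 0 || fname[n] != '/')
        return false; /* outside the directory, or a sibling such as "<dir>x" */
    for (const char *p = fname + n + 1; *p; ) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return false; /* ".." would escape permitted_dir */
        if (*p == '/')
            p++;
    }
    return true;
}

/* The point where the output name would be handed to the server subprocess:
   validate it first instead of passing it through unchecked. */
static int hand_output_path_to_server(const char *permitted_dir, const char *fname) {
    if (!output_path_permitted(permitted_dir, fname))
        return IJS_ERR_INVALIDACCESS;
    /* a real device would now pass fname to the IJS server */
    return IJS_OK;
}

int main(void) {
    /* Constructed scenario: SAFER active, LockSafetyParams no longer set. */
    ijs_device dev = { .path_control_active = true, .LockSafetyParams = false, .IjsServer = "" };

    printf("init   unchecked=%d checked=%d\n",
           initialize_device_unchecked(&dev), initialize_device_checked(&dev));
    printf("server lock-only=%d path-control=%d\n",
           put_ijs_server_lock_only(&dev, "hpijs"),
           put_ijs_server_path_control(&dev, "hpijs"));
    printf("path   ok=%d traversal=%d\n",
           hand_output_path_to_server("/var/spool/gs", "/var/spool/gs/page.pbm"),
           hand_output_path_to_server("/var/spool/gs", "/var/spool/gs/../../../etc/x"));
    return 0;
}
```

The two "unchecked" and "lock-only" functions return IJS_OK in the scenario, which is the bypass the report describes; the path_control_active variants return IJS_ERR_INVALIDACCESS because that flag lives in C state the document cannot touch. The same principle applies to the output path: whatever name reaches the subprocess must pass the SAFER path check first.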
