From 67329b95985b5e3d4c6be8477f6b64ddcbd8020e Mon Sep 17 00:00:00 2001 From: Erik Demaine Date: Wed, 10 Jul 2024 12:14:48 -0400 Subject: [PATCH] pdfjs security fix --- CHANGELOG.md | 4 ++++ client/MessagePDF.coffee | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9f55a5..9c633ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ To see every change with descriptions aimed at developers, see As a continuously updated web app, Coauthor uses dates instead of version numbers. +## 2024-07-10 + +* Security fix for pdfjs, fixing [vulnerability to malicious PDF](https://github.com/advisories/GHSA-wgrm-67xf-hhpq) + ## 2023-12-21 * You can now select and copy text from PDFs. diff --git a/client/MessagePDF.coffee b/client/MessagePDF.coffee index 27e216c..9911b2a 100644 --- a/client/MessagePDF.coffee +++ b/client/MessagePDF.coffee @@ -81,7 +81,9 @@ WrappedMessagePDF = React.memo ({file}) -> unless fileData? return setProgress 0 size = fileData.length - loader = pdfjs.getDocument urlToInternalFile file + loader = pdfjs.getDocument + url: urlToInternalFile file + isEvalSupported: false loader.onProgress = (data) -> setProgress Math.round 100 * data.loaded / size loader.promise.then (pdfLoaded) ->
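Review bot: The new `isEvalSupported: false` option passed to `pdfjs.getDocument` in client/MessagePDF.coffee has no comment, so nothing at the call site marks it as a security mitigation and a later cleanup could drop it; I would add `# Security: keep pdf.js eval-based code paths disabled (GHSA-wgrm-67xf-hhpq); do not remove unless pdfjs is upgraded to a release the advisory lists as patched` on the line above it. The diffstat lists only CHANGELOG.md and this file, so the pdfjs dependency itself appears to stay at its current version and the protection rests on this option alone. If the client calls `pdfjs.getDocument` anywhere else (not visible in this patch), that call needs the same option. The enclosing `WrappedMessagePDF` body starts and ends outside the hunk.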