Generate the PDF, and the flag appears.
Use a whitelist of allowed domains, disable "follow redirects" in the PDF engine, and ensure the service runs with minimal permissions and cannot access the file:// scheme.
→ Unsafe concatenation.
Once you have a shell as the www-data user, the goal is root access.