Remove pre-processing of PHP code, disallow I/O streams as file input
Showing 2 changed files with 4 additions and 7 deletions.
6 comments on commit 23a6939
The removal of the pre-processing of PHP code is causing me issues:
Is there a workaround for my issue?
What the pre-processing did was eval() the document/string prior to import into dompdf. We want to move away from that kind of functionality, which is secondary to the main purpose of dompdf, in order to limit the potential attack surface.

How are you using dompdf? Based on the call stack it looks like you are using the class. If you need to pre-process your code you can just add a step to eval() your code prior to passing it to dompdf. If that's not possible, you can add the removed code back in to dompdf.cls.php, it shouldn't affect anything otherwise.
Thanks @bsweeney for your quick reply
I'd like to get away from having that code if you've removed it from the master branch of dompdf.
I'm a bit unsure how to eval() my code prior to passing it to dompdf. I use this at the bottom of my PHP file which I convert to a PDF using dompdf:
And I use this to run/call dompdf:
The inline script will still run, but as you've seen your code that generates the inline script will have to be modified. Since you're not doing anything with page numbering in that code you could just as easily re-write it using a fixed-position element. Replace your inline script with something like the following:
If that doesn't work for you the easiest fix would be to run the string generation as part of the inline script. That would only work if the variables are available globally.
(You'll have to check that code ... I didn't).
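An added example, not code from the thread or from dompdf itself, of the approach described above: the application renders its own HTML (with values escaped) and passes dompdf plain markup, and a position:fixed element replaces the inline script that used to generate the footer. It assumes the dompdf 0.6 bootstrap file dompdf_config.inc.php and the load_html()/render()/stream() API of that release; the sample values are constructed.

```php
<?php
// Added example (not from the thread). Since dompdf no longer eval()s the
// input document, the application builds the HTML string itself and dompdf
// only parses markup: nothing inside the document is executed as PHP.
require_once 'dompdf_config.inc.php';   // dompdf 0.6 bootstrap (assumed path)

/**
 * Build the report HTML from already-computed values.
 * Every value is escaped before it reaches the markup; the footer is a
 * position:fixed element, which dompdf repeats on each rendered page.
 */
function build_report_html($title, $body_text, $footer_text)
{
    $esc = function ($s) {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    $title  = $esc($title);
    $body   = $esc($body_text);
    $footer = $esc($footer_text);

    return <<<HTML
<html><head><style>
  @page { margin: 72pt 54pt 90pt 54pt; }          /* room for the footer */
  #footer { position: fixed; bottom: -60pt; left: 0; right: 0;
            height: 40pt; text-align: center; font-size: 9pt; }
</style></head><body>
  <div id="footer">{$footer}</div>
  <h1>{$title}</h1>
  <p>{$body}</p>
</body></html>
HTML;
}

// Constructed sample data; in a real application these come from the app's own logic.
$html = build_report_html(
    'Quarterly report',
    'Figures <b>not</b> yet audited.',          // markup in data is neutralised by escaping
    'Generated ' . date('Y-m-d')
);

$dompdf = new DOMPDF();
$dompdf->load_html($html);          // plain HTML/CSS only; no PHP left to evaluate
$dompdf->set_paper('letter', 'portrait');
$dompdf->render();
$dompdf->stream('report.pdf');
```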
Thanks again @bsweeney
I ended up just changing my call to be this:
That's an easy way around the issue. Glad you were able to come to a quick resolution.