From 400dbd6f8b667ba59a2e363b14bd5868e7321d67 Mon Sep 17 00:00:00 2001
From: bsweeney
Date: Thu, 6 Feb 2014 19:15:33 -0800
Subject: [PATCH 1/2] Updating php-font-lib to 0.2.2

---
 lib/php-font-lib | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/php-font-lib b/lib/php-font-lib
index be508091a..c30c7fc00 160000
--- a/lib/php-font-lib
+++ b/lib/php-font-lib
@@ -1 +1 @@
-Subproject commit be508091a99bdc1ba3b05e32a268e824a69b0d6c
+Subproject commit c30c7fc00a6b0d863e9bb4c5d5dd015298b2dc82

From 23a693993299e669306929e3d49a4a1f7b3fb028 Mon Sep 17 00:00:00 2001
From: bsweeney
Date: Mon, 10 Mar 2014 18:57:58 -0700
Subject: [PATCH 2/2] Remove pre-processing of PHP code, disallow I/O streams as file input

---
 dompdf.php | 4 ++++
 include/dompdf.cls.php | 7 -------
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/dompdf.php b/dompdf.php
index e7c0a4e11..a9052fa46 100755
--- a/dompdf.php
+++ b/dompdf.php
@@ -227,6 +227,10 @@ function getoptions() {
 }
 }
+ if($file_parts['protocol'] === 'php://') {
+ throw new DOMPDF_Exception("Permission denied on $file. This script does not allow PHP streams.");
+ }
+
 $outfile = "dompdf_out.pdf"; # Don't allow them to set the output file
 $save_file = false; # Don't save the file
diff --git a/include/dompdf.cls.php b/include/dompdf.cls.php
index a5658cb08..1be1f8284 100644
--- a/include/dompdf.cls.php
+++ b/include/dompdf.cls.php
@@ -580,13 +580,6 @@ function load_html($str, $encoding = null) {
 $str = substr($str, 3);
 }
- // Parse embedded php, first-pass
- if ( $this->get_option("enable_php") ) {
- ob_start();
- eval("?" . ">$str");
- $str = ob_get_clean();
- }
-
 // if the document contains non utf-8 with a utf-8 meta tag chars and was
 // detected as utf-8 by mbstring, problems could happen.
 // http://devzone.zend.com/article/8855
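Review bot: The new guard in the dompdf.php hunk compares `$file_parts['protocol']` to exactly `'php://'`, so it is a single-entry denylist: a scheme spelled in a different case, a `$file_parts` array with no `protocol` key at all (which only raises a notice and then passes), and any other non-file stream wrapper all get through unchanged. Since the commit message says the intent is to "disallow I/O streams as file input", normalising the value and then allowing only the protocols this CLI is meant to read would express that intent more fully than naming one wrapper to block; as a minimum, `$protocol = isset($file_parts['protocol']) ? strtolower($file_parts['protocol']) : '';` followed by `if ($protocol === 'php://') {` makes the existing check robust to case and to a missing key. Where `$file_parts` is populated, and whether `$file` has already been resolved at this point, is outside the hunk; `getoptions()` both starts and ends outside it. The later removal of the `enable_php` eval block in dompdf.cls.php needs no further change.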