New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Information disclosure vulnerability in version 0.8.5 and earlier #2152
Comments
We'll review the information you provided and get back to you. |
Hey @bsweeney, is there any update with this? 🙂 |
Not yet but we are looking at it for the next release. Life is ... hectic ... right now. |
The parsing logic has been updated with extra security. The adapter class and the bundled CPDF library are excluded because the parsing logic intermediates calls to those classes. A user should only have access to the CPDF class/adapter if they can execute PHP directly, in which case the extra security we've added is pointless. |
@keksa thanks for bringing this issue to our attention. I have a few more things to look at related to resource handling, but the changes currently posted in PR #2215 should address your concerns. If you have time please take a look. I'll update this ticket with details on the issue once the 0.8.6 release is ready. |
@bsweeney I can confirm this fixes the issue with our usecase, thank you. |
This is a serious problem, but why did you break backward compatibility? You've broken a lot of your clients' code. Why was it impossible to add deprecation warnings and break backward compatibility at least in the minor version? |
@peter-gribanov this has been brought up elsewhere. This was an oversight on my part and I apologize. We will try to do better in the future. |
@bsweeney I have extended the documentation so that it is easier for users to spot their issues with this restriction: https://github.com/dompdf/dompdf/wiki/Usage#security-restrictions-for-local-files I hope this will help. |
Thanks for that @Naitsirch! I'm still hoping to build out a bit more documentation around the issue and any help is appreciated. |
Three further things may help:
|
There is a chroot option, which should prevent dompdf from accessing files outside of configured root. However this option affects only the check for initial load of HTML in the "loadHtmlFile" method.
I can use the file protocol to load images (and stylesheets) outside of configured root without problems. For example
<img src="file:///usr/lib/node_modules/npm/node_modules/qrcode-terminal/example/basic.png">
will load and display the image in generated PDF even though chroot is set to/usr/src/myapp/vendor/dompdf/dompdf
.This is a problem for us, because we allow (authenticated) users to configure their own PDF templates (for example for invoices). Meaning if someone inputs an image with a file protocol URL, they can access images that don't belong to them.
The text was updated successfully, but these errors were encountered: