-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Securing dompdf
The following is a list of options you have for securing your dompdf installation. Click through for more details and options related to each topic.
- Install dompdf to a location outside your website's document root
- Remove non-library code
- Restrict access to dompdf
- Disable embedded script support
Some of the files provided or generated by dompdf may expose your system to information disclosure, denial of service, and arbitrary code execution. Because the dompdf files do not need to be publicly accessible in order to make use of the library you should place them outside your website's document root.
Relevant to the first recommendation, a lot of the risk stems from non-library code. Non-library code includes the following files:
- dompdf.php
- load_font.php
- everything under www
Though the extras included with dompdf provide useful information and a way to get started quickly they are not required by dompdf during normal use.
Removing this code is not strictly necessary if you place dompdf outside the publicly accessible directories of your server. But to avoid the possibility of exploit we still recommend you remove these files.
If you place dompdf in a publicly accessible location you can still achieve some level of protection by restricting who has access to the files. There are two relatively common methods used to restrict access to files and/or paths:
- limiting the hosts and/or IP address allowed
- requiring a username and password
How you implement these restrictions is highly dependent on your system and beyond the scope of this document.
Restricting access is not as secure as making the dompdf files inaccessible. Systems implementing access restrictions may still be vulnerable to more targeted attacks that trick authorized users into clicking specially crafted links that exploit dompdf vulnerabilities.
Embedded script (or inline script) is simply PHP code that dompdf evaluates during the rendering process. This feature can expose your system to arbitrary code execution.
If you to use this functionality you can mitigate your risk by sanitizing user input or, preferably, replacing embedded script with calls to the class methods.
Sanitinzing user input can be difficult and a determined attacker can sometimes find a way around the protection. If you decide to go this route integrate an established library like HTML Purifier.
Instead of sanitizing user input we recommend using the class methods instead of embedded script. With the class method you can access the same functionality exposed through embedded script without the risk intrisic to enabling this functionality.
Class methods can be used after calling $dompdf->render() and before
calling $dompdf->stream() or $dompdf->output(). The class methods
give you access to the functionality exposed through the Canvas object.
As an example, consider adding text to every page in the document. With embedded script you could use the following HTML:
<html>
<body>
<script type="text/php">
if ( isset($pdf) ) {
$font = Font_Metrics::get_font("helvetica", "bold");
$pdf->page_text(72, 18, "Header: {PAGE_NUM} of {PAGE_COUNT}", $font, 6, array(0,0,0));
}
</script>
...
</body>
</html>
To do the same with the class methods you could use the following PHP:
$dompdf = new DOMPDF();
$domdpf->load_html($html);
$dompdf->render();
$font = Font_Metrics::get_font("helvetica", "bold");
$dompdf->get_canvas()->page_text(72, 18, "Header: {PAGE_NUM} of {PAGE_COUNT}", $font, 6, array(0,0,0));
$dompdf->stream();
There is one major limitation with the class methods. Because of the way dompdf renders documents you can not use objects to encapsulate varying content and place that content on all pages. The exception being page text and page scripts, which are rendered on all pages when the final PDF is compiled when the stream or output methods are called. Please see the usage documentation for more information.
| Vulnerability | Reference | Type | Severity |
|---|---|---|---|
| Arbitrary file read in dompdf using PHP stream filters | [CVE-2014-2383] | Information Disclosure | Medium |
| PHP remote file inclusion vulnerability in dompdf.php | [CVE-2010-4879] | Remote File Inclusion | Low; Critical (depending on configuration) |
| Information disclosure due to directory traversal | [yehg] | Information Disclosure | Medium |