security: prevent blind ssrf in pdf generation
Issue: one could set the src attribute of an img tag to anything they
want and the pdf generation will happily GET it. This means that one can
do arbitrary HTTP GET requests from the server itself. This doesn't work
in the browser context because of the restrictive CSP policy, which is
not applied during the pdf generation.

This is a MINOR vulnerability as other security measures in the PHP
configuration prevent prospective escalation.

The vulnerability was reported by @mgrRaf and @xoffense. Thanks to them
for responsible disclosure. A bounty has been awarded.
NicolasCARPi committed Jun 11, 2021
1 parent 9d6d1d0 commit 3d2db4d
Showing 1 changed file with 6 additions and 2 deletions.
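The commit message above describes the root cause: any URL placed in an `img src` is fetched by the server during PDF rendering, because the browser's CSP does not apply there. As an added illustration that is not code from elabftw or from this commit, the PHP below shows an allowlist-based alternative to a regex denylist: it parses the rendered HTML into a DOM and removes the `src` of every `<img>` whose URL the renderer would have to fetch over the network, so attribute order, quoting style and whitespace around `=` do not matter. `isAllowedImageSource`, `stripRemoteImageSources` and the sample HTML are hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the commit: strip every <img> source that a
// server-side PDF renderer would have to fetch over the network, working on
// the parsed DOM so attribute order, quoting and whitespace do not matter.
// Function names are hypothetical; the sample HTML below is constructed.

/**
 * Decide whether an img src may be left in place.
 * Allowed: data: URIs (embedded, nothing is fetched) and scheme-less
 * relative paths, which the renderer resolves against its own base.
 * Refused: protocol-relative //host paths and any explicit scheme
 * (http:, https:, ftp:, file:, php:, ...).
 */
function isAllowedImageSource(string $src): bool
{
    $src = ltrim($src);
    if (preg_match('/^data:/i', $src) === 1) {
        return true;
    }
    if (strpos($src, '//') === 0) {
        return false;
    }
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    if (preg_match('/^[a-z][a-z0-9+.-]*:/i', $src) === 1) {
        return false;
    }
    return true;
}

/**
 * Remove the src attribute from every <img> that is not allowed and
 * return the sanitized HTML fragment.
 */
function stripRemoteImageSources(string $html): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // HTML5 tags unknown to libxml only produce warnings
    $dom->loadHTML(
        '<?xml encoding="UTF-8"><div id="wrap">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    $xpath = new DOMXPath($dom);
    foreach ($xpath->query('//img[@src]') as $img) {
        /** @var DOMElement $img */
        if (!isAllowedImageSource($img->getAttribute('src'))) {
            $img->removeAttribute('src');
            // leave a visible hint in the PDF instead of silently dropping the image
            $img->setAttribute('alt', 'remote image removed');
        }
    }

    // Serialize only the children of the wrapper div
    $wrap = $xpath->query('//div[@id="wrap"]')->item(0);
    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed sample: the same remote host written in ways a denylist regex misses
$sample = '<p>report</p>'
    . '<img src="https://example.invalid/a.png">'
    . '<img alt="" src=\'HTTP://example.invalid/b.png\'>'
    . '<img SRC = "//example.invalid/c.png">'
    . '<img src="data:image/png;base64,iVBORw0KGgo=">'
    . '<img src="uploads/local.png">';

echo stripRemoteImageSources($sample), PHP_EOL;
```

In the sample, the first three `<img>` elements lose their `src` and the `data:` and relative ones are kept. Like the commit's own filter, this leaves relative paths to the renderer; whatever base path the PDF library resolves them against still needs to be restricted to the upload directory.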
8 changes: 6 additions & 2 deletions src/services/MakePdf.php
Expand Up @@ -137,7 +137,11 @@ public function getContent(): string
'useCjk' => $this->Entity->Users->userData['cjk_fonts'],
);

return $this->getTwig(Config::getConfig())->render('pdf.html', $renderArr);
$html = $this->getTwig(Config::getConfig())->render('pdf.html', $renderArr);

// now remove any img src pointing to outside world
// prevent blind ssrf (thwarted by CSP on webpage, but not in pdf)
return preg_replace('/img src=("|\')(ht|f|)tp/i', 'nope', $html);
}

/**
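Review bot: the denylist regex in `return preg_replace('/img src=("|\')(ht|f|)tp/i', 'nope', $html);` only matches the literal sequence `img src=` followed by a quote, so an `<img>` whose `src` is not the first attribute, has whitespace around `=`, or is unquoted is left untouched and will still be fetched by the renderer; it also rewrites `img src="ht` to `nope`, leaving a malformed `<nope...` tag in the markup rather than a clean image-less element. Since `$html` is already a finished string here, consider parsing it (DOMDocument) and removing the `src` attribute of any `img` whose value has a scheme other than `data:` or begins with `//`, which is an allowlist and independent of attribute order and quoting. Minor: `(ht|f|)tp` has an empty alternative, so it also matches a bare `tp`, which reads like a typo for `(ht|f)tp`.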
Expand Down Expand Up @@ -218,7 +222,7 @@ public function tex2svg(Mpdf $mpdf, string $content): string
$contentDecode = html_entity_decode($content, ENT_HTML5, 'UTF-8');
file_put_contents($filename, $contentDecode);

// apsolute path to tex2svg app
// absolute path to tex2svg app
$appDir = dirname(__DIR__, 2) . '/src/node';

// convert tex to svg with mathjax nodejs script
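Review bot: the only change in this hunk is the comment spelling fix `apsolute` to `absolute` on the line above `$appDir`; it has no functional effect and is unrelated to the SSRF fix, so it would be easier to audit as a separate commit or at least mentioned in the commit message.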