Allow image stream whitelist to be customised

Resolves #991
mpdf · Mar 29, 2019 · b69be38 · b69be38
1 parent 95dce25
commit b69be38
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 2 deletions.
diff --git a/src/Config/ConfigVariables.php b/src/Config/ConfigVariables.php
@@ -295,6 +295,10 @@ public function __construct()
 			// Default dpi to output images if size not defined
 			// See also above "dpi"
 			'img_dpi' => 96,
+			// Specify whitelisted PHP streams to be used for images
+			// Useful to add custom streams like `s3`
+			// Note: for security reasons the `phar` stream cannot be used @see https://github.com/mpdf/mpdf/issues/949
+			'whitelistStreamWrappers' => ['http', 'https', 'file'],
 
 			// TEXT SPACING & JUSTIFICATION
 

diff --git a/src/Image/ImageProcessor.php b/src/Image/ImageProcessor.php
@@ -1438,8 +1438,9 @@ private function hasBlacklistedStreamWrapper($filename)
 	{
 		if (strpos($filename, '://') > 0) {
 			$wrappers = stream_get_wrappers();
+			$whitelistStreamWrappers = array_diff($this->mpdf->whitelistStreamWrappers, ['phar']); /* remove `phar` (security issue) */
 			foreach ($wrappers as $wrapper) {
-				if (in_array($wrapper, ['http', 'https', 'file'])) {
+				if (in_array($wrapper, $whitelistStreamWrappers)) {
 					continue;
 				}
 

diff --git a/src/Mpdf.php b/src/Mpdf.php
@@ -190,6 +190,7 @@ class Mpdf implements \Psr\Log\LoggerAwareInterface
 	var $allow_html_optional_endtags;
 
 	var $img_dpi;
+	var $whitelistStreamWrappers;
 
 	var $defaultheaderfontsize;
 	var $defaultheaderfontstyle;

diff --git a/tests/Mpdf/Image/ImageProcessorTest.php b/tests/Mpdf/Image/ImageProcessorTest.php
@@ -33,6 +33,7 @@ protected function setUp()
 		$mpdf->shouldIgnoreMissing();
 
 		$mpdf->img_dpi = 72;
+		$mpdf->whitelistStreamWrappers = ['http', 'file', 's3', 'phar'];
 		$mpdf->showImageErrors = true;
 		$mpdf->PDFAXwarnings = [];
 
@@ -82,7 +83,7 @@ public function dataProviderStreamBlacklist()
 
 		$wrappers = stream_get_wrappers();
 		foreach ($wrappers as $wrapper) {
-			if (in_array($wrapper, ['http', 'https', 'file'])) {
+			if (in_array($wrapper, ['http', 'file', 's3'])) {
 				$testData[] = [$wrapper . '://', '/does not exist on this mock object/'];
 			} else {
 				$testData[] = [$wrapper . '://', '/File contains an invalid stream./'];
@@ -92,3 +93,17 @@ public function dataProviderStreamBlacklist()
 		return $testData;
 	}
 }
+
+function stream_get_wrappers()
+{
+	return [
+		'php',
+		'file',
+		'http',
+		'ftp',
+		'https',
+		's3',
+		'phar',
+		'compress.bzip2'
+	];
+}