Fix for security vulnerability: Using the phar:// wrapper it was poss…

…ible to trigger the unserialization of user provided data.
tecnickcom · Sep 14, 2018 · ac6e92f · ac6e92f
1 parent a3273af
commit ac6e92f
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 16 deletions.
diff --git a/composer.json b/composer.json
@@ -1,6 +1,6 @@
 {
   "name": "tecnickcom/tcpdf",
-  "version": "6.2.21",
+  "version": "6.2.22",
   "homepage": "http://www.tcpdf.org/",
   "type": "library",
   "description": "TCPDF is a PHP class for generating PDF documents and barcodes.",

diff --git a/include/tcpdf_images.php b/include/tcpdf_images.php
@@ -162,11 +162,7 @@ public static function _toJPEG($image, $quality, $tempfile) {
 	public static function _parsejpeg($file) {
 		// check if is a local file
 		if (!@TCPDF_STATIC::file_exists($file)) {
-			// try to encode spaces on filename
-			$tfile = str_replace(' ', '%20', $file);
-			if (@TCPDF_STATIC::file_exists($tfile)) {
-				$file = $tfile;
-			}
+			return false;
 		}
 		$a = getimagesize($file);
 		if (empty($a)) {

diff --git a/include/tcpdf_static.php b/include/tcpdf_static.php
@@ -55,7 +55,7 @@ class TCPDF_STATIC {
 	 * Current TCPDF version.
 	 * @private static
 	 */
-	private static $tcpdf_version = '6.2.21';
+	private static $tcpdf_version = '6.2.22';
 
 	/**
 	 * String alias for total number of pages.
@@ -1841,6 +1841,10 @@ public static function file_exists($filename) {
 				}
 			}
 		}
+		if (!@file_exists($filename)) {
+			// try to encode spaces on filename
+			$filename = str_replace(' ', '%20', $filename);
+		}
 		return @file_exists($filename);
 	}
 

diff --git a/tcpdf.php b/tcpdf.php
@@ -1,7 +1,7 @@
 <?php
 //============================================================+
 // File name   : tcpdf.php
-// Version     : 6.2.21
+// Version     : 6.2.22
 // Begin       : 2002-08-03
 // Last Update : 2018-09-14
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
@@ -104,7 +104,7 @@
  * Tools to encode your unicode fonts are on fonts/utils directory.</p>
  * @package com.tecnick.tcpdf
  * @author Nicola Asuni
- * @version 6.2.21
+ * @version 6.2.22
  */
 
 // TCPDF configuration
@@ -128,7 +128,7 @@
  * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
  * @package com.tecnick.tcpdf
  * @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.2.21
+ * @version 6.2.22
  * @author Nicola Asuni - info@tecnick.com
  * @IgnoreAnnotation("protected")
  * @IgnoreAnnotation("public")
@@ -6845,13 +6845,9 @@ public function Image($file, $x='', $y='', $w=0, $h=0, $type='', $link='', $alig
 				$file = substr($file, 1);
 				$exurl = $file;
 			}
-			// check if is a local file
+			// check if file exist and it is valid
 			if (!@TCPDF_STATIC::file_exists($file)) {
-				// try to encode spaces on filename
-				$tfile = str_replace(' ', '%20', $file);
-				if (@TCPDF_STATIC::file_exists($tfile)) {
-					$file = $tfile;
-				}
+				return false;
 			}
 			if (($imsize = @getimagesize($file)) === FALSE) {
 				if (in_array($file, $this->imagekeys)) {