Upgrade tcpdf html tag encryption

tecnickcom · Mar 21, 2024 · f9fd218 · f9fd218
1 parent 8389cec
commit f9fd218
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 8 deletions.
diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT
@@ -1,3 +1,6 @@
+6.7.4 (2024-03-21)
+	- Upgrade tcpdf tag encryption algorithm.
+
 6.7.3 (2024-03-20)
 	- Fix regression issue #699.
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-6.7.3
+6.7.4
diff --git a/composer.json b/composer.json
@@ -12,7 +12,7 @@
         "barcodes"
     ],
     "homepage": "http://www.tcpdf.org/",
-    "version": "6.7.3",
+    "version": "6.7.4",
     "license": "LGPL-3.0-or-later",
     "authors": [
         {

diff --git a/include/tcpdf_static.php b/include/tcpdf_static.php
@@ -55,7 +55,7 @@ class TCPDF_STATIC {
 	 * Current TCPDF version.
 	 * @private static
 	 */
-	private static $tcpdf_version = '6.7.3';
+	private static $tcpdf_version = '6.7.4';
 
 	/**
 	 * String alias for total number of pages.

diff --git a/tcpdf.php b/tcpdf.php
@@ -1,7 +1,7 @@
 <?php
 //============================================================+
 // File name   : tcpdf.php
-// Version     : 6.7.3
+// Version     : 6.7.4
 // Begin       : 2002-08-03
 // Last Update : 2024-03-18
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
@@ -128,7 +128,7 @@
  * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
  * @package com.tecnick.tcpdf
  * @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.7.3
+ * @version 6.7.4
  * @author Nicola Asuni - info@tecnick.com
  * @IgnoreAnnotation("protected")
  * @IgnoreAnnotation("public")
@@ -838,6 +838,13 @@ class TCPDF {
 	 */
 	protected $file_id;
 
+	/**
+	 * Internal secret used to encrypt data.
+	 * @protected
+	 * @since 6.7.4 (2024-03-21)
+	 */
+	protected $hash_key;
+
 	// --- bookmark ---
 
 	/**
@@ -1880,10 +1887,10 @@ public function __construct($orientation='P', $unit='mm', $format='A4', $unicode
 		// set file ID for trailer
 		$serformat = (is_array($format) ? json_encode($format) : $format);
 		$this->file_id = md5(TCPDF_STATIC::getRandomSeed('TCPDF'.$orientation.$unit.$serformat.$encoding));
+		$this->hash_key = hash_hmac('sha256', TCPDF_STATIC::getRandomSeed($this->file_id), TCPDF_STATIC::getRandomSeed('TCPDF'), false);
 		$this->font_obj_ids = array();
 		$this->page_obj_id = array();
 		$this->form_obj_id = array();
-
 		// set pdf/a mode
 		if ($pdfa != false) {
 			$this->pdfa_mode = true;
@@ -17217,6 +17224,16 @@ protected function getSpaceString() {
 		return $spacestr;
 	}
 
+	/**
+	 * Calculates the hash value of the given data.
+	 *
+	 * @param string $data The data to be hashed.
+	 * @return string The hashed value of the data.
+	 */
+	protected function hashTCPDFtag($data) {
+		return hash_hmac('sha256', $data, $this->hash_key, false);
+	}
+
 	/**
 	 * Serialize data to be used with TCPDF tag in HTML code.
 	 * @param string $method TCPDF method name
@@ -17227,7 +17244,7 @@ protected function getSpaceString() {
 	public function serializeTCPDFtag($method, $params=array()) {
 		$data = array('m' => $method, 'p' => $params);
 		$encoded = urlencode(json_encode($data));
-		$hash = password_hash($encoded.'+'.$this->file_id, PASSWORD_DEFAULT);
+		$hash = $this->hashTCPDFtag($encoded);
 		return strlen($hash).'+'.$hash.'+'.$encoded;
 	}
 
@@ -17242,7 +17259,7 @@ protected function unserializeTCPDFtag($data) {
 		$hlen = intval(substr($data, 0, $hpos));
 		$hash = substr($data, $hpos + 1, $hlen);
 		$encoded = substr($data, $hpos + 2 + $hlen);
-		if (!password_verify($encoded.'+'.$this->file_id, $hash)) {
+		if ($hash != $this->hashTCPDFtag($encoded)) {
 			$this->Error('Invalid parameters');
 		}
 		return json_decode(urldecode($encoded), true);