diff --git a/src/driver/gd.php b/src/driver/gd.php
index 70e5e108..3cad2040 100644
--- a/src/driver/gd.php
+++ b/src/driver/gd.php
@@ -1170,6 +1170,22 @@ public function renderToOutput()
      */
     public function render( $file )
     {
+        // Path traversal guard: resolve the destination directory and verify
+        // it exists and is reachable without escaping via '..' sequences.
+        if ( $file !== null )
+        {
+            if ( strpos( $file, "\0" ) !== false )
+            {
+                throw new ezcBaseValueException( 'file', $file, 'a valid filesystem path (no null bytes)' );
+            }
+            $dir = realpath( dirname( $file ) );
+            if ( $dir === false )
+            {
+                throw new ezcBaseFileNotFoundException( dirname( $file ), 'directory' );
+            }
+            $file = $dir . DIRECTORY_SEPARATOR . basename( $file );
+        }
+
         $destination = imagecreatetruecolor( $this->options->width, $this->options->height );
 
         // Default to a transparent white background
diff --git a/src/driver/svg.php b/src/driver/svg.php
index 34176932..5bc2d5b2 100644
--- a/src/driver/svg.php
+++ b/src/driver/svg.php
@@ -1266,12 +1266,25 @@ public function renderToOutput()
      */
     public function render( $file )
     {
+        // Path traversal guard: resolve the destination directory and verify
+        // it exists and is reachable without escaping via '..' sequences.
+        if ( strpos( $file, "\0" ) !== false )
+        {
+            throw new ezcBaseValueException( 'file', $file, 'a valid filesystem path (no null bytes)' );
+        }
+        $dir = realpath( dirname( $file ) );
+        if ( $dir === false )
+        {
+            throw new ezcBaseFileNotFoundException( dirname( $file ), 'directory' );
+        }
+        $safeFile = $dir . DIRECTORY_SEPARATOR . basename( $file );
+
         $this->createDocument();
         $this->drawAllTexts();
 
         // Embed used glyphs
         $this->font->addFontToDocument( $this->dom );
-        $this->dom->save( $file );
+        $this->dom->save( $safeFile );
     }
 
     /**
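Review bot: The new block in gd.php does not prevent traversal despite its comment: `realpath( dirname( $file ) )` canonicalises the target directory but never compares it against an allowed base, so a `$file` containing `..` still resolves to any existing directory the process can write to and rendering proceeds there. The null-byte check and the existence check are worth keeping, but the comment overstates them; either compare `$dir` against a configured base directory before building the path, or reword the comment to `// Normalise the destination: reject null bytes and require the target directory to exist. Callers remain responsible for confining $file to an allowed directory.` The identical block added to src/driver/svg.php has the same gap. Note also that `realpath()` only resolves the directory component, so if `basename( $file )` names an existing symlink the write will still follow it. The body of render() continues past the end of this hunk.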
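Review bot: The svg.php block omits the `if ( $file !== null )` wrapper that the gd driver's otherwise identical block has, so a null `$file` reaches `strpos( null, "\0" )` and `dirname( null )` here (a deprecation notice on PHP 8.1+) where gd skips the block entirely; if null was never a valid argument for this render() that is acceptable, but the two drivers should agree. Storing the result in `$safeFile` rather than reassigning `$file` as gd does is a second small inconsistency; pick one form for both drivers. The traversal point raised on the gd.php hunk applies here unchanged.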