From: Brian Sweeney <bsweeney@aaas.org>
Date: Fri, 1 Dec 2023 13:09:24 -0500
Subject: Add basic protection against PHAR deserialization

This also includes an option to disable external file references. This applies to images and fonts. External file references are allowed by default, but a future version will disallow them by default.

Origin: upstream
Fixes: CVE-2023-50251, CVE-2023-50252
Bug-Debian: https://bugs.debian.org/1058641
---
 src/Svg/Document.php  |  2 ++
 src/Svg/Style.php     | 10 ++++++++++
 src/Svg/Tag/Image.php |  4 ++++
 3 files changed, 16 insertions(+)

diff --git a/src/Svg/Document.php b/src/Svg/Document.php
index 4de226e..309875b 100644
--- a/src/Svg/Document.php
+++ b/src/Svg/Document.php
@@ -53,6 +53,8 @@ class Document extends AbstractTag
     /** @var \Sabberworm\CSS\CSSList\Document[] */
     protected $styleSheets = array();
 
+    public $allowExternalReferences = true;
+
     public function loadFile($filename)
     {
         $this->filename = $filename;
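Review bot: The new `allowExternalReferences` property on L24 has no docblock, while the neighbouring `$styleSheets` property carries a `@var` annotation, and this flag is the switch that gates whether image and font references outside the document are honoured. A short annotation would tell integrators what it controls and that the default is expected to flip: `/** @var bool When false, image and font references that are not data: URIs are ignored; defaults to true for now, future versions will default to false. */`. Keeping the property untyped matches the surrounding file style, but `public bool $allowExternalReferences = true;` would be preferable if the project already requires PHP 7.4+; I cannot confirm that from this hunk.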
diff --git a/src/Svg/Style.php b/src/Svg/Style.php
index 14b11e9..514f546 100644
--- a/src/Svg/Style.php
+++ b/src/Svg/Style.php
@@ -139,6 +139,16 @@ class Style
                         break;
                     }
                 }
+
+                if (
+                    \array_key_exists("font-family", $styles)
+                    && (
+                        \strtolower(\substr($this->href, 0, 7)) === "phar://"
+                        || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
+                    )
+                ) {
+                    unset($style["font-family"]);
+                }
             }
         }
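Review bot: The guard on L39 checks `$styles` for a `font-family` key but L45 removes it from `$style`; the two names differ, so unless both arrays are meant to exist here, the key the check intends to strip may never be removed. The condition on L41-L42 also reads `$this->href`, but nothing in this hunk shows a `Style` object owning an `href` property; if it does not exist, `substr(null, 0, 7)` yields an empty string, the whole condition is always false, and no font reference is ever filtered, so please confirm which value (presumably the `@font-face` source URL) this was meant to inspect. The same scheme check appears in the Image.php hunk; if it is kept in both places, a small shared helper such as `isBlockedReference(string $href): bool` on `Document` would keep the two in step. The enclosing method starts and ends outside the hunk.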
 
diff --git a/src/Svg/Tag/Image.php b/src/Svg/Tag/Image.php
index bda17ea..8cbfccd 100644
--- a/src/Svg/Tag/Image.php
+++ b/src/Svg/Tag/Image.php
@@ -58,6 +58,10 @@ class Image extends AbstractTag
 
         $this->document->getSurface()->transform(1, 0, 0, -1, 0, $height);
 
+        if (\strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5) !== "data:"))) {
+            return;
+        }
+
         $this->document->getSurface()->drawImage($this->href, $this->x, $this->y, $this->width, $this->height);
     }
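Review bot: The `data:` test on L58 has a misplaced parenthesis: `\strtolower(\substr($this->href, 0, 5) !== "data:")` lowercases the boolean result of the comparison rather than the prefix, so the check is case-sensitive (a `DATA:` URI is treated as external) and would raise a TypeError under `strict_types`. The intended form, which also matches the Style.php hunk, is `\strtolower(\substr($this->href, 0, 5)) !== "data:"`. The early return also sits after the `transform()` call on L56; if the surrounding method pairs that transform with a restore after `drawImage()` (not visible here), moving the guard above the transform would keep the surface state balanced. The enclosing method starts outside the hunk.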
 
