Description: Hotfix based on 0.6.2
 This patch fixes:
 * CVE-2014-2383
 * CVE-2014-5011
 * CVE-2014-5012
 * CVE-2014-5013
 .
 The patch bundles code changes from 0.6.2
Author: Brian Sweeney <bsweeney@eclecticgeek.com>
Origin: upstream
Applied-Upstream: 0.6.2
Reviewed-by: Markus Frosch <lazyfrosch@debian.org>
Last-Update: 2016-02-27
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/dompdf.php
+++ b/dompdf.php
@@ -130,6 +130,8 @@
 $sapi = php_sapi_name();
 $options = array();
 
+$dompdf = new DOMPDF();
+
 switch ( $sapi ) {
 
  case "cli":
@@ -169,7 +171,7 @@
     if ( $file === "-" )
       $outfile = "dompdf_out.pdf";
     else
-      $outfile = str_ireplace(array(".html", ".htm", ".php"), "", $file) . ".pdf";
+      $outfile = str_ireplace(array(".html", ".htm"), "", $file) . ".pdf";
   }
 
   if ( isset($opts["v"]) )
@@ -194,6 +196,8 @@
 
  default:
 
+  $dompdf->set_option('enable_php', false);
+  
   if ( isset($_GET["input_file"]) )
     $file = rawurldecode($_GET["input_file"]);
   else
@@ -220,26 +224,12 @@
   
   $file_parts = explode_url($file);
   
-  /* Check to see if the input file is local and, if so, that the base path falls within that specified by DOMDPF_CHROOT */
-  if(($file_parts['protocol'] == '' || $file_parts['protocol'] === 'file://')) {
-    $file = realpath($file);
-    if ( strpos($file, DOMPDF_CHROOT) !== 0 ) {
-      throw new DOMPDF_Exception("Permission denied on $file. The file could not be found under the directory specified by DOMPDF_CHROOT.");
-    }
-  }
-  
-  if($file_parts['protocol'] === 'php://') {
-    throw new DOMPDF_Exception("Permission denied on $file. This script does not allow PHP streams.");
-  }
-  
   $outfile = "dompdf_out.pdf"; # Don't allow them to set the output file
   $save_file = false; # Don't save the file
   
   break;
 }
 
-$dompdf = new DOMPDF();
-
 if ( $file === "-" ) {
   $str = "";
   while ( !feof(STDIN) )
--- a/dompdf_config.custom.inc.php
+++ b/dompdf_config.custom.inc.php
@@ -1,6 +1,7 @@
-<?php 
+<?php
+// Please refer to dompdf_config.inc.php for details on each configuration option.
+
 //define("DOMPDF_TEMP_DIR", "/tmp");
-//define("DOMPDF_CHROOT", DOMPDF_DIR);
 //define("DOMPDF_FONT_DIR", DOMPDF_DIR."/lib/fonts/");
 //define("DOMPDF_FONT_CACHE", DOMPDF_DIR."/lib/fonts/");
 //define("DOMPDF_UNICODE_ENABLED", true);
@@ -9,8 +10,6 @@
 //define("DOMPDF_DEFAULT_PAPER_SIZE", "letter");
 //define("DOMPDF_DEFAULT_FONT", "serif");
 //define("DOMPDF_DPI", 72);
-//define("DOMPDF_ENABLE_PHP", true);
-//define("DOMPDF_ENABLE_REMOTE", true);
 //define("DOMPDF_ENABLE_CSS_FLOAT", true);
 //define("DOMPDF_ENABLE_JAVASCRIPT", false);
 //define("DEBUGPNG", true);
@@ -26,6 +25,17 @@
 //define("DOMPDF_ENABLE_HTML5PARSER", true);
 //define("DOMPDF_ENABLE_FONTSUBSETTING", true);
 
-// DOMPDF authentication
+// Authentication for the dompdf/www
 //define("DOMPDF_ADMIN_USERNAME", "user");
-//define("DOMPDF_ADMIN_PASSWORD", "password");
\ No newline at end of file
+//define("DOMPDF_ADMIN_PASSWORD", "password");
+
+/**
+ * Attention!
+ * The following settings may increase the risk of system exploit.
+ * Do not change these settings without understanding the consequences.
+ * Additional documentation is available on the dompdf wiki at:
+ * https://github.com/dompdf/dompdf/wiki
+ */
+//define("DOMPDF_CHROOT", DOMPDF_DIR);
+//define("DOMPDF_ENABLE_PHP", false);
+//define("DOMPDF_ENABLE_REMOTE", false);
--- a/include/abstract_renderer.cls.php
+++ b/include/abstract_renderer.cls.php
@@ -100,7 +100,7 @@
     //Therefore read dimension directly from file, instead of creating gd object first.
     //$img_w = imagesx($src); $img_h = imagesy($src);
 
-    list($img_w, $img_h) = dompdf_getimagesize($img);
+    list($img_w, $img_h) = dompdf_getimagesize($img, $this->_dompdf->get_http_context());
     if (!isset($img_w) || $img_w == 0 || !isset($img_h) || $img_h == 0) {
       return;
     }
--- a/include/cpdf_adapter.cls.php
+++ b/include/cpdf_adapter.cls.php
@@ -604,7 +604,7 @@
   }
 
   function image($img, $x, $y, $w, $h, $resolution = "normal") {
-    list($width, $height, $type) = dompdf_getimagesize($img);
+    list($width, $height, $type) = dompdf_getimagesize($img, $this->_dompdf->get_http_context());
     
     $debug_png = $this->_dompdf->get_option("debug_png");
 
--- a/include/dompdf.cls.php
+++ b/include/dompdf.cls.php
@@ -184,6 +184,25 @@
    * @var bool
    */
   private $_quirksmode = false;
+  
+  /**
+   * Protocol whitelist
+   *
+   * Protocols and PHP wrappers allowed in URLs. Full support is not 
+   * guarantee for the protocols/wrappers contained in this array.
+   *
+   * @var array
+   */
+  private $_allowed_protocols = array(null, "", "file://", "http://", "https://");
+  
+  /**
+   * Local file extension whitelist
+   *
+   * File extensions supported by dompdf for local files.
+   *
+   * @var array
+   */
+  private $_allowed_local_file_extensions = array("htm", "html");
 
   /**
    * The list of built-in fonts
@@ -474,6 +493,10 @@
       list($this->_protocol, $this->_base_host, $this->_base_path) = explode_url($file);
     }
 
+    if ( !in_array($this->_protocol, $this->_allowed_protocols) ) {
+      throw new DOMPDF_Exception("Permission denied on $file. The communication protocol is not supported.");
+    }
+    
     if ( !$this->get_option("enable_remote") && ($this->_protocol != "" && $this->_protocol !== "file://" ) ) {
       throw new DOMPDF_Exception("Remote file requested, but DOMPDF_ENABLE_REMOTE is false.");
     }
@@ -482,23 +505,24 @@
 
       // Get the full path to $file, returns false if the file doesn't exist
       $realfile = realpath($file);
-      if ( !$realfile ) {
-        throw new DOMPDF_Exception("File '$file' not found.");
-      }
 
       $chroot = $this->get_option("chroot");
       if ( strpos($realfile, $chroot) !== 0 ) {
         throw new DOMPDF_Exception("Permission denied on $file. The file could not be found under the directory specified by DOMPDF_CHROOT.");
       }
-
-      // Exclude dot files (e.g. .htaccess)
-      if ( substr(basename($realfile), 0, 1) === "." ) {
+      
+      $ext = pathinfo($realfile, PATHINFO_EXTENSION);
+      if (!in_array($ext, $this->_allowed_local_file_extensions)) {
         throw new DOMPDF_Exception("Permission denied on $file.");
       }
-
+      
+      if ( !$realfile ) {
+        throw new DOMPDF_Exception("File '$file' not found.");
+      }
+            
       $file = $realfile;
     }
-
+    
     $contents = file_get_contents($file, null, $this->_http_context);
     $encoding = null;
 
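Review bot: The `if ( !$realfile )` check now sits after `strpos($realfile, $chroot)` and `pathinfo($realfile, ...)`, so a failed `realpath()` (which returns false) is reported as "Permission denied" before the "not found" branch can run; with a non-empty chroot that branch looks unreachable. If hiding file existence is the intent, drop the dead check and say so in a comment; otherwise move it back directly under the `realpath()` call. Separately, the unchanged `strpos($realfile, $chroot) !== 0` test is a plain string-prefix match, so a sibling directory whose name merely begins with the chroot path would pass; comparing against `rtrim($chroot, "/\\") . DIRECTORY_SEPARATOR` closes that gap. The enclosing method starts and ends outside this hunk.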
--- a/include/font_metrics.cls.php
+++ b/include/font_metrics.cls.php
@@ -217,10 +217,18 @@
    */
   static function save_font_families() {
     // replace the path to the DOMPDF font directories with the corresponding constants (allows for more portability)
-    $cache_data = var_export(self::$_font_lookup, true);
-    $cache_data = str_replace('\''.DOMPDF_FONT_DIR , 'DOMPDF_FONT_DIR . \'' , $cache_data);
-    $cache_data = str_replace('\''.DOMPDF_DIR , 'DOMPDF_DIR . \'' , $cache_data);
-    $cache_data = "<"."?php return $cache_data ?".">";
+    $cache_data = sprintf("<?php return array (%s", PHP_EOL);
+    foreach (self::$_font_lookup as $family => $variants) {
+      $cache_data .= sprintf("  '%s' => array(%s", addslashes($family), PHP_EOL);
+      foreach ($variants as $variant => $path) {
+        $path = sprintf("'%s'", $path);
+        $path = str_replace('\'' . DOMPDF_FONT_DIR , 'DOMPDF_FONT_DIR . \'' , $path);
+        $path = str_replace('\'' . DOMPDF_DIR , 'DOMPDF_DIR . \'' , $path);
+        $cache_data .= sprintf("    '%s' => %s,%s", $variant, $path, PHP_EOL);
+      }
+      $cache_data .= sprintf("  ),%s", PHP_EOL);
+    }
+    $cache_data .= ") ?>";
     file_put_contents(self::CACHE_FILE, $cache_data);
   }
 
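Review bot: Only `$family` is escaped before it is written into the cache file; `$variant` and `$path` go into single-quoted PHP literals as-is, and the file is later loaded with `require_once`, so a quote or backslash in either value changes the PHP that gets executed. Building each literal with `var_export()` keeps the generated file well-formed for any input: `$path = var_export($path, true);` and `sprintf("    %s => %s,%s", var_export($variant, true), $path, PHP_EOL)`. The two `str_replace` calls would still find the leading quote, as they did on the old `var_export` output. A short comment stating that this output is executable PHP and every interpolated value must be escaped would help the next editor.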
@@ -249,13 +257,18 @@
       return;
     }
     
-    self::$_font_lookup = require_once self::CACHE_FILE;
+    $cache_data = require_once self::CACHE_FILE;
     
     // If the font family cache is still in the old format
     if ( self::$_font_lookup === 1 ) {
       $cache_data = file_get_contents(self::CACHE_FILE);
       file_put_contents(self::CACHE_FILE, "<"."?php return $cache_data ?".">");
-      self::$_font_lookup = require_once self::CACHE_FILE;
+      $cache_data = require_once self::CACHE_FILE;
+    }
+    
+    self::$_font_lookup = array();
+    foreach ($cache_data as $key => $value) {
+      self::$_font_lookup[stripslashes($key)] = $value;
     }
     
     // Merge provided fonts
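Review bot: The old-format test still reads `self::$_font_lookup === 1`, but the result of `require_once` is now stored in `$cache_data`, so the conversion branch no longer inspects the value it is meant to and `foreach ($cache_data ...)` would then iterate a non-array. It should be `if ( $cache_data === 1 ) {`. Because `require_once` returns `true` when the file was already included during the request, an `is_array($cache_data)` guard before the loop is also worth adding. The enclosing method starts and ends outside this hunk.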
@@ -318,7 +331,7 @@
     self::$_font_lookup[mb_strtolower($fontname)] = $entry;
   }
   
-  static function register_font($style, $remote_file) {
+  static function register_font($style, $remote_file, $context = null) {
     $fontname = mb_strtolower($style["family"]);
     $families = Font_Metrics::get_font_families();
     
@@ -328,6 +341,7 @@
     }
     
     $local_file = DOMPDF_FONT_DIR . md5($remote_file);
+    $local_temp_file = DOMPDF_TEMP_DIR . "/" . md5($remote_file);
     $cache_entry = $local_file;
     $local_file .= ".ttf";
     
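Review bot: `$local_temp_file` is a predictable name (the `md5` of the URL) inside `DOMPDF_TEMP_DIR`, which the sample configuration shows as `/tmp`; in a shared directory another local user can pre-create that path, or a symlink at it, before the download is written. `tempnam()` creates the file atomically under an unpredictable name: `$local_temp_file = tempnam(DOMPDF_TEMP_DIR, "dompdf_font_");`. register_font starts before and continues after this hunk.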
@@ -336,23 +350,28 @@
     if ( !isset($entry[$style_string]) ) {
       $entry[$style_string] = $cache_entry;
       
-      Font_Metrics::set_font_family($fontname, $entry);
-      
       // Download the remote file
-      if ( !is_file($local_file) ) {
-        file_put_contents($local_file, file_get_contents($remote_file));
-      }
+      file_put_contents($local_temp_file, file_get_contents($remote_file, null, $context));
       
-      $font = Font::load($local_file);
+      $font = Font::load($local_temp_file);
       
       if (!$font) {
+        unlink($local_temp_file);
         return false;
       }
       
       $font->parse();
       $font->saveAdobeFontMetrics("$cache_entry.ufm");
       
+      unlink($local_temp_file);
+      
+      if ( !file_exists("$cache_entry.ufm") ) {
+        return false;
+      }
+      
       // Save the changes
+      file_put_contents($local_file, file_get_contents($remote_file, null, $context));
+      Font_Metrics::set_font_family($fontname, $entry);
       Font_Metrics::save_font_families();
     }
     
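Review bot: The font is downloaded twice: the copy that is parsed goes to `$local_temp_file`, and `$local_file` is then filled by a second `file_get_contents($remote_file, ...)`, so the bytes kept in the font directory are not necessarily the ones that passed `Font::load()`. Neither download checks for a `false` return, so a failed fetch writes an empty file. Copying the validated temporary file into place removes the second request and the mismatch; the `unlink()` after `saveAdobeFontMetrics()` then moves below the copy. register_font starts before this hunk.

```php
      // … unchanged: $entry[$style_string] assignment …

      // Download the remote file once and stop if the fetch failed
      $font_data = file_get_contents($remote_file, null, $context);
      if ( $font_data === false ) {
        return false;
      }
      file_put_contents($local_temp_file, $font_data);

      // … unchanged: Font::load(), early return, parse(), saveAdobeFontMetrics() …

      if ( !file_exists("$cache_entry.ufm") ) {
        unlink($local_temp_file);
        return false;
      }

      // Keep the bytes that were just validated instead of fetching the URL again
      $stored = copy($local_temp_file, $local_file);
      unlink($local_temp_file);
      if ( !$stored ) {
        return false;
      }

      // Save the changes
      Font_Metrics::set_font_family($fontname, $entry);
      Font_Metrics::save_font_families();
```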
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -128,47 +128,45 @@
  * is appended (o.k. also for Windows)
  */
 function build_url($protocol, $host, $base_path, $url) {
-  if ( strlen($url) == 0 ) {
+  $protocol = mb_strtolower($protocol);
+  if (strlen($url) == 0) {
     //return $protocol . $host . rtrim($base_path, "/\\") . "/";
     return $protocol . $host . $base_path;
   }
-
   // Is the url already fully qualified or a Data URI?
-  if ( mb_strpos($url, "://") !== false || mb_strpos($url, "data:") === 0 ) {
+  if (mb_strpos($url, "://") !== false || mb_strpos($url, "data:") === 0) {
     return $url;
   }
-
   $ret = $protocol;
-
-  if ( !in_array(mb_strtolower($protocol), array("http://", "https://", "ftp://", "ftps://")) ) {
+  if (!in_array(mb_strtolower($protocol), array("http://", "https://", "ftp://", "ftps://"))) {
     //On Windows local file, an abs path can begin also with a '\' or a drive letter and colon
     //drive: followed by a relative path would be a drive specific default folder.
     //not known in php app code, treat as abs path
     //($url[1] !== ':' || ($url[2]!=='\\' && $url[2]!=='/'))
-    if ( $url[0] !== '/' && (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN' || ($url[0] !== '\\' && $url[1] !== ':')) ) {
+    if ($url[0] !== '/' && (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN' || ($url[0] !== '\\' && $url[1] !== ':'))) {
       // For rel path and local acess we ignore the host, and run the path through realpath()
-      $ret .= realpath($base_path).'/';
+      $ret .= realpath($base_path) . '/';
     }
     $ret .= $url;
     $ret = preg_replace('/\?(.*)$/', "", $ret);
     return $ret;
   }
-
-  //remote urls with backslash in html/css are not really correct, but lets be genereous
-  if ( $url[0] === '/' || $url[0] === '\\' ) {
+  // Protocol relative urls (e.g. "//example.org/style.css")
+  if (strpos($url, '//') === 0) {
+    $ret .= substr($url, 2);
+    //remote urls with backslash in html/css are not really correct, but lets be genereous
+  } elseif ($url[0] === '/' || $url[0] === '\\') {
     // Absolute path
     $ret .= $host . $url;
-  }
-  else {
+  } else {
     // Relative path
     //$base_path = $base_path !== "" ? rtrim($base_path, "/\\") . "/" : "";
     $ret .= $host . $base_path . $url;
   }
-
   return $ret;
-
 }
 
+
 /**
  * parse a full url or pathname and return an array(protocol, host, path,
  * file + query + fragment)
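Review bot: `$protocol` is already lowercased on the first line of `build_url`, so the `mb_strtolower($protocol)` inside the later `in_array(...)` call is redundant and can be `in_array($protocol, array("http://", "https://", "ftp://", "ftps://"))`. The comment `//remote urls with backslash ...` ended up as the last line of the protocol-relative branch although it describes the `elseif`; moving it into the `elseif` body keeps it next to the code it explains. Note that a fully qualified `$url` is still returned unchanged by the early `://` return, so its scheme is not normalised by this function.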
@@ -183,7 +181,10 @@
   $file = "";
 
   $arr = parse_url($url);
-
+  if ( isset($arr["scheme"])) {
+    $arr["scheme"] == mb_strtolower($arr["scheme"]);
+  }
+  
   // Exclude windows drive letters...
   if ( isset($arr["scheme"]) && $arr["scheme"] !== "file" && strlen($arr["scheme"]) > 1 ) {
     $protocol = $arr["scheme"] . "://";
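Review bot: `$arr["scheme"] == mb_strtolower($arr["scheme"]);` is a comparison whose result is discarded, so the scheme is never lowercased and the checks below it (`!== "file"`, and any caller comparing the returned protocol with lowercase values) still see the original case. It should be an assignment: `$arr["scheme"] = mb_strtolower($arr["scheme"]);`. As written, a mixed-case scheme appears to be rejected by the protocol whitelist added in dompdf.cls.php rather than accepted, so this fails closed, but the normalisation this hunk intends does not happen. explode_url starts and ends outside this hunk.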
@@ -229,7 +230,7 @@
   }
   else {
 
-    $i = mb_strpos($url, "file://");
+    $i = mb_stripos($url, "file://");
     if ( $i !== false ) {
       $url = mb_substr($url, $i + 7);
     }
@@ -400,6 +401,12 @@
     }
   }
   
+  if (!function_exists('mb_stripos')) {
+    function mb_stripos($haystack, $needle, $offset = 0) {
+      return stripos($haystack, $needle, $offset);
+    }
+  }
+  
   if (!function_exists('mb_strrpos')) {
     function mb_strrpos($haystack, $needle, $offset = 0) {
       return strrpos($haystack, $needle, $offset);
@@ -748,7 +755,7 @@
  * @param string $filename
  * @return array The same format as getimagesize($filename)
  */
-function dompdf_getimagesize($filename) {
+function dompdf_getimagesize($filename, $context = null) {
   static $cache = array();
   
   if ( isset($cache[$filename]) ) {
@@ -758,7 +765,7 @@
   list($width, $height, $type) = getimagesize($filename);
   
   if ( $width == null || $height == null ) {
-    $data = file_get_contents($filename, null, null, 0, 26);
+    $data = file_get_contents($filename, null, $context, 0, 26);
     
     if ( substr($data, 0, 2) === "BM" ) {
       $meta = unpack('vtype/Vfilesize/Vreserved/Voffset/Vheadersize/Vwidth/Vheight', $data);
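Review bot: `$context` only reaches the `file_get_contents()` fallback; the first probe, `getimagesize($filename)`, takes no stream context, so remote images are first fetched with PHP's default context, outside whatever restrictions the configured HTTP context carries. Fetching the bytes once through the context and measuring them from memory would route every request the same way, e.g. `$info = getimagesizefromstring(file_get_contents($filename, null, $context));` where PHP 5.4 or later can be assumed. The docblock in the preceding hunk also lacks a `@param resource $context` line. The function continues outside this hunk.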
@@ -1005,31 +1012,6 @@
   }
 }
 
-if ( function_exists("curl_init") ) {
-  function DOMPDF_fetch_url($url, &$headers = null) {
-    $ch = curl_init($url);
-    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
-    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
-    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-    curl_setopt($ch, CURLOPT_HEADER, true);
-    
-    $data = curl_exec($ch);
-    $raw_headers = substr($data, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
-    $headers = preg_split("/[\n\r]+/", trim($raw_headers));
-    $data = substr($data, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
-    curl_close($ch);
-    
-    return $data;
-  }
-}
-else {
-  function DOMPDF_fetch_url($url, &$headers = null) {
-    $data = file_get_contents($url);
-    $headers = $http_response_header;
-    
-    return $data;
-  }
-}
 
 /**
  * Affect null to the unused objects
--- a/include/gd_adapter.cls.php
+++ b/include/gd_adapter.cls.php
@@ -553,7 +553,7 @@
    * @internal param string $img_type the type (e.g. extension) of the image
    */
   function image($img_url, $x, $y, $w, $h, $resolution = "normal") {
-    $img_type = Image_Cache::detect_type($img_url);
+    $img_type = Image_Cache::detect_type($img_url, $this->_dompdf->get_http_context());
     $img_ext  = Image_Cache::type_to_ext($img_type);
 
     if ( !$img_ext ) {
--- a/include/image_cache.cls.php
+++ b/include/image_cache.cls.php
@@ -45,6 +45,7 @@
    * @return array             An array with two elements: The local path to the image and the image extension
    */
   static function resolve_url($url, $protocol, $host, $base_path, DOMPDF $dompdf) {
+    $protocol = mb_strtolower($protocol);
     $parsed_url = explode_url($url);
     $message = null;
 
@@ -84,7 +85,7 @@
           }
           else {
             set_error_handler("record_warnings");
-            $image = file_get_contents($full_url);
+            $image = file_get_contents($full_url, null, $dompdf->get_http_context());
             restore_error_handler();
           }
   
@@ -118,7 +119,7 @@
       
       // Check is the file is an image
       else {
-        list($width, $height, $type) = dompdf_getimagesize($resolved_url);
+        list($width, $height, $type) = dompdf_getimagesize($resolved_url, $dompdf->get_http_context());
         
         // Known image type
         if ( $width && $height && in_array($type, array(IMAGETYPE_GIF, IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_BMP)) ) {
@@ -138,7 +139,8 @@
     catch(DOMPDF_Image_Exception $e) {
       $resolved_url = self::$broken_image;
       $type = IMAGETYPE_PNG;
-      $message = $e->getMessage()." \n $url";
+      $message = "Image not found or type unknown";
+      $_dompdf_warnings[] = $e->getMessage()." :: $url";
     }
 
     return array($resolved_url, $type, $message);
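Review bot: `$_dompdf_warnings[] = ...` is written inside a static method, and no `global $_dompdf_warnings;` declaration is visible in the parts of `resolve_url` shown in this patch; without one PHP creates a local array and the detailed message is lost when the method returns. If the declaration is not already present elsewhere in the method, add `global $_dompdf_warnings;` at the top of `resolve_url`. Replacing the user-visible `$message` with a generic string is sensible, which makes it more important that the detail actually reaches the warning log.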
@@ -159,8 +161,8 @@
     self::$_cache = array();
   }
   
-  static function detect_type($file) {
-    list(, , $type) = dompdf_getimagesize($file);
+  static function detect_type($file, $context = null) {
+    list(, , $type) = dompdf_getimagesize($file, $context);
     return $type;
   }
   
--- a/include/image_frame_reflower.cls.php
+++ b/include/image_frame_reflower.cls.php
@@ -41,7 +41,7 @@
   function get_min_max_width() {
     if (DEBUGPNG) {
       // Determine the image's size. Time consuming. Only when really needed?
-      list($img_width, $img_height) = dompdf_getimagesize($this->_frame->get_image_url());
+      list($img_width, $img_height) = dompdf_getimagesize($this->_frame->get_image_url(), $this->get_dompdf()->get_http_context());
       print "get_min_max_width() ".
         $this->_frame->get_style()->width.' '.
         $this->_frame->get_style()->height.';'.
@@ -104,7 +104,7 @@
 
     if ($width == 0 || $height == 0) {
       // Determine the image's size. Time consuming. Only when really needed!
-      list($img_width, $img_height) = dompdf_getimagesize($this->_frame->get_image_url());
+      list($img_width, $img_height) = dompdf_getimagesize($this->_frame->get_image_url(), $this->get_dompdf()->get_http_context());
       
       // don't treat 0 as error. Can be downscaled or can be catched elsewhere if image not readable.
       // Resample according to px per inch
--- a/include/list_bullet_image_frame_decorator.cls.php
+++ b/include/list_bullet_image_frame_decorator.cls.php
@@ -48,7 +48,7 @@
     $frame->get_node()->setAttribute("src", $url);
     $this->_img = new Image_Frame_Decorator($frame, $dompdf);
     parent::__construct($this->_img, $dompdf);
-    list($width, $height) = dompdf_getimagesize($this->_img->get_image_url());
+    list($width, $height) = dompdf_getimagesize($this->_img->get_image_url(), $dompdf->get_http_context());
 
     // Resample the bullet image to be consistent with 'auto' sized images
     // See also Image_Frame_Reflower::get_min_max_width
--- a/include/list_bullet_renderer.cls.php
+++ b/include/list_bullet_renderer.cls.php
@@ -141,7 +141,7 @@
       // Tested php ver: value measured in px, suffix "px" not in value: rtrim unnecessary.
       //$w = $frame->get_width();
       //$h = $frame->get_height();
-      list($width, $height) = dompdf_getimagesize($img);
+      list($width, $height) = dompdf_getimagesize($img, $this->_dompdf->get_http_context());
       $dpi = $this->_dompdf->get_option("dpi");
       $w = ((float)rtrim($width, "px") * 72) / $dpi;
       $h = ((float)rtrim($height, "px") * 72) / $dpi;
--- a/include/pdflib_adapter.cls.php
+++ b/include/pdflib_adapter.cls.php
@@ -770,7 +770,7 @@
     $w = (int)$w;
     $h = (int)$h;
 
-    $img_type = Image_Cache::detect_type($img_url);
+    $img_type = Image_Cache::detect_type($img_url, $this->_dompdf->get_http_context());
     $img_ext  = Image_Cache::type_to_ext($img_type);
 
     if ( !isset($this->_imgs[$img_url]) ) {
--- a/include/stylesheet.cls.php
+++ b/include/stylesheet.cls.php
@@ -1250,7 +1250,7 @@
         "path"   => build_url($this->_protocol, $this->_base_host, $this->_base_path, $src[2][$i]),
       );
       
-      if ( !$source["local"] && in_array($source["format"], array("", "woff", "opentype", "truetype")) ) {
+      if ( !$source["local"] && in_array($source["format"], array("", "truetype")) ) {
         $valid_sources[] = $source;
       }
       
@@ -1268,7 +1268,7 @@
       "style"  => $descriptors->font_style,
     );
     
-    Font_Metrics::register_font($style, $valid_sources[0]["path"]);
+    Font_Metrics::register_font($style, $valid_sources[0]["path"], $this->_dompdf->get_http_context());
   }
 
   /**
--- a/lib/class.pdf.php
+++ b/lib/class.pdf.php
@@ -749,7 +749,7 @@
 EOT;
 
         $res = "<</Length " . mb_strlen($stream, '8bit') . " >>\n";
-        $res .= "stream\n" . $stream . "endstream";
+        $res .= "stream\n" . $stream . "\nendstream";
 
         $this->objects[$toUnicodeId]['c'] = $res;
 
@@ -1875,7 +1875,7 @@
       $tmp = 'o_'.$v['t'];
       $cont = $this->$tmp($k, 'out');
       $content.= $cont;
-      $xref[] = $pos;
+      $xref[] = $pos+1; //+1 to account for \n at the start of each object
       $pos+= mb_strlen($cont, '8bit');
     }
 
@@ -2426,7 +2426,7 @@
           $flags+= pow(2, 5); // assume non-sybolic
           $list = array(
             'Ascent' => 'Ascender',
-            'CapHeight' => 'CapHeight',
+            'CapHeight' => 'Ascender', //FIXME: php-font-lib is not grabbing this value, so we'll fake it and use the Ascender value // 'CapHeight'
             'MissingWidth' => 'MissingWidth',
             'Descent' => 'Descender',
             'FontBBox' => 'FontBBox',
--- a/www/debugger.php
+++ b/www/debugger.php
@@ -1,4 +1,12 @@
-<?php 
+<?php
+require_once "functions.inc.php";
+
+$allowed_hosts = array("::1", "127.0.0.1");
+if( !auth_ok() || !in_array($_SERVER['REMOTE_ADDR'], $allowed_hosts) ) {
+  die("Access denied to host at " . $_SERVER['REMOTE_ADDR']);
+}
+
+
 $files = glob("test/*.{html,htm,php}", GLOB_BRACE);
 ?>
 
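Review bot: The `REMOTE_ADDR` allowlist treats `127.0.0.1` and `::1` as proof of a local user, but when the site sits behind a reverse proxy or load balancer on the same host every request arrives from loopback, so that half of the condition passes for all clients and only `auth_ok()` remains. head.inc uses the same allowlist without `auth_ok()`, and demo.php relies on it as well. A comment recording this deployment assumption next to `$allowed_hosts` would help, e.g. `// Loopback only: not a meaningful restriction behind a local reverse proxy`. The `glob()` on the following line still lists `.php` files from `test/`, although the local-file extension whitelist added in this patch accepts only `htm` and `html`.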
@@ -6,6 +14,7 @@
 <html lang="en">
 <head>
   <title>dompdf debugger</title>
+  <meta name="robots" content="noindex">
   <script type="text/javascript" src="jquery-1.4.2.js"></script>
   
   <script type="text/javascript">
--- a/www/demo.php
+++ b/www/demo.php
@@ -6,7 +6,7 @@
 $local = array("::1", "127.0.0.1");
 $is_local = in_array($_SERVER['REMOTE_ADDR'], $local);
 
-if ( isset( $_POST["html"] ) && $is_local ) {
+if ( auth_ok() && $is_local && isset( $_POST["html"] ) ) {
 
   if ( get_magic_quotes_gpc() )
     $_POST["html"] = stripslashes($_POST["html"]);
@@ -27,7 +27,7 @@
 <a name="demo"> </a>
 <h2>Demo</h2>
 
-<?php if ($is_local) { ?>
+<?php if (auth_ok() && $is_local) { ?>
 
 <p>Enter your html snippet in the text box below to see it rendered as a
 PDF: (Note by default, remote stylesheets, images &amp; inline PHP are disabled.)</p>
@@ -79,6 +79,8 @@
     User input has been disabled for remote connections.
   </p>
   
+  <?php echo auth_get_link(); ?>
+
 <?php } ?>
 
 <?php include("foot.inc"); ?>
\ No newline at end of file
--- a/www/head.inc
+++ b/www/head.inc
@@ -1,4 +1,8 @@
 <?php
+$allowed_hosts = array("::1", "127.0.0.1");
+if( !in_array($_SERVER['REMOTE_ADDR'], $allowed_hosts) ) {
+  die("Access denied to host at " . $_SERVER['REMOTE_ADDR']);
+}
 
 session_start();
 
@@ -21,6 +25,7 @@
 <head>
   <title>dompdf - The PHP 5 HTML to PDF Converter</title>
   <link rel="stylesheet" href="style.css" type="text/css"/>
+  <meta name="robots" content="noindex">
   <link rel="SHORTCUT ICON" href="images/favicon.ico"/>
   <script type="text/javascript" src="jquery-1.4.2.js"></script>
   
--- a/www/setup.php
+++ b/www/setup.php
@@ -1,5 +1,9 @@
 <?php include("head.inc"); ?>
 
+<?php
+if (auth_ok()) {
+?>
+
 <a name="setup"> </a>
 <h2>Setup</h2>
 
@@ -296,5 +300,12 @@
 
 </table>
 
+<?php
+} else {
+  echo auth_get_link();
+}
+?>
+
+
 
 <?php include("foot.inc"); ?>
\ No newline at end of file
