Comments (8)
Hi @williamdes, thank you for your response.
We are unable to modify the library (or eliminate the unused function) because it is used in our proprietary software.
A new release with the function taken out would be greatly appreciated!
from tcpdf.
Thanks for your reply, williamdes. We believe the following call (and ones like it) may be used to expose sensitive information from the file system:
TCPDF_STATIC::fileGetContents('../../../etc/passwd');
If you disagree with our belief, please let us know why the behavior I described isn't possible.
For reference, you can find information about path traversal vulnerabilities, including attack examples and mitigation strategies at OWASP website here: https://owasp.org/www-community/attacks/Path_Traversal
Thanks Again.
from tcpdf.
The LGPL argument is a strange one. Do the work, send your changes upstream. Just as for any other open source software.
The mentioned function is used by the file content cache:
Lines 24765 to 24771 in d4adef4
It is called from:
_putEmbeddedFiles()
getHtmlDomArray($html)
Image($file, ...)
ImageEps($file, ...)
ImageSVG($file, ...)
I've not investigated thoroughly, but it looks difficult to get data out of /random/secret/file using these functions.
from tcpdf.
We have discovered that the "HOST" header of an HTTP request is immutable by the end user. The host will be whatever domain name the HTTP request is being sent to. The TCPDF_STATIC::fileGetContents function is not subject to any mutable HTTP header information, and therefore this can be classified as a false positive.
from tcpdf.
We are unable to modify the library due to the LGPL license.
I do not understand why this is an issue; can you elaborate?
The function does not seem to be used by the code, as far as my research confirms.
See: https://github.com/search?q=repo%3Atecnickcom%2FTCPDF%20fileGetContents&type=code
Ref:
TCPDF/include/tcpdf_static.php
Line 1894 in d4adef4
@nicolaasuni what about deleting it and some more stuff like tcpdf import and releasing a major version?
from tcpdf.
If removal of the offending function is not possible or undesirable, I recommend considering the use of the realpath and basename functions to prevent possible path traversal.
If you believe that path traversal is not possible within this function, can you please let us know why it is not possible?
Thanks!
from tcpdf.
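The realpath-based mitigation suggested above, written out as an added example. This is not TCPDF's code and not the reporter's; it is a loader an application could place in front of a call such as TCPDF_STATIC::fileGetContents() when the filename comes from a caller. It assumes the application owns a base directory for PDF assets (the directory names, the function names resolveInsideBase/naiveRead/safeRead and the sample files are all hypothetical, and the sandbox it creates is constructed for the demonstration). It requires PHP 8 for str_contains() and the union return type.

```php
<?php
// Added example (not part of TCPDF): resolve a caller-supplied relative path
// against an allow-listed base directory and reject anything that escapes it.
// Assumption: the application controls $baseDir and only expects files inside it.

declare(strict_types=1);

/**
 * Return the canonical absolute path of $userPath inside $baseDir, or null when
 * the path is absolute, contains a NUL byte, does not exist, or resolves
 * (via ".." or a symlink) to somewhere outside $baseDir.
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null; // the base directory itself must exist
    }
    // Only plain relative paths are accepted; NUL bytes are rejected because
    // they can truncate the path in lower-level file APIs.
    if ($userPath === '' || $userPath[0] === '/' || $userPath[0] === '\\'
        || str_contains($userPath, "\0")) {
        return null;
    }
    // realpath() collapses ".", "..", resolves symlinks and returns false when
    // any component is missing, so a non-existent file is rejected here as well.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against the base *with* a trailing separator, otherwise a sibling
    // directory such as "/srv/assets-private" would pass a check for "/srv/assets".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Naive loader, for contrast: concatenates and reads, so ".." walks out of $baseDir. */
function naiveRead(string $baseDir, string $userPath): string|false
{
    return @file_get_contents($baseDir . DIRECTORY_SEPARATOR . $userPath);
}

/** Hardened loader: only reads what resolveInsideBase() accepts. */
function safeRead(string $baseDir, string $userPath): ?string
{
    $real = resolveInsideBase($baseDir, $userPath);
    return $real === null ? null : file_get_contents($real);
}

// Constructed sandbox: an assets directory and a "secret" file one level above it.
$root   = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
$assets = $root . '/assets';
mkdir($assets, 0700, true);
file_put_contents($assets . '/logo.txt', "public logo data\n");
file_put_contents($root . '/secret.txt', "SECRET\n");

// Same traversal string against both loaders, then a legitimate file.
var_dump(naiveRead($assets, '../secret.txt'));
var_dump(safeRead($assets, '../secret.txt'));
var_dump(safeRead($assets, 'logo.txt'));

// Cleanup of the constructed sandbox.
unlink($assets . '/logo.txt');
unlink($root . '/secret.txt');
rmdir($assets);
rmdir($root);
```

The prefix comparison after realpath() is the part that actually blocks traversal; realpath() alone only canonicalises. basename(), the other function mentioned in the comment, discards every directory component, so it is the right tool only when a flat filename is expected and would silently break legitimate subdirectory references such as fonts/foo.ttf.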
Well, I will let @nicolaasuni take the decisions needed or not. I am only a contributor to this project.
For me this is a theoretical security issue. If you can provide proof of a real one, I may work on a fix.
from tcpdf.
Thanks, d-javu. We will plan to submit a pull request soon.
from tcpdf.