Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inserting Image into a Cell #4241

Closed
wjycoder opened this issue Nov 25, 2024 · 1 comment · Fixed by #4244
Closed

Inserting Image into a Cell #4241

wjycoder opened this issue Nov 25, 2024 · 1 comment · Fixed by #4244

Comments

@wjycoder
Copy link

wjycoder commented Nov 25, 2024

Inserting images fails without any error messages since version 1.29.2. However, version 1.29.1 works normally

$filename = "path_to_file.jpg";
$drawing = new Drawing();
$drawing->setWorksheet($worksheet);
$drawing->setPath($filename);
$drawing->setResizeProportional(true);
$drawing->setCoordinates('A2');
@oleibman
Copy link
Collaborator

A number of security patches were added in 1.29.2 (and other supported branches that were patched at the same time). One of those involved the addition of invalid images to a worksheet which could be used in exploits. Part of the solution is to validate the path as an image when a drawing is added to a worksheet. For that reason, you need to invoke setWorksheet after setPath. My apologies that this wasn't made clear in the release notes. Also for the absence of, say, an exception - that was a deliberate, admittedly arguable, decision.

oleibman added a commit to oleibman/PhpSpreadsheet that referenced this issue Nov 26, 2024
Fix PHPOffice#4241. Some security batches caused a minor break in Drawings, forcing `setWorksheet` to come after `setPath`. Although the problem is easily fixed in user code, this was not an intended change. Some slight recoding restores the earlier functionality where the order of calls was not important, without sacrificing the security gains. This change will be back-ported to the other active branches to which the security patch had been applied.
oleibman added a commit that referenced this issue Nov 26, 2024
Backport of #4241. Some security batches caused a minor break in Drawings, forcing `setWorksheet` to come after `setPath`. Although the problem is easily fixed in user code, this was not an intended change. Some slight recoding restores the earlier functionality where the order of calls was not important, without sacrificing the security gains.
oleibman added a commit that referenced this issue Nov 26, 2024
Backport of #4241. Some security batches caused a minor break in Drawings, forcing `setWorksheet` to come after `setPath`. Although the problem is easily fixed in user code, this was not an intended change. Some slight recoding restores the earlier functionality where the order of calls was not important, without sacrificing the security gains.
oleibman added a commit that referenced this issue Nov 26, 2024
Backport of #4241. Some security batches caused a minor break in Drawings, forcing `setWorksheet` to come after `setPath`. Although the problem is easily fixed in user code, this was not an intended change. Some slight recoding restores the earlier functionality where the order of calls was not important, without sacrificing the security gains.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging a pull request may close this issue.

2 participants