add security on scheme of css and image paths

CHANGELOG.md

@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [5.2.4](https://github.com/spipu/html2pdf/compare/v5.2.3...master) - unreleased
 
   * revert fix multibyte aware substr when setting newline position - it causes pbs on some specific cases
+  * add security on scheme of css and image paths 
 
 ## [5.2.3](https://github.com/spipu/html2pdf/compare/v5.2.2...v5.2.3) - 2021-10-19
 

src/Html2Pdf.php

@@ -1511,6 +1511,7 @@ protected function _drawImage($src, $subLi = false)
             $infos = @getimagesizefromstring($src);
             $src = "@{$src}";
         } else {
+            $this->parsingCss->checkValidPath($src);
             $infos = @getimagesize($src);
         }
 

src/Parsing/Css.php

@@ -13,6 +13,7 @@
 namespace Spipu\Html2Pdf\Parsing;
 
 use Spipu\Html2Pdf\CssConverter;
+use Spipu\Html2Pdf\Exception\HtmlParsingException;
 use Spipu\Html2Pdf\MyPdf;
 
 class Css
@@ -42,6 +43,8 @@ class Css
     public $cssKeys      = array(); // css key, for the execution order
     public $table        = array(); // level history
 
+    protected $unauthorizedSchemes = ['php://', 'zlib://', 'data://', 'glob://', 'phar://'];
+
     /**
      * Constructor
      *
@@ -195,7 +198,7 @@ public function initStyle()
      */
     public function resetStyle($tagName = '')
     {
-        // prepare somme values
+        // prepare some values
         $border = $this->readBorder('solid 1px #000000');
         $units = array(
             '1px' => $this->cssConverter->convertToMM('1px'),
@@ -536,7 +539,7 @@ public function getSvgStyle($tagName, &$param)
         $class = array();
         $tmp = isset($param['class']) ? strtolower(trim($param['class'])) : '';
         $tmp = explode(' ', $tmp);
-        foreach ($tmp as $k => $v) {
+        foreach ($tmp as $v) {
             $v = trim($v);
             if ($v) {
                 $class[] = $v;
@@ -606,7 +609,7 @@ public function getSvgStyle($tagName, &$param)
      */
     public function analyse($tagName, &$param, $legacy = null)
     {
-        // prepare the informations
+        // prepare the information
         $tagName = strtolower($tagName);
         $id   = isset($param['id'])   ? strtolower(trim($param['id']))    : null;
         if (!$id) {
@@ -627,7 +630,7 @@ public function analyse($tagName, &$param, $legacy = null)
             '[[page_cu]]' => $this->pdf->getMyNumPage()
         );
 
-        foreach ($tmp as $k => $v) {
+        foreach ($tmp as $v) {
             $v = trim($v);
             if (strlen($v)>0) {
                 $v = str_replace(array_keys($toReplace), array_values($toReplace), $v);
@@ -1661,7 +1664,7 @@ protected function analyseStyle($code)
             }
         }
 
-        // get he list of the keys
+        // get the list of the keys
         $this->cssKeys = array_flip(array_keys($this->css));
     }
 
@@ -1693,6 +1696,7 @@ public function extractStyle($html)
                 $url = $tmp['href'];
 
                 // get the content of the css file
+                $this->checkValidPath($url);
                 $content = @file_get_contents($url);
 
                 // if "http://" in the url
@@ -1750,4 +1754,19 @@ private function removeStyleTag(array $match)
 
         return str_pad('', $nbLines, "\n");
     }
+
+    /**
+     * @param string $path
+     * @return void
+     * @throws HtmlParsingException
+     */
+    public function checkValidPath($path)
+    {
+        $path = trim(strtolower($path));
+        foreach ($this->unauthorizedSchemes as $unauthorizedScheme) {
+            if (substr($path, 0, strlen($unauthorizedScheme)) === $unauthorizedScheme) {
+                throw new HtmlParsingException('Unauthorized path scheme');
+            }
+        }
+    }
 }

src/Tests/Html2PdfTest.php

@@ -27,4 +27,15 @@ public function testExtensionTag()
         Phake::verify($tag, Phake::times(4))->open;
         Phake::verify($tag, Phake::times(2))->close;
     }
+
+    /**
+     * @expectedException \Spipu\Html2Pdf\Exception\HtmlParsingException
+     * @expectedExceptionMessage Unauthorized path scheme
+     */
+    public function testSecurity()
+    {
+        $object = $this->getObject();
+
+        $object->writeHTML('<div><img src="phar://test.com/php.phar" alt="" /></div>');
+    }
 }