-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #780 from tecnickcom/imgpath
Forbid access to parent folders in SVG images path.
- Loading branch information
Showing
8 changed files
with
18 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ | |
|
|
||
| * **category** Library | ||
| * **author** Nicola Asuni <[email protected]> | ||
| * **copyright** 2002-2024 Nicola Asuni - Tecnick.com LTD | ||
| * **copyright** 2002-2025 Nicola Asuni - Tecnick.com LTD | ||
| * **license** http://www.gnu.org/copyleft/lesser.html GNU-LGPL v3 (see LICENSE.TXT) | ||
| * **link** http://www.tcpdf.org | ||
| * **source** https://github.com/tecnickcom/TCPDF | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 6.8.0 | ||
| 6.8.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,7 +7,7 @@ | |
| // Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - [email protected] | ||
| // License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html) | ||
| // ------------------------------------------------------------------- | ||
| // Copyright (C) 2008-2024 Nicola Asuni - Tecnick.com LTD | ||
| // Copyright (C) 2008-2025 Nicola Asuni - Tecnick.com LTD | ||
| // | ||
| // This file is part of TCPDF software library. | ||
| // | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,7 +7,7 @@ | |
| // Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - [email protected] | ||
| // License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html) | ||
| // ------------------------------------------------------------------- | ||
| // Copyright (C) 2002-2024 Nicola Asuni - Tecnick.com LTD | ||
| // Copyright (C) 2002-2025 Nicola Asuni - Tecnick.com LTD | ||
| // | ||
| // This file is part of TCPDF software library. | ||
| // | ||
|
|
@@ -55,7 +55,7 @@ class TCPDF_STATIC { | |
| * Current TCPDF version. | ||
| * @private static | ||
| */ | ||
| private static $tcpdf_version = '6.8.0'; | ||
| private static $tcpdf_version = '6.8.1'; | ||
|
|
||
| /** | ||
| * String alias for total number of pages. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,13 @@ | ||
| <?php | ||
| //============================================================+ | ||
| // File name : tcpdf.php | ||
| // Version : 6.8.0 | ||
| // Version : 6.8.1 | ||
| // Begin : 2002-08-03 | ||
| // Last Update : 2024-12-23 | ||
| // Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - [email protected] | ||
| // License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html) | ||
| // ------------------------------------------------------------------- | ||
| // Copyright (C) 2002-2024 Nicola Asuni - Tecnick.com LTD | ||
| // Copyright (C) 2002-2025 Nicola Asuni - Tecnick.com LTD | ||
| // | ||
| // This file is part of TCPDF software library. | ||
| // | ||
|
|
@@ -104,7 +104,7 @@ | |
| * Tools to encode your unicode fonts are on fonts/utils directory.</p> | ||
| * @package com.tecnick.tcpdf | ||
| * @author Nicola Asuni | ||
| * @version 6.8.0 | ||
| * @version 6.8.1 | ||
| */ | ||
|
|
||
| // TCPDF configuration | ||
|
|
@@ -128,7 +128,7 @@ | |
| * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br> | ||
| * @package com.tecnick.tcpdf | ||
| * @brief PHP class for generating PDF documents without requiring external extensions. | ||
| * @version 6.8.0 | ||
| * @version 6.8.1 | ||
| * @author Nicola Asuni - [email protected] | ||
| * @IgnoreAnnotation("protected") | ||
| * @IgnoreAnnotation("public") | ||
|
|
@@ -24467,6 +24467,10 @@ protected function startSVGElementHandler($parser, $name, $attribs, $ctm=array() | |
| $img = '@'.base64_decode(substr($img, strlen($m[0]))); | ||
| } else { | ||
| // fix image path | ||
| if (strpos($img, '../') !== false) { | ||
| // accessing parent folders is not allowed | ||
| break; | ||
| } | ||
| if (!TCPDF_STATIC::empty_string($this->svgdir) AND (($img[0] == '.') OR (basename($img) == $img))) { | ||
| // replace relative path with full server path | ||
| $img = $this->svgdir.'/'.$img; | ||
|
|
||