Complex gmbh file proto main (#342)

* Allow enabling local file:// protocol the option is disabled for security reasons by default, since it might be exploited, when a PDF is generated based on HTML provided by the enduser. * Update tcpdf.php Co-authored-by: William Desportes <williamdes@wdes.fr> * Update tcpdf.php Co-authored-by: William Desportes <williamdes@wdes.fr> * fix whitespaces Co-authored-by: Markus Staab <m.staab@complex-it.de> Co-authored-by: Markus Staab <47448731+clxmstaab@users.noreply.github.com> Co-authored-by: William Desportes <williamdes@wdes.fr>
2025-03-22 15:09:40 +01:00 · 2021-03-27 09:13:54 +00:00 · 2021-03-27 09:13:54 +00:00 · 0fb31c9ddd
commit 0fb31c9ddd
parent 978eb8c824
1 changed files with 26 additions and 1 deletions
--- a/tcpdf.php
+++ b/tcpdf.php
@ -1833,6 +1833,15 @@ class TCPDF {
     */
 	protected $fileContentCache = array();

+	/**
+	 * Whether to allow local file path in image html tags, when prefixed with file://
+	 *
+	 * @var bool
+	 * @protected
+	 * @since 6.4 (2020-07-23)
+	 */
+	protected $allowLocalFiles = false;
+
 	//------------------------------------------------------------
 	// METHODS
 	//------------------------------------------------------------
@ -2956,6 +2965,18 @@ class TCPDF {
 		$this->creator = $creator;
 	}

+	/**
+	 * Whether to allow local file path in image html tags, when prefixed with file://
+	 * 
+	 * @param $allowLocalFiles bool true, when local files should be allowed. Otherwise false.
+	 * @public
+	 * @since 6.4
+	 */
+	public function SetAllowLocalFiles($allowLocalFiles) {
+		$this->allowLocalFiles = (bool) $allowLocalFiles;
+	}
+
+
 	/**
 	 * Throw an exception or print an error message and die if the K_TCPDF_PARSER_THROW_EXCEPTION_ERROR constant is set to true.
 	 * @param $msg (string) The error message
@ -18928,7 +18949,11 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
 					// data stream
 					$imgsrc = '@'.base64_decode(substr($imgsrc, 1));
 					$type = '';
-				} else {
+				} elseif ( $this->allowLocalFiles && substr($imgsrc, 0, 7) === 'file://') {
+                    // get image type from a local file path
+                    $imgsrc = substr($imgsrc, 7);
+                    $type = TCPDF_IMAGES::getImageFileType($imgsrc);
+                } else {
 					if (($imgsrc[0] === '/') AND !empty($_SERVER['DOCUMENT_ROOT']) AND ($_SERVER['DOCUMENT_ROOT'] != '/')) {
 						// fix image path
 						$findroot = strpos($imgsrc, $_SERVER['DOCUMENT_ROOT']);