Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data.

2025-03-24 16:09:40 +01:00 · 2018-09-14 16:26:29 +01:00 · 2018-09-14 16:26:29 +01:00 · ac6e92fccc
commit ac6e92fccc
parent a3273af312
4 changed files with 12 additions and 16 deletions
--- a/composer.json
+++ b/composer.json
@ -1,6 +1,6 @@
 {
  "name": "tecnickcom/tcpdf",
-  "version": "6.2.21",
+  "version": "6.2.22",
  "homepage": "http://www.tcpdf.org/",
  "type": "library",
  "description": "TCPDF is a PHP class for generating PDF documents and barcodes.",
--- a/include/tcpdf_images.php
+++ b/include/tcpdf_images.php
@ -162,11 +162,7 @@ class TCPDF_IMAGES {
 	public static function _parsejpeg($file) {
 		// check if is a local file
 		if (!@TCPDF_STATIC::file_exists($file)) {
-			// try to encode spaces on filename
-			$tfile = str_replace(' ', '%20', $file);
-			if (@TCPDF_STATIC::file_exists($tfile)) {
-				$file = $tfile;
-			}
+			return false;
 		}
 		$a = getimagesize($file);
 		if (empty($a)) {
--- a/include/tcpdf_static.php
+++ b/include/tcpdf_static.php
@ -55,7 +55,7 @@ class TCPDF_STATIC {
 	 * Current TCPDF version.
 	 * @private static
 	 */
-	private static $tcpdf_version = '6.2.21';
+	private static $tcpdf_version = '6.2.22';

 	/**
 	 * String alias for total number of pages.
@ -1841,6 +1841,10 @@ class TCPDF_STATIC {
 				}
 			}
 		}
+		if (!@file_exists($filename)) {
+			// try to encode spaces on filename
+			$filename = str_replace(' ', '%20', $filename);
+		}
 		return @file_exists($filename);
 	}

--- a/tcpdf.php
+++ b/tcpdf.php
@ -1,7 +1,7 @@
 <?php
 //============================================================+
 // File name   : tcpdf.php
-// Version     : 6.2.21
+// Version     : 6.2.22
 // Begin       : 2002-08-03
 // Last Update : 2018-09-14
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
@ -104,7 +104,7 @@
 * Tools to encode your unicode fonts are on fonts/utils directory.</p>
 * @package com.tecnick.tcpdf
 * @author Nicola Asuni
- * @version 6.2.21
+ * @version 6.2.22
 */

 // TCPDF configuration
@ -128,7 +128,7 @@ require_once(dirname(__FILE__).'/include/tcpdf_static.php');
 * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
 * @package com.tecnick.tcpdf
 * @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.2.21
+ * @version 6.2.22
 * @author Nicola Asuni - info@tecnick.com
 * @IgnoreAnnotation("protected")
 * @IgnoreAnnotation("public")
@ -6845,13 +6845,9 @@ class TCPDF {
 				$file = substr($file, 1);
 				$exurl = $file;
 			}
-			// check if is a local file
+			// check if file exist and it is valid
 			if (!@TCPDF_STATIC::file_exists($file)) {
-				// try to encode spaces on filename
-				$tfile = str_replace(' ', '%20', $file);
-				if (@TCPDF_STATIC::file_exists($tfile)) {
-					$file = $tfile;
-				}
+				return false;
 			}
 			if (($imsize = @getimagesize($file)) === FALSE) {
 				if (in_array($file, $this->imagekeys)) {