* Allow enabling local file:// protocol
the option is disabled for security reasons by default, since it might be exploited, when a PDF is generated based on HTML provided by the enduser.
* Update tcpdf.php
Co-authored-by: William Desportes <williamdes@wdes.fr>
* Update tcpdf.php
Co-authored-by: William Desportes <williamdes@wdes.fr>
* fix whitespaces
Co-authored-by: Markus Staab <m.staab@complex-it.de>
Co-authored-by: Markus Staab <47448731+clxmstaab@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
* check if file exists before calling unlink
file_exists has a known vulnerability.
Replacing with the internal one.
Co-authored-by: Nicola Asuni <nicolaasuni@users.noreply.github.com>
When creating PNG files, temporary file are not removed (search for __tcpdf_* in your temp directory). After this changes temp directory never has temporary files created by tcpdf
Co-authored-by: Nicola Asuni <nicolaasuni@users.noreply.github.com>
In `include/tcpdf_static.php` file, there are couple Curl calls that could use some additional Curl hardening.
1. Limit the maximum number of redirects Curl is allowed to follow. Currently, it is configured in PHP source code to 20. However, as a [security precaution, limit it to 5](https://php.watch/articles/php-curl-security-hardening#infinite-redirects).
2. Curl is used here for HTTP, HTTPS, and in one instance, for FTP URLs. With `CURLOPT_FOLLOWLOCATION` option enabled, this allows a malicious remote server to perform SSRF attacks and utilize all protocols Curl supports, such as LDAP, FTP, etc that are highly undesired. Setting a restricted [`CURLOPT_PROTOCOLS` value mitigates this vulnerability](https://php.watch/articles/php-curl-security-hardening#ssrf). In older Curl versions, it even allows local file inclusion attacks with `file:///etc/passwd` style redirect URLs.
This prevents the cloned object from removing temporary files
owned by the original object during cleanup, potentially
leaving some that were created during the transaction,
but these should be cleaned with the original object
Fixes#205
