* Update tcpdf.php
Since version 6.7.4, "0" is treated as an empty string and not displayed
* Update tcpdf.php
Co-authored-by: William Desportes <williamdes@wdes.fr>
* Fixed handling of transparency in PDF/A mode in addExtGState method
The condition allowed adding ExtGState in all PDF/A modes and disallowed
it in default mode.
This fix inlines the condition with setExtGState to allow transparency
parameters for non-PDF/A and PDF/A > 1 documents.
The state condition is copied from 'setExtGState'.
* Encrypt /DA string when document is encrypted
When the document is encrypted, the /DA string must be encrypted too;
without this, Acrobat cannot allow filling form fields.
* Improve quality of generated seed, avoid potential security pitfall
* Try to use random_bytes() first if it's available
* Do not include the server parameters in the generated seed, as
they might contain sensitive data
As all current usages of getRandomSeed() directly hash the seed,
there should be no BC breaking changes.
The main source of entropy is more than enough on its own if
random_bytes() or openssl_random_pseudo_bytes() are available.
* Fix bug on _getannotsrefs when there are empty signature appearances but no other annot on a page
* Fix SVG coordinate parser that caused drawing artifacts
* Remove usage of xml_set_object() function
The xml_set_object() function will be deprecated in PHP 8.4 as well as
passing non-callable strings to the xml_set_*_handler() functions.
Instead of using xml_set_object(), the string method names in
xml_set_element_handler() and xml_set_character_data_handler() should be
replaced with callables.
- https://wiki.php.net/rfc/deprecations_php_8_4#xml_set_object_and_xml_set_handler_with_string_method_names
Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
---------
Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
Co-authored-by: jlouche <61839660+jlouche@users.noreply.github.com>
Co-authored-by: William Desportes <williamdes@wdes.fr>
Co-authored-by: stollr <christian.stoller@mail.de>
Co-authored-by: Robert Jędrzejczyk <robert@prog.olsztyn.pl>
Co-authored-by: Andreas Erhard <andreas.erhard@i-med.ac.at>
Co-authored-by: Alejandro Precioso <aprecioso@bigtree.com.ar>
Co-authored-by: davidrod <david@gassiotllobet.com>
Co-authored-by: sslldavid <119080321+sslldavid@users.noreply.github.com>
Co-authored-by: Alejandro <aprecioso@gmail.com>
Co-authored-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
PHP Deprecated: Implicit conversion from float 31.5 to int loses precision in /var/www/html/vendor/tecnickcom/tcpdf/include/barcodes/qrcode.php on line 891
PHP Deprecated: Implicit conversion from float 3.5 to int loses precision in /var/www/html/vendor/tecnickcom/tcpdf/include/barcodes/qrcode.php on line 895
Co-authored-by: Nicola Asuni <nicolaasuni@users.noreply.github.com>
* Fix call signatures on example 12 for PHP 8.1 strpos null errors
* Fix #401 - PHP 8.1 casts to int - getGDgamma - CoonsPatchMesh
Fixes: tecnickcom/TCPDF#401
* PHP 8.1 - cast in _RC4 before sending to str_repeat
* Enable back extensions on PHP 5.{3,4,5}
* Improve the test script to allow testing other PHP versions locally
* Fix typo on "parametrs" -> "parameters"
* Reduce possible side effects with the OS
* Fix #461 - fix barcodes handling using false, PHP 8.1 deprecation
Fixes: tecnickcom/TCPDF#461
* Fix #401 - PHP 8.1 casts to int - CoonsPatchMesh
Fixes: tecnickcom/TCPDF#401
Co-authored-by: Nicola Asuni <nicolaasuni@users.noreply.github.com>
* Fix phpdoc and prefer null as default value
Co-authored-by: Michael Voříšek <mvorisek@mvorisek.cz>
Co-authored-by: Nicola Asuni <nicolaasuni@users.noreply.github.com>
* Fix type hints
* More accurate type hint
Co-authored-by: William Desportes <williamdes@wdes.fr>
* document void return
* document void return
* Update include/tcpdf_fonts.php
Co-authored-by: William Desportes <williamdes@wdes.fr>
* Fix type hints
Co-authored-by: William Desportes <williamdes@wdes.fr>
Co-authored-by: Nicola Asuni <nicolaasuni@users.noreply.github.com>
* Add a @since on a function
* Refresh phpdoc blocks
Using `@param (\$[a-zA-Z0-9_]+)\s\(([a-z]+)\)`
* Fix phpdoc blocks
* Fix typos and phpdoc mistakes
* More phpdoc block fixes
Co-authored-by: Nicola Asuni <nicolaasuni@users.noreply.github.com>
In the `include/tcpdf_static.php` file, there are a couple of Curl calls that could use some additional Curl hardening.
1. Limit the maximum number of redirects Curl is allowed to follow. Currently, it is configured in PHP source code to 20. However, as a [security precaution, limit it to 5](https://php.watch/articles/php-curl-security-hardening#infinite-redirects).
2. Curl is used here for HTTP, HTTPS, and in one instance, for FTP URLs. With the `CURLOPT_FOLLOWLOCATION` option enabled, this allows a malicious remote server to perform SSRF attacks and utilize all protocols Curl supports, such as LDAP, FTP, etc., which are highly undesirable. Setting a restricted [`CURLOPT_PROTOCOLS` value mitigates this vulnerability](https://php.watch/articles/php-curl-security-hardening#ssrf). In older Curl versions, it even allows local file inclusion attacks with `file:///etc/passwd` style redirect URLs.
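
The two settings described above, applied to a single cURL handle. This is an added example, not TCPDF's own code: `hardened_curl_init()` is a hypothetical helper, the up-front scheme check and the tighter `CURLOPT_REDIR_PROTOCOLS` value are assumptions that go beyond the text, and the URLs are constructed samples.

```php
<?php
/**
 * Hypothetical helper (not part of TCPDF): build a cURL handle that follows
 * at most 5 redirects and can only speak the protocols the caller expects.
 */
function hardened_curl_init(string $url, bool $allowFtp = false)
{
    // Reject unexpected schemes before a handle is even created.
    $scheme  = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $allowed = $allowFtp ? ['http', 'https', 'ftp'] : ['http', 'https'];
    if (!in_array($scheme, $allowed, true)) {
        throw new InvalidArgumentException("Scheme not allowed: {$scheme}");
    }

    // Protocols permitted for the initial request.
    $protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS;
    if ($allowFtp) {
        $protocols |= CURLPROTO_FTP;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        // Point 1: cap the redirect chain instead of relying on the default.
        CURLOPT_MAXREDIRS       => 5,
        // Point 2: a redirect can no longer switch to LDAP, file://, etc.
        CURLOPT_PROTOCOLS       => $protocols,
        // Assumption: redirects are limited to HTTP(S) even for FTP fetches.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    return $ch;
}

// Constructed sample URLs: only the first passes the scheme check.
$samples = ['https://example.com/logo.png', 'file:///etc/passwd', 'ldap://example.com/'];
foreach ($samples as $url) {
    try {
        $ch = hardened_curl_init($url);
        curl_close($ch);
        echo "accepted: {$url}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$url} ({$e->getMessage()})\n";
    }
}
```

The scheme check only covers the URL the caller passes in; the `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` masks are what constrain the redirect targets a remote server chooses.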