add security on scheme of css and image paths

spipu · Dec 16, 2021 · 2e6bab9 · textrixx · Dec 30, 2021 · 2e6bab9
1 parent 100a4d5
commit 2e6bab9
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [5.2.4](https://github.com/spipu/html2pdf/compare/v5.2.3...master) - unreleased
 
   * revert fix multibyte aware substr when setting newline position - it causes pbs on some specific cases
-  * add security on scheme of css and image paths 
+  * add security on scheme of css and image paths - thanks to Clément Amic and Antoine Gicquel from [Synacktiv](https://www.synacktiv.com/)
 
 ## [5.2.3](https://github.com/spipu/html2pdf/compare/v5.2.2...v5.2.3) - 2021-10-19
 

diff --git a/src/Parsing/Css.php b/src/Parsing/Css.php
@@ -43,7 +43,7 @@ class Css
     public $cssKeys      = array(); // css key, for the execution order
     public $table        = array(); // level history
 
-    protected $unauthorizedSchemes = ['php://', 'zlib://', 'data://', 'glob://', 'phar://'];
+    protected $authorizedSchemes = ['file', 'http', 'https'];
 
     /**
      * Constructor
@@ -1763,10 +1763,9 @@ private function removeStyleTag(array $match)
     public function checkValidPath($path)
     {
         $path = trim(strtolower($path));
-        foreach ($this->unauthorizedSchemes as $unauthorizedScheme) {
-            if (substr($path, 0, strlen($unauthorizedScheme)) === $unauthorizedScheme) {
-                throw new HtmlParsingException('Unauthorized path scheme');
-            }
+        $scheme = parse_url($path, PHP_URL_SCHEME);
+        if ($scheme !== null && !in_array($scheme, $this->authorizedSchemes)) {
+            throw new HtmlParsingException('Unauthorized path scheme');
         }
     }
 }