Merge pull request #780 from tecnickcom/imgpath

nicolaasuni · web-flow · commit 79bfbb448ad6 · 2025-01-26T13:44:35.000Z
Forbid access to parent folders in SVG images path.
diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT
@@ -1,3 +1,6 @@
+6.8.1 (2025-01-26)
+	- Check relative paths on SVG images.
+
 6.8.0 (2024-12-23)
 	- Requires PHP 7.1+ and curl extension.
 	- Escape error message.
diff --git a/LICENSE.TXT b/LICENSE.TXT
@@ -7,7 +7,7 @@
   published by the Free Software Foundation, either version 3 of the
   License, or (at your option) any later version.
   
-  2002-2024 Nicola Asuni - Tecnick.com LTD
+  2002-2025 Nicola Asuni - Tecnick.com LTD
 
 **********************************************************************
 **********************************************************************
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 
 * **category**    Library
 * **author**      Nicola Asuni <info@tecnick.com>
-* **copyright**   2002-2024 Nicola Asuni - Tecnick.com LTD
+* **copyright**   2002-2025 Nicola Asuni - Tecnick.com LTD
 * **license**     http://www.gnu.org/copyleft/lesser.html GNU-LGPL v3 (see LICENSE.TXT)
 * **link**        http://www.tcpdf.org
 * **source**      https://github.com/tecnickcom/TCPDF
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-6.8.0
+6.8.1
diff --git a/composer.json b/composer.json
@@ -12,7 +12,7 @@
         "barcodes"
     ],
     "homepage": "http://www.tcpdf.org/",
-    "version": "6.8.0",
+    "version": "6.8.1",
     "license": "LGPL-3.0-or-later",
     "authors": [
         {
diff --git a/include/tcpdf_fonts.php b/include/tcpdf_fonts.php
@@ -7,7 +7,7 @@
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
 // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
 // -------------------------------------------------------------------
-// Copyright (C) 2008-2024 Nicola Asuni - Tecnick.com LTD
+// Copyright (C) 2008-2025 Nicola Asuni - Tecnick.com LTD
 //
 // This file is part of TCPDF software library.
 //
diff --git a/include/tcpdf_static.php b/include/tcpdf_static.php
@@ -7,7 +7,7 @@
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
 // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
 // -------------------------------------------------------------------
-// Copyright (C) 2002-2024 Nicola Asuni - Tecnick.com LTD
+// Copyright (C) 2002-2025 Nicola Asuni - Tecnick.com LTD
 //
 // This file is part of TCPDF software library.
 //
@@ -55,7 +55,7 @@ class TCPDF_STATIC {
 	 * Current TCPDF version.
 	 * @private static
 	 */
-	private static $tcpdf_version = '6.8.0';
+	private static $tcpdf_version = '6.8.1';
 
 	/**
 	 * String alias for total number of pages.
diff --git a/tcpdf.php b/tcpdf.php
@@ -1,13 +1,13 @@
 <?php
 //============================================================+
 // File name   : tcpdf.php
-// Version     : 6.8.0
+// Version     : 6.8.1
 // Begin       : 2002-08-03
 // Last Update : 2024-12-23
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
 // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
 // -------------------------------------------------------------------
-// Copyright (C) 2002-2024 Nicola Asuni - Tecnick.com LTD
+// Copyright (C) 2002-2025 Nicola Asuni - Tecnick.com LTD
 //
 // This file is part of TCPDF software library.
 //
@@ -104,7 +104,7 @@
  * Tools to encode your unicode fonts are on fonts/utils directory.</p>
  * @package com.tecnick.tcpdf
  * @author Nicola Asuni
- * @version 6.8.0
+ * @version 6.8.1
  */
 
 // TCPDF configuration
@@ -128,7 +128,7 @@
  * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
  * @package com.tecnick.tcpdf
  * @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.8.0
+ * @version 6.8.1
  * @author Nicola Asuni - info@tecnick.com
  * @IgnoreAnnotation("protected")
  * @IgnoreAnnotation("public")
@@ -24467,6 +24467,10 @@ protected function startSVGElementHandler($parser, $name, $attribs, $ctm=array()
 						$img = '@'.base64_decode(substr($img, strlen($m[0])));
 					} else {
 						// fix image path
+						if (strpos($img, '../') !== false) {
+							// accessing parent folders is not allowed
+							break;
+						}
 						if (!TCPDF_STATIC::empty_string($this->svgdir) AND (($img[0] == '.') OR (basename($img) == $img))) {
 							// replace relative path with full server path
 							$img = $this->svgdir.'/'.$img;

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`"barcodes"`
`13`	`13`	`],`
`14`	`14`	`"homepage": "http://www.tcpdf.org/",`
`15`		`- "version": "6.8.0",`
	`15`	`+ "version": "6.8.1",`
`16`	`16`	`"license": "LGPL-3.0-or-later",`
`17`	`17`	`"authors": [`
`18`	`18`	`{`