Lan2Play / eventula-manager

Event Manager App for Eventula
https://www.eventula.com
GNU General Public License v3.0

Update dependency dompdf/dompdf to v2.0.4 [SECURITY] (master) #709

Open renovate[bot] opened 6 months ago

renovate[bot] commented 6 months ago
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| dompdf/dompdf | `2.0.3` -> `2.0.4` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-50262

Summary

When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, a recursive chain using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.

Details

php-svg-lib, when run in isolation, does not support SVG references for image elements. An SVG document can, however, be referenced and Dompdf will run that reference through the same validation. Dompdf currently includes validation to prevent self-referential image references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion in the validation process by chaining references between two or more SVG images.

PoC

The following sources can be used to bypass the validation provided by Dompdf:

recurse.html

```html
<img src="one.svg">
```

one.svg

```xml
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <image href="two.svg" />
</svg>
```

two.svg

```xml
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <image href="one.svg" />
</svg>
```

Impact

When Dompdf parses the above payload, it will crash after exceeding the allowed execution time or memory usage. An attacker sending multiple requests to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming requests.
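The advisory's point is that a self-reference check is not a cycle check. The following added example (written for this page, not dompdf's or php-svg-lib's code) models both validators over the PoC's one.svg/two.svg pair: the self-reference-only check passes both files, while a chain-aware check that tracks the documents currently on the reference path refuses the loop before any recursion happens. The document store, file names and the `image_refs` helper are constructed assumptions.

```python
"""Self-reference check vs. chain-aware cycle check for SVG <image> references."""
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_NS = "{http://www.w3.org/1999/xlink}"

# Constructed stand-in for the files on disk; one.svg/two.svg mirror the PoC.
DOCS = {
    "one.svg": '<svg xmlns="http://www.w3.org/2000/svg"><image href="two.svg" /></svg>',
    "two.svg": '<svg xmlns="http://www.w3.org/2000/svg"><image href="one.svg" /></svg>',
    "self.svg": '<svg xmlns="http://www.w3.org/2000/svg"><image href="self.svg" /></svg>',
    "leaf.svg": '<svg xmlns="http://www.w3.org/2000/svg"><image href="photo.png" /></svg>',
}


def image_refs(name):
    """Return the href target of every <image> element in document `name`."""
    root = ET.fromstring(DOCS[name])
    refs = []
    for img in root.iter(SVG_NS + "image"):
        href = img.get("href") or img.get(XLINK_NS + "href")  # SVG 2 or xlink form
        if href:
            refs.append(href)
    return refs


def self_reference_only(name):
    """Pre-2.0.4 style check: reject only a document that references itself.

    This is exactly what the PoC bypasses: one.svg never names one.svg."""
    return all(ref != name for ref in image_refs(name))


def chain_safe(name, on_path=None):
    """Chain-aware check: follow every SVG reference depth-first and refuse a
    document that is already on the current reference path (a cycle).

    Using the *path* rather than a global visited set keeps legitimate
    diamonds (a -> b -> d, a -> c -> d) valid while still catching loops."""
    on_path = set() if on_path is None else on_path
    if name in on_path:
        return False  # cycle detected before any further parsing
    on_path.add(name)
    try:
        for ref in image_refs(name):
            # Only SVG targets that actually exist are parsed recursively;
            # rasters and missing files cannot extend the chain.
            if ref.endswith(".svg") and ref in DOCS and not chain_safe(ref, on_path):
                return False
    finally:
        on_path.discard(name)
    return True
```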


Release Notes

dompdf/dompdf (dompdf/dompdf)

### [`v2.0.4`](https://togithub.com/dompdf/dompdf/releases/tag/v2.0.4): Dompdf 2.0.4

[Compare Source](https://togithub.com/dompdf/dompdf/compare/v2.0.3...v2.0.4)

**Change highlights since 2.0.3**

This release addresses the following announced vulnerability:

| Vulnerability | References | Type | Severity |
| --- | --- | --- | --- |
| Possible DoS caused by infinite recursion when validating SVG images | [GHSA-3qx2-6f78-w2j2][GHSA-3qx2-6f78-w2j2] | Resource Exhaustion | Moderate |

[GHSA-3qx2-6f78-w2j2]: https://togithub.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2

**2.0.x highlights**

- Modifies callback and page_script/page_text handling
- Switches the HTML5 parser to Masterminds/HTML5
- Improves CSS property parsing and representation
- Switches installed fonts and font metrics cache file format to JSON

View all changes since the previous release in the [commit history](https://togithub.com/dompdf/dompdf/compare/v2.0.3...v2.0.4).

We would like to extend our gratitude to the [community members](https://togithub.com/dompdf/dompdf/graphs/contributors) who helped make this release possible.

**Requirements**

Dompdf 2.0.4 requires the following:

- PHP 7.1 or greater
- html5-php v2.0.0 or greater
- php-font-lib v0.5.4 or greater
- php-svg-lib v0.3.3 or greater

Note that some dependencies may have further dependencies (notably php-svg-lib requires sabberworm/php-css-parser).

Additionally, the following are recommended for optimal use:

- GD (for image processing)
- `allow_url_fopen` set to true or the curl PHP extension (for retrieving stylesheets, images, etc via http)

For full requirements and recommendations see the [requirements page on the wiki](https://togithub.com/dompdf/dompdf/wiki/Requirements).

**Download Instructions**

The dompdf team recommends that you use Composer for easier dependency management. If you're not yet using Composer you can download a packaged release of dompdf which includes all the files you need to use the library. Click the link labeled "dompdf\_2-0-4.zip" for the packaged release. The download options labeled "Source code" are auto-generated by github and do not include all the dependencies.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.