tecnickcom / TCPDF

Official clone of PHP library to generate PDF documents and barcodes
https://tcpdf.org

Allow phar urls usage in file_exists method to fix font loading from phar app #438

Closed petitj closed 2 years ago

petitj commented 3 years ago

As referenced in issue #371, TCPDF breaks inside a phar because the internal file_exists method disallows anything except the local, http and https protocols. Whenever TCPDF tries to load a font, it then fails with the message "Could not include font definition file: helvetica". This PR solves the problem by adding the phar protocol (phar://) to the list.

CLAassistant commented 3 years ago

CLA assistant check
All committers have signed the CLA.

nicolaasuni commented 2 years ago

Unfortunately this change appears to introduce a security issue related to the phar file format. A better implementation should be introduced in tc-lib-file and https://github.com/tecnickcom/tc-lib-pdf.

petitj commented 2 years ago

Hi and thanks for the review. I'm curious to know what security issue is introduced by the use of the phar protocol, as I cannot see off the top of my head how it can be worse than http. Do you have any details or pointers?
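
Added example, not part of the thread and not TCPDF's own code: one way a stream-wrapper allowlist could admit phar:// only for the archive the application itself runs from, so that fonts bundled in the phar load while phar:// paths pointing at any other file are still refused. The function name `is_allowed_path`, its `$runningPhar` parameter and the sample paths are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not TCPDF's file_exists implementation.

/**
 * Return true only when the path uses an acceptable stream wrapper:
 * a plain local path, an http(s) URL, or a phar:// path located inside
 * the archive the application is currently running from.
 */
function is_allowed_path(string $filename, ?string $runningPhar = null): bool
{
    // Phar::running(true) yields "phar:///path/app.phar", or "" outside a phar.
    $runningPhar = $runningPhar ?? Phar::running(true);

    // No scheme separator: treat as a local filesystem path.
    if (strpos($filename, '://') === false) {
        return true;
    }

    // Wrapper names are compared in lower case.
    $scheme = strtolower((string) strstr($filename, '://', true));
    if ($scheme === 'http' || $scheme === 'https') {
        return true;
    }

    if ($scheme === 'phar' && $runningPhar !== '') {
        // Require the running archive as an exact prefix and refuse ".."
        // in the part of the path that lies inside the archive.
        $prefix = $runningPhar . '/';
        $inner  = substr($filename, strlen($runningPhar));
        return strncmp($filename, $prefix, strlen($prefix)) === 0
            && strpos($inner, '..') === false;
    }

    // Every other wrapper, and any phar archive other than the running one.
    return false;
}

// Constructed sample inputs; /opt/app/app.phar is a made-up archive path.
$running = 'phar:///opt/app/app.phar';
foreach ([
    'fonts/helvetica.php',
    'https://example.com/logo.png',
    'phar:///opt/app/app.phar/vendor/tecnickcom/tcpdf/fonts/helvetica.php',
    'phar:///var/www/uploads/avatar.jpg/x',
    'php://filter/resource=fonts/helvetica.php',
] as $path) {
    printf("%-72s %s\n", $path, is_allowed_path($path, $running) ? 'allow' : 'deny');
}
```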