tecnickcom / TCPDF

Official clone of PHP library to generate PDF documents and barcodes
https://tcpdf.org

Possible Path Manipulation vulnerability #502

Closed enferas closed 2 years ago

enferas commented 2 years ago

Hello.

I would like to report a possible Path Manipulation vulnerability.

The source is in this file https://github.com/tecnickcom/TCPDF/blob/main/include/tcpdf_static.php, line 1957:

$host = $protocol.'://'.$_SERVER['HTTP_HOST'];

and the sink is in line 1979:

$ret = @file_get_contents($path);

williamdes commented 2 years ago

Hi,

How do you trigger this vulnerability?

enferas commented 2 years ago

Hello,

Thank you for your response.

After some deeper checking, I realized I had made a mistake: there is no vulnerability.

In this line

$tmp = str_replace($host, $_SERVER['DOCUMENT_ROOT'], $url);

$host is the search word, not the replacement word.

I am going to close the issue.
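To make the search-versus-replacement point concrete, here is an added example that is not TCPDF's code: it reconstructs only the pattern visible in the three lines quoted in this issue (build $host from HTTP_HOST, rewrite a matching URL prefix to DOCUMENT_ROOT, read the result), and adds the containment check a reviewer would want next to any file_get_contents on such a path. The function names urlToLocalPath and isUnderRoot, the `strpos(...) === 0` prefix guard, and all sample values are assumptions.

```php
<?php
// Added example, not TCPDF's code. Models the rewrite pattern quoted in the
// issue: $host is the *search* argument of str_replace, so a tainted HTTP_HOST
// can only decide whether the prefix is stripped, never what is written in
// its place (the replacement is the server-controlled DOCUMENT_ROOT).
function urlToLocalPath(string $url, string $httpHost, string $documentRoot, bool $https = false): ?string
{
    $protocol = $https ? 'https' : 'http';
    $host = $protocol . '://' . $httpHost;   // attacker-influenced value (HTTP_HOST)

    // Assumed guard: only rewrite URLs that actually start with this host.
    if (strpos($url, $host) !== 0) {
        return null;                          // not our host: nothing is rewritten
    }

    // Argument order matters: search = $host, replace = DOCUMENT_ROOT.
    return str_replace($host, $documentRoot, $url);
}

// Defensive containment check for any path that is about to be read from disk:
// the canonical path must still live under the canonical document root.
// realpath() returns false for non-existent files, so this deliberately
// fails closed for paths that do not resolve.
function isUnderRoot(string $path, string $documentRoot): bool
{
    $real = realpath($path);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        return false;
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($real, $rootPrefix) === 0;
}

// Constructed sample values (not from the project).
$root = '/var/www/html';

// Benign host: the URL prefix is replaced by DOCUMENT_ROOT.
var_dump(urlToLocalPath('http://example.test/images/logo.png', 'example.test', $root));

// Crafted HTTP_HOST: it only changes the search string. Since the URL does not
// start with 'http://../../etc', no rewrite happens and nothing tainted reaches
// the path.
var_dump(urlToLocalPath('http://example.test/images/logo.png', '../../etc', $root));

// Before reading, confirm the resolved path is still inside the document root.
$candidate = urlToLocalPath('http://example.test/images/logo.png', 'example.test', $root);
if ($candidate !== null && isUnderRoot($candidate, $root)) {
    $ret = @file_get_contents($candidate);
}
```

The first call returns the document-root path for the image; the second returns null because the crafted host value is never found as a prefix of the URL, which is exactly why a tainted search argument cannot steer the output path. The isUnderRoot check is the caveat worth keeping regardless of that argument: whatever produced the candidate path, a read from disk should be preceded by a canonical-path containment test rather than a string-prefix comparison alone.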