vikrambalye / dompdf

Automatically exported from code.google.com/p/dompdf

sanitize... #279

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. try
http://[server]/dompdf/dompdf.php?base_path=&options[Attachment]=0&input_file=dompdf.php
2.  ...
3. profit!

What is the expected output? What do you see instead?

Does exactly what's expected, but it is wrong.
It returns the source of any code. This is a very serious security issue.
As any experienced coder can tell, this was a common mistake years ago, until
PHP coders realized that it is pretty stupid to allow user input without
sanitizing the string.

Original issue reported on code.google.com by alex....@gmail.com on 11 May 2011 at 2:33

GoogleCodeExporter commented 9 years ago
I don't see anything to profit from in your sample. There's nothing in the 
dompdf code that can't be seen publicly already (except *maybe* some info in 
dompdf_config.inc.php). Yes, in 0.5.1 there are some serious security problems, 
but we are working to improve the hardening of DOMPDF as a whole. In 0.5.2+ we 
have already provided the ability for users to restrict the directory from 
which files can be pulled for rendering (see DOMPDF_CHROOT).

Additionally, while we are working on making dompdf.php more secure we're 
leaning towards recommending that users not expose it publicly. Once 0.6.0 
final is released we will complete the documentation, including information 
regarding security considerations.

If you have any suggestions for how to further improve security we'd be happy 
to hear them.

Original comment by eclecticgeek on 11 May 2011 at 4:20
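An added example, not dompdf's own code, of the kind of directory restriction the comment above describes for DOMPDF_CHROOT: a user-supplied `input_file` value is resolved to its canonical path and accepted only if it lies inside an allowed base directory. The function name and the demo directory are assumptions for illustration.

```php
<?php
// Added example (not dompdf's code): chroot-style validation of a user path.
// Returns the canonical file path if it is inside $chroot, otherwise null.
function resolve_within_chroot(string $chroot, string $userPath): ?string
{
    // Canonicalise the allowed base directory first; refuse if it is missing.
    $base = realpath($chroot);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Relative input is anchored to the chroot, never to the web server's CWD.
    $candidate = $userPath;
    if ($candidate === '' || $candidate[0] !== DIRECTORY_SEPARATOR) {
        $candidate = $base . $candidate;
    }

    // realpath() collapses "..", "." and symlinks, so the check below compares
    // the real location on disk, not the string the client sent.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null; // nonexistent path, directory, or unreadable file
    }

    // Prefix check including the trailing separator, so a sibling directory
    // whose name merely starts with the chroot name does not match.
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo layout (assumed, not from the issue): one HTML file in a
// temporary chroot directory.
$chroot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dompdf_chroot_demo';
@mkdir($chroot);
file_put_contents($chroot . DIRECTORY_SEPARATOR . 'page.html', '<p>hi</p>');

foreach (['page.html', '../../etc/passwd', '/etc/passwd', 'dompdf.php'] as $p) {
    $r = resolve_within_chroot($chroot, $p);
    echo str_pad($p, 20), ' => ', $r === null ? 'rejected' : $r, PHP_EOL;
}
```

Only `page.html` resolves; the traversal, absolute and nonexistent inputs are all rejected before any file is read.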

GoogleCodeExporter commented 9 years ago

Original comment by eclecticgeek on 30 May 2013 at 5:15