Merge remote-tracking branch 'upstream/main' into main

Author: kristof-ringleff

.github/workflows/tests.yml

@@ -22,16 +22,16 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                php-version: ["7.1", "7.2", "7.3", "7.4", "8.0", "8.1", "8.2"]
+                php-version: ["7.1", "7.2", "7.3", "7.4", "8.0", "8.1", "8.2", "8.3"]
                 os: [ubuntu-latest]
                 experimental: [false]
                 php-extensions: ["bcmath, curl, imagick, gd"]
                 coverage-extension: ["none"]
                 # Add more specific tests
                 include:
-                 #- { php-version: '8.2', experimental: false, os: macos-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'none' }
-                  - { php-version: '8.3', experimental: false, os: windows-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'none' }
-                  - { php-version: '8.3', experimental: false, os: ubuntu-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'pcov' }
+                  #- { php-version: '8.2', experimental: false, os: macos-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'none' }
+                  - { php-version: '8.2', experimental: false, os: windows-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'none' }
+                  - { php-version: '8.4', experimental: true, os: ubuntu-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'pcov' }
                   - { php-version: 'nightly', experimental: true, os: ubuntu-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'pcov' }
         env:
             PDFINFO_BINARY: ${{ (matrix.os == 'ubuntu-latest') && '/usr/bin/pdfinfo' || ((matrix.os == 'macos-latest') && '/usr/local/bin/pdfinfo' || 'C:\ProgramData\Chocolatey\bin\pdfinfo.exe') }}
@@ -113,4 +113,4 @@ jobs:
             - name: Install phpstan
               run: composer require --dev phpstan/phpstan
             - name: Analyse files
-              run: ./vendor/bin/phpstan --memory-limit=6G
+              run: ./vendor/bin/phpstan --memory-limit=6G

CHANGELOG.TXT

@@ -1,3 +1,11 @@
+6.9.0 (2025-04-03)
+	- Fixed Path Traversal security vulnerability reported by Positive Technologies.
+
+6.9.0 (2025-03-30)
+	- Added PHP 8.4 testing.
+	- Removed tcpdf_import.php and tcpdf_parser.php files (for a parser check the tc-lib-pdf-parser project instead).
+	- Fix composer.json.
+
 6.8.2 (2025-01-26)
 	- Fix some annotation flags values.
 	- Remove examples from packaging.

VERSION

@@ -1 +1 @@
-6.8.2
+6.9.1

composer.json

@@ -12,7 +12,7 @@
         "barcodes"
     ],
     "homepage": "http://www.tcpdf.org/",
-    "version": "6.8.2-p1",
+    "version": "6.9.1-p1",
     "license": "LGPL-3.0-or-later",
     "authors": [
         {
@@ -30,8 +30,6 @@
         "classmap": [
             "include",
             "tcpdf.php",
-            "tcpdf_parser.php",
-            "tcpdf_import.php",
             "tcpdf_barcodes_1d.php",
             "tcpdf_barcodes_2d.php",
             "include/tcpdf_colors.php",
@@ -50,5 +48,10 @@
     },
     "conflict": {
         "fooman/pdfcore-m2": "<22.0.0"
+    },
+    "archive": {
+        "exclude": [
+            "/examples"
+        ]
     }
 }

include/tcpdf_static.php

@@ -55,7 +55,7 @@ class TCPDF_STATIC {
 	 * Current TCPDF version.
 	 * @private static
 	 */
-	private static $tcpdf_version = '6.8.2-p1';
+	private static $tcpdf_version = '6.9.1-p1';
 
 	/**
 	 * String alias for total number of pages.
@@ -2648,7 +2648,6 @@ public static function getPageMode($mode='UseNone') {
 		return $page_mode;
 	}
 
-
 } // END OF TCPDF_STATIC CLASS
 
 //============================================================+

tcpdf.php

@@ -1,9 +1,9 @@
 <?php
 //============================================================+
 // File name   : tcpdf.php
-// Version     : 6.8.2
+// Version     : 6.9.1
 // Begin       : 2002-08-03
-// Last Update : 2024-12-23
+// Last Update : 2025-04-03
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
 // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
 // -------------------------------------------------------------------
@@ -104,7 +104,7 @@
  * Tools to encode your unicode fonts are on fonts/utils directory.</p>
  * @package com.tecnick.tcpdf
  * @author Nicola Asuni
- * @version 6.8.2
+ * @version 6.9.1
  */
 
 // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@@ -115,7 +115,7 @@
  * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
  * @package com.tecnick.tcpdf
  * @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.8.2
+ * @version 6.9.1
  * @author Nicola Asuni - info@tecnick.com
  * @IgnoreAnnotation("protected")
  * @IgnoreAnnotation("public")
@@ -18922,6 +18922,17 @@ public function writeHTML($html, $ln=true, $fill=false, $reseth=false, $cell=fal
 		unset($dom);
 	}
 
+	/**
+	 * Check if the path is relative.
+	 * @param string $path path to check
+	 * @return boolean true if the path is relative
+	 * @protected
+	 * @since 6.9.1
+	 */
+	 protected function isRelativePath($path) {
+		return (strpos(str_ireplace('%2E', '.', $this->unhtmlentities($path)), '..') !== false);
+	}
+
 	/**
 	 * Process opening tags.
 	 * @param array $dom html dom array
@@ -19114,7 +19125,7 @@ protected function openHTMLTagHandler($dom, $key, $cell) {
 				} else if (preg_match('@^data:image/([^;]*);base64,(.*)@', $imgsrc, $reg)) {
 					$imgsrc = '@'.base64_decode($reg[2]);
 					$type = $reg[1];
-				} elseif (strpos($imgsrc, '../') !== false) {
+				} elseif ($this->isRelativePath($imgsrc)) {
 					// accessing parent folders is not allowed
 					break;
 				} elseif ( $this->allowLocalFiles && substr($imgsrc, 0, 7) === 'file://') {
@@ -24523,7 +24534,7 @@ protected function startSVGElementHandler($parser, $name, $attribs, $ctm=array()
 						$img = '@'.base64_decode(substr($img, strlen($m[0])));
 					} else {
 						// fix image path
-						if (strpos($img, '../') !== false) {
+						if ($this->isRelativePath($img)) {
 							// accessing parent folders is not allowed
 							break;
 						}