Add basic protection against PHAR deserialization

bsweeney · bsweeney · commit 8a8a1ebcf6ae · 2023-12-11T15:56:08.000-05:00
This also includes an option to disable external file references. This applies to images and fonts. External file references are allowed by default, but future version will disallow by default.
diff --git a/src/Svg/Document.php b/src/Svg/Document.php
@@ -53,6 +53,8 @@ class Document extends AbstractTag
     /** @var \Sabberworm\CSS\CSSList\Document[] */
     protected $styleSheets = array();
 
+    public $allowExternalReferences = true;
+
     public function loadFile($filename)
     {
         $this->filename = $filename;
diff --git a/src/Svg/Style.php b/src/Svg/Style.php
@@ -139,6 +139,16 @@ public function fromStyleSheets(AbstractTag $tag, $attributes) {
                         break;
                     }
                 }
+
+                if (
+                    \array_key_exists("font-family", $styles)
+                    && (
+                        \strtolower(\substr($this->href, 0, 7)) === "phar://"
+                        || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
+                    )
+                ) {
+                    unset($style["font-family"]);
+                }
             }
         }
 
diff --git a/src/Svg/Tag/Image.php b/src/Svg/Tag/Image.php
@@ -58,6 +58,10 @@ public function start($attributes)
 
         $this->document->getSurface()->transform(1, 0, 0, -1, 0, $height);
 
+        if (\strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5) !== "data:"))) {
+            return;
+        }
+
         $this->document->getSurface()->drawImage($this->href, $this->x, $this->y, $this->width, $this->height);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,8 @@ class Document extends AbstractTag`
`53`	`53`	`/** @var \Sabberworm\CSS\CSSList\Document[] */`
`54`	`54`	`protected $styleSheets = array();`
`55`	`55`
	`56`	`+ public $allowExternalReferences = true;`
	`57`	`+`
`56`	`58`	`public function loadFile($filename)`
`57`	`59`	`{`
`58`	`60`	`$this->filename = $filename;`
Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,16 @@ public function fromStyleSheets(AbstractTag $tag, $attributes) {`
`139`	`139`	`break;`
`140`	`140`	`}`
`141`	`141`	`}`
	`142`	`+`
	`143`	`+ if (`
	`144`	`+ \array_key_exists("font-family", $styles)`
	`145`	`+ && (`
	`146`	`+ \strtolower(\substr($this->href, 0, 7)) === "phar://"`
	`147`	`+ \|\| ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")`
	`148`	`+ )`
	`149`	`+ ) {`
	`150`	`+ unset($style["font-family"]);`
	`151`	`+ }`
`142`	`152`	`}`
`143`	`153`	`}`
`144`	`154`
Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,10 @@ public function start($attributes)`
`58`	`58`
`59`	`59`	`$this->document->getSurface()->transform(1, 0, 0, -1, 0, $height);`
`60`	`60`
	`61`	`+ if (\strtolower(\substr($this->href, 0, 7)) === "phar://" \|\| ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5) !== "data:"))) {`
	`62`	`+ return;`
	`63`	`+ }`
	`64`	`+`
`61`	`65`	`$this->document->getSurface()->drawImage($this->href, $this->x, $this->y, $this->width, $this->height);`
`62`	`66`	`}`
`63`	`67`