
6.0.093 (2014-09-02)

- Security fix: some serialize/unserialize methods were replaced with json_encode/json_decode to avoid a potential object injection with user supplied content. Thanks to ownCloud Inc. for reporting this issue.
- K_TIMEZONE constant was added to the default configuration to suppress date-time warnings.
nicolaasuni 2014-09-02 20:31:33 +01:00
parent 8debbff6b4
commit 8ec040b3cc
7 changed files with 79 additions and 41 deletions


@ -1,3 +1,7 @@
6.0.093 (2014-09-02)
- Security fix: some serialize/unserialize methods were replaced with json_encode/json_decode to avoid a potential object injection with user supplied content. Thanks to ownCloud Inc. for reporting this issue.
- K_TIMEZONE constant was added to the default configuration to supress date-time warnings.
6.0.092 (2014-09-01) 6.0.092 (2014-09-01)
- Bug item #956 "Monospaced fonts are not alignd at the baseline" was fixed. - Bug item #956 "Monospaced fonts are not alignd at the baseline" was fixed.
- Bug item #964 "Problem when changing font size" was fixed. - Bug item #964 "Problem when changing font size" was fixed.


@ -8,8 +8,8 @@ http://sourceforge.net/donate/index.php?group_id=128076
------------------------------------------------------------ ------------------------------------------------------------
Name: TCPDF Name: TCPDF
Version: 6.0.092 Version: 6.0.093
Release date: 2014-09-01 Release date: 2014-09-02
Author: Nicola Asuni Author: Nicola Asuni
Copyright (c) 2002-2014: Copyright (c) 2002-2014:


@ -1,6 +1,6 @@
{ {
"name": "tecnick.com/tcpdf", "name": "tecnick.com/tcpdf",
"version": "6.0.092", "version": "6.0.093",
"homepage": "http://www.tcpdf.org/", "homepage": "http://www.tcpdf.org/",
"type": "library", "type": "library",
"description": "TCPDF is a PHP class for generating PDF documents and barcodes.", "description": "TCPDF is a PHP class for generating PDF documents and barcodes.",


@ -2,7 +2,7 @@
//============================================================+ //============================================================+
// File name : tcpdf_config.php // File name : tcpdf_config.php
// Begin : 2004-06-11 // Begin : 2004-06-11
// Last Update : 2014-01-25 // Last Update : 2014-09-02
// //
// Description : Configuration file for TCPDF. // Description : Configuration file for TCPDF.
// Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com // Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
@ -217,6 +217,11 @@ define('K_TCPDF_CALLS_IN_HTML', true);
*/ */
define('K_TCPDF_THROW_EXCEPTION_ERROR', false); define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
/**
* Default timezone for datetime functions
*/
define('K_TIMEZONE', 'UTC');
//============================================================+ //============================================================+
// END OF FILE // END OF FILE
//============================================================+ //============================================================+


@ -1,9 +1,9 @@
<?php <?php
//============================================================+ //============================================================+
// File name : tcpdf_static.php // File name : tcpdf_static.php
// Version : 1.0.003 // Version : 1.0.004
// Begin : 2002-08-03 // Begin : 2002-08-03
// Last Update : 2014-08-08 // Last Update : 2014-09-02
// Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com // Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
// License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html) // License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
// ------------------------------------------------------------------- // -------------------------------------------------------------------
@ -38,7 +38,7 @@
* This is a PHP class that contains static methods for the TCPDF class.<br> * This is a PHP class that contains static methods for the TCPDF class.<br>
* @package com.tecnick.tcpdf * @package com.tecnick.tcpdf
* @author Nicola Asuni * @author Nicola Asuni
* @version 1.0.003 * @version 1.0.004
*/ */
/** /**
@ -46,7 +46,7 @@
* Static methods used by the TCPDF class. * Static methods used by the TCPDF class.
* @package com.tecnick.tcpdf * @package com.tecnick.tcpdf
* @brief PHP class for generating PDF documents without requiring external extensions. * @brief PHP class for generating PDF documents without requiring external extensions.
* @version 1.0.003 * @version 1.0.004
* @author Nicola Asuni - info@tecnick.com * @author Nicola Asuni - info@tecnick.com
*/ */
class TCPDF_STATIC { class TCPDF_STATIC {
@ -55,7 +55,7 @@ class TCPDF_STATIC {
* Current TCPDF version. * Current TCPDF version.
* @private static * @private static
*/ */
private static $tcpdf_version = '6.0.092'; private static $tcpdf_version = '6.0.093';
/** /**
* String alias for total number of pages. * String alias for total number of pages.
@ -2450,13 +2450,23 @@ class TCPDF_STATIC {
/** /**
* Serialize an array of parameters to be used with TCPDF tag in HTML code. * Serialize an array of parameters to be used with TCPDF tag in HTML code.
* @param $pararray (array) parameters array * @param $data (array) parameters array
* @return sting containing serialized data * @return string containing serialized data
* @since 4.9.006 (2010-04-02) * @since 4.9.006 (2010-04-02)
* @public static * @public static
*/ */
public static function serializeTCPDFtagParameters($pararray) { public static function serializeTCPDFtagParameters($data) {
return urlencode(serialize($pararray)); return urlencode(json_encode($data));
}
/**
* Unserialize parameters to be used with TCPDF tag in HTML code.
* @param $data (string) serialized data
* @return array containing unserialized data
* @public static
*/
public static function unserializeTCPDFtagParameters($data) {
return json_decode(urldecode($data), true);
} }
/** /**
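Review bot: `unserializeTCPDFtagParameters()` returns whatever `json_decode()` yields, so a malformed or non-array `params` attribute produces `null` (or a scalar), which the only visible caller in tcpdf.php then hands straight to `call_user_func_array()`; the method should normalize its result, e.g. `$params = json_decode(urldecode($data), true); return is_array($params) ? $params : array();`. The docblock should also state that the JSON encoding is not compatible with `params` values produced by the previous `serialize()`-based format, since `json_decode()` returns `null` for those as well. Nested objects now round-trip as associative arrays, which is the intent of the fix but worth stating for callers of `serializeTCPDFtagParameters()`.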


@ -1,9 +1,9 @@
<?php <?php
//============================================================+ //============================================================+
// File name : tcpdf.php // File name : tcpdf.php
// Version : 6.0.092 // Version : 6.0.093
// Begin : 2002-08-03 // Begin : 2002-08-03
// Last Update : 2014-09-01 // Last Update : 2014-09-02
// Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com // Author : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
// License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html) // License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
// ------------------------------------------------------------------- // -------------------------------------------------------------------
@ -104,7 +104,7 @@
* Tools to encode your unicode fonts are on fonts/utils directory.</p> * Tools to encode your unicode fonts are on fonts/utils directory.</p>
* @package com.tecnick.tcpdf * @package com.tecnick.tcpdf
* @author Nicola Asuni * @author Nicola Asuni
* @version 6.0.092 * @version 6.0.093
*/ */
// TCPDF configuration // TCPDF configuration
@ -128,7 +128,7 @@ require_once(dirname(__FILE__).'/include/tcpdf_static.php');
* TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br> * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
* @package com.tecnick.tcpdf * @package com.tecnick.tcpdf
* @brief PHP class for generating PDF documents without requiring external extensions. * @brief PHP class for generating PDF documents without requiring external extensions.
* @version 6.0.092 * @version 6.0.093
* @author Nicola Asuni - info@tecnick.com * @author Nicola Asuni - info@tecnick.com
*/ */
class TCPDF { class TCPDF {
@ -1848,6 +1848,9 @@ class TCPDF {
$this->internal_encoding = mb_internal_encoding(); $this->internal_encoding = mb_internal_encoding();
mb_internal_encoding('ASCII'); mb_internal_encoding('ASCII');
} }
// set file ID for trailer
$serformat = (is_array($format) ? json_encode($format) : $format);
$this->file_id = md5(TCPDF_STATIC::getRandomSeed('TCPDF'.$orientation.$unit.$serformat.$encoding));
$this->font_obj_ids = array(); $this->font_obj_ids = array();
$this->page_obj_id = array(); $this->page_obj_id = array();
$this->form_obj_id = array(); $this->form_obj_id = array();
@ -1982,9 +1985,6 @@ class TCPDF {
$this->setSpacesRE('/[^\S\xa0]/'); $this->setSpacesRE('/[^\S\xa0]/');
} }
$this->default_form_prop = array('lineWidth'=>1, 'borderStyle'=>'solid', 'fillColor'=>array(255, 255, 255), 'strokeColor'=>array(128, 128, 128)); $this->default_form_prop = array('lineWidth'=>1, 'borderStyle'=>'solid', 'fillColor'=>array(255, 255, 255), 'strokeColor'=>array(128, 128, 128));
// set file ID for trailer
$serformat = (is_array($format) ? serialize($format) : $format);
$this->file_id = md5(TCPDF_STATIC::getRandomSeed('TCPDF'.$orientation.$unit.$serformat.$encoding));
// set document creation and modification timestamp // set document creation and modification timestamp
$this->doc_creation_timestamp = time(); $this->doc_creation_timestamp = time();
$this->doc_modification_timestamp = $this->doc_creation_timestamp; $this->doc_modification_timestamp = $this->doc_creation_timestamp;
@ -16372,7 +16372,7 @@ class TCPDF {
$matches = array(); $matches = array();
if (preg_match_all('/<cssarray>([^\<]*)<\/cssarray>/isU', $html, $matches) > 0) { if (preg_match_all('/<cssarray>([^\<]*)<\/cssarray>/isU', $html, $matches) > 0) {
if (isset($matches[1][0])) { if (isset($matches[1][0])) {
$css = array_merge($css, unserialize($this->unhtmlentities($matches[1][0]))); $css = array_merge($css, json_decode($this->unhtmlentities($matches[1][0]), true));
} }
$html = preg_replace('/<cssarray>(.*?)<\/cssarray>/isU', '', $html); $html = preg_replace('/<cssarray>(.*?)<\/cssarray>/isU', '', $html);
} }
@ -16414,7 +16414,7 @@ class TCPDF {
} }
} }
// create a special tag to contain the CSS array (used for table content) // create a special tag to contain the CSS array (used for table content)
$csstagarray = '<cssarray>'.htmlentities(serialize($css)).'</cssarray>'; $csstagarray = '<cssarray>'.htmlentities(json_encode($css)).'</cssarray>';
// remove head and style blocks // remove head and style blocks
$html = preg_replace('/<head([^\>]*)>(.*?)<\/head>/siU', '', $html); $html = preg_replace('/<head([^\>]*)>(.*?)<\/head>/siU', '', $html);
$html = preg_replace('/<style([^\>]*)>([^\<]*)<\/style>/isU', '', $html); $html = preg_replace('/<style([^\>]*)>([^\<]*)<\/style>/isU', '', $html);
@ -19393,7 +19393,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
$tcpdf_method = $tag['attribute']['method']; $tcpdf_method = $tag['attribute']['method'];
if (method_exists($this, $tcpdf_method)) { if (method_exists($this, $tcpdf_method)) {
if (isset($tag['attribute']['params']) AND (!empty($tag['attribute']['params']))) { if (isset($tag['attribute']['params']) AND (!empty($tag['attribute']['params']))) {
$params = unserialize(urldecode($tag['attribute']['params'])); $params = TCPDF_STATIC::unserializeTCPDFtagParameters($tag['attribute']['params']);
call_user_func_array(array($this, $tcpdf_method), $params); call_user_func_array(array($this, $tcpdf_method), $params);
} else { } else {
$this->$tcpdf_method(); $this->$tcpdf_method();
@ -20766,10 +20766,11 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
* @param $filename (string) file name * @param $filename (string) file name
* @param $data (mixed) data to write on file * @param $data (mixed) data to write on file
* @param $append (boolean) if true append data, false replace. * @param $append (boolean) if true append data, false replace.
* @param $serialize (boolean) if true serialize data.
* @since 4.5.000 (2008-12-31) * @since 4.5.000 (2008-12-31)
* @protected * @protected
*/ */
protected function writeDiskCache($filename, $data, $append=false) { protected function writeDiskCache($filename, $data, $append=false, $serialize=false) {
if ($append) { if ($append) {
$fmode = 'ab+'; $fmode = 'ab+';
} else { } else {
@ -20778,10 +20779,12 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
$f = @fopen($filename, $fmode); $f = @fopen($filename, $fmode);
if (!$f) { if (!$f) {
$this->Error('Unable to write cache file: '.$filename); $this->Error('Unable to write cache file: '.$filename);
} else {
fwrite($f, $data);
fclose($f);
} }
if ($serialize) {
$data = $this->file_id.serialize($data);
}
fwrite($f, $data);
fclose($f);
// update file length (needed for transactions) // update file length (needed for transactions)
if (!isset($this->cache_file_length['_'.$filename])) { if (!isset($this->cache_file_length['_'.$filename])) {
$this->cache_file_length['_'.$filename] = strlen($data); $this->cache_file_length['_'.$filename] = strlen($data);
@ -20793,12 +20796,23 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
/** /**
* Read data from a temporary file on filesystem. * Read data from a temporary file on filesystem.
* @param $filename (string) file name * @param $filename (string) file name
* @param $unserialize (boolean) if true unserialize data.
* @return mixed retrieved data * @return mixed retrieved data
* @since 4.5.000 (2008-12-31) * @since 4.5.000 (2008-12-31)
* @protected * @protected
*/ */
protected function readDiskCache($filename) { protected function readDiskCache($filename, $unserialize=false) {
return file_get_contents($filename); $data = file_get_contents($filename);
if ($data === FALSE) {
$this->Error('Unable to read the file: '.$filename);
}
if ($unserialize) {
if (substr($data, 0, 32) != $this->file_id) {
$this->Error('Invalid cache file: '.$filename);
}
$data = unserialize(substr($data, 32));
}
return $data;
} }
/** /**
@ -20813,7 +20827,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if (!isset($this->buffer) OR TCPDF_STATIC::empty_string($this->buffer)) { if (!isset($this->buffer) OR TCPDF_STATIC::empty_string($this->buffer)) {
$this->buffer = TCPDF_STATIC::getObjFilename('buf'); $this->buffer = TCPDF_STATIC::getObjFilename('buf');
} }
$this->writeDiskCache($this->buffer, $data, true); $this->writeDiskCache($this->buffer, $data, true, false);
} else { } else {
$this->buffer .= $data; $this->buffer .= $data;
} }
@ -20831,7 +20845,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if (!isset($this->buffer) OR TCPDF_STATIC::empty_string($this->buffer)) { if (!isset($this->buffer) OR TCPDF_STATIC::empty_string($this->buffer)) {
$this->buffer = TCPDF_STATIC::getObjFilename('buf'); $this->buffer = TCPDF_STATIC::getObjFilename('buf');
} }
$this->writeDiskCache($this->buffer, $data, false); $this->writeDiskCache($this->buffer, $data, false, false);
} else { } else {
$this->buffer = $data; $this->buffer = $data;
} }
@ -20845,7 +20859,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
*/ */
protected function getBuffer() { protected function getBuffer() {
if ($this->diskcache) { if ($this->diskcache) {
return $this->readDiskCache($this->buffer); return $this->readDiskCache($this->buffer, false);
} else { } else {
return $this->buffer; return $this->buffer;
} }
@ -20864,7 +20878,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if (!isset($this->pages[$page])) { if (!isset($this->pages[$page])) {
$this->pages[$page] = TCPDF_STATIC::getObjFilename('page'); $this->pages[$page] = TCPDF_STATIC::getObjFilename('page');
} }
$this->writeDiskCache($this->pages[$page], $data, $append); $this->writeDiskCache($this->pages[$page], $data, $append, false);
} else { } else {
if ($append) { if ($append) {
$this->pages[$page] .= $data; $this->pages[$page] .= $data;
@ -20888,7 +20902,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
*/ */
protected function getPageBuffer($page) { protected function getPageBuffer($page) {
if ($this->diskcache) { if ($this->diskcache) {
return $this->readDiskCache($this->pages[$page]); return $this->readDiskCache($this->pages[$page], false);
} elseif (isset($this->pages[$page])) { } elseif (isset($this->pages[$page])) {
return $this->pages[$page]; return $this->pages[$page];
} }
@ -20913,7 +20927,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if (!isset($this->images[$image])) { if (!isset($this->images[$image])) {
$this->images[$image] = TCPDF_STATIC::getObjFilename('img'); $this->images[$image] = TCPDF_STATIC::getObjFilename('img');
} }
$this->writeDiskCache($this->images[$image], serialize($data)); $this->writeDiskCache($this->images[$image], $data, false, true);
} else { } else {
$this->images[$image] = $data; $this->images[$image] = $data;
} }
@ -20935,7 +20949,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if ($this->diskcache) { if ($this->diskcache) {
$tmpimg = $this->getImageBuffer($image); $tmpimg = $this->getImageBuffer($image);
$tmpimg[$key] = $data; $tmpimg[$key] = $data;
$this->writeDiskCache($this->images[$image], serialize($tmpimg)); $this->writeDiskCache($this->images[$image], $tmpimg, false, true);
} else { } else {
$this->images[$image][$key] = $data; $this->images[$image][$key] = $data;
} }
@ -20950,7 +20964,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
*/ */
protected function getImageBuffer($image) { protected function getImageBuffer($image) {
if ($this->diskcache AND isset($this->images[$image])) { if ($this->diskcache AND isset($this->images[$image])) {
return unserialize($this->readDiskCache($this->images[$image])); return $this->readDiskCache($this->images[$image], true);
} elseif (isset($this->images[$image])) { } elseif (isset($this->images[$image])) {
return $this->images[$image]; return $this->images[$image];
} }
@ -20969,7 +20983,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if (!isset($this->fonts[$font])) { if (!isset($this->fonts[$font])) {
$this->fonts[$font] = TCPDF_STATIC::getObjFilename('font'); $this->fonts[$font] = TCPDF_STATIC::getObjFilename('font');
} }
$this->writeDiskCache($this->fonts[$font], serialize($data)); $this->writeDiskCache($this->fonts[$font], $data, false, true);
} else { } else {
$this->fonts[$font] = $data; $this->fonts[$font] = $data;
} }
@ -20997,7 +21011,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if ($this->diskcache) { if ($this->diskcache) {
$tmpfont = $this->getFontBuffer($font); $tmpfont = $this->getFontBuffer($font);
$tmpfont[$key] = $data; $tmpfont[$key] = $data;
$this->writeDiskCache($this->fonts[$font], serialize($tmpfont)); $this->writeDiskCache($this->fonts[$font], $tmpfont, false, true);
} else { } else {
$this->fonts[$font][$key] = $data; $this->fonts[$font][$key] = $data;
} }
@ -21012,7 +21026,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
*/ */
protected function getFontBuffer($font) { protected function getFontBuffer($font) {
if ($this->diskcache AND isset($this->fonts[$font])) { if ($this->diskcache AND isset($this->fonts[$font])) {
return unserialize($this->readDiskCache($this->fonts[$font])); return $this->readDiskCache($this->fonts[$font], true);
} elseif (isset($this->fonts[$font])) { } elseif (isset($this->fonts[$font])) {
return $this->fonts[$font]; return $this->fonts[$font];
} }
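Review bot: In `readDiskCache()` the guard `substr($data, 0, 32) != $this->file_id` uses loose comparison, which for two numeric-looking strings (an md5 hex digest of the form `0e` followed only by digits qualifies) compares them as floats rather than byte-for-byte; use `!==` or `hash_equals($this->file_id, substr($data, 0, 32))`. The prefix identifies this document's cache files but is not an integrity check, so `unserialize()` on the remainder still trusts the cache file contents; a comment stating that the cache directory must not be writable by other parties would make that assumption explicit. In `writeDiskCache()` the `fwrite()`/`fclose()` calls moved out of the `else` branch, so if `$this->Error()` ever returns after a failed `fopen()` they now run on a `false` handle; if `Error()` always throws or exits this is harmless, but the dependency deserves a comment.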


@ -3,7 +3,7 @@
// File name : tcpdf_autoconfig.php // File name : tcpdf_autoconfig.php
// Version : 1.0.000 // Version : 1.0.000
// Begin : 2013-05-16 // Begin : 2013-05-16
// Last Update : 2014-01-25 // Last Update : 2014-09-02
// Authors : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com // Authors : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
// License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html) // License : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
// ------------------------------------------------------------------- // -------------------------------------------------------------------
@ -232,6 +232,11 @@ if (!defined('K_TCPDF_THROW_EXCEPTION_ERROR')) {
define('K_TCPDF_THROW_EXCEPTION_ERROR', false); define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
} }
if (!defined('K_TIMEZONE')) {
define('K_TIMEZONE', @date_default_timezone_get());
}
date_default_timezone_set(K_TIMEZONE);
//============================================================+ //============================================================+
// END OF FILE // END OF FILE
//============================================================+ //============================================================+
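Review bot: `date_default_timezone_set(K_TIMEZONE)` runs unconditionally at include time, so with the shipped tcpdf_config.php (which defines `K_TIMEZONE` as `'UTC'`) loading TCPDF silently changes the default timezone of the whole host application, and the function's `false` return for an unrecognized identifier is not checked. Consider calling it only when the value differs from the current default and checking the result, e.g. `if ((K_TIMEZONE !== date_default_timezone_get()) && !date_default_timezone_set(K_TIMEZONE)) { /* invalid K_TIMEZONE: report via TCPDF error handling */ }`, or scoping the timezone to TCPDF's own date formatting so the library has no process-wide side effect. The `@` on `date_default_timezone_get()` presumably hides the warning older PHP releases emit when no default timezone is configured; a short comment naming that reason would keep the suppression from looking accidental.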