Security: Prevents not allowed wrapper issue when loading images

See: - mpdf/mpdf#949 - https://github.com/mpdf/mpdf/pull/950/files
chamilo · Mar 2, 2022 · 640ba55 · 640ba55
1 parent ab5ce13
commit 640ba55
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/main/inc/lib/api.lib.php b/main/inc/lib/api.lib.php
@@ -10197,3 +10197,22 @@ function api_protect_webservices()
         exit;
     }
 }
+
+function api_filename_has_blacklisted_stream_wrapper(string $filename) {
+    if (strpos($filename, '://') > 0) {
+        $wrappers = stream_get_wrappers();
+        $allowedWrappers = ['http', 'https', 'file'];
+
+        foreach ($wrappers as $wrapper) {
+            if (in_array($wrapper, $allowedWrappers)) {
+                continue;
+            }
+
+            if (stripos($filename, $wrapper . '://') === 0) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
diff --git a/main/inc/lib/pdf.lib.php b/main/inc/lib/pdf.lib.php
@@ -973,11 +973,25 @@ private static function fixImagesPaths($documentHtml, array $courseInfo, $dirNam
 
         $documentPath = $courseInfo ? $sysCoursePath.$courseInfo['path'].'/document/' : '';
 
+        $notFoundImagePath = Display::return_icon(
+            'closed-circle.png',
+            get_lang('FileNotFound'),
+            [],
+            ICON_SIZE_TINY,
+            false,
+            true
+        );
+
         /** @var \DOMElement $element */
         foreach ($elements as $element) {
             $src = $element->getAttribute('src');
             $src = trim($src);
 
+            if (api_filename_has_blacklisted_stream_wrapper($src)) {
+                $element->setAttribute('src', $notFoundImagePath);
+                continue;
+            }
+
             if (strpos($src, $protocol) !== false) {
                 continue;
             }