From 406e56aa0133447d05f1670599bceee94dabec6c Mon Sep 17 00:00:00 2001
From: "Barry vd. Heuvel"
Date: Mon, 13 May 2024 15:13:02 +0200
Subject: [PATCH] Only support DomPDF 3 (#1049)

* Allow Dompdf3, add new options
* Drop support for pre 9.x
* Bump dev version
* Disable remote access by default
* Update changelog
---
 .github/workflows/run-static-analysis.yml | 2 +-
 .github/workflows/run-tests.yml | 47 ++---------------
 CHANGELOG.md | 7 +++
 composer.json | 14 ++---
 config/dompdf.php | 64 +++++++++++------------
 readme.md | 8 ++-
 6 files changed, 54 insertions(+), 88 deletions(-)

diff --git a/.github/workflows/run-static-analysis.yml b/.github/workflows/run-static-analysis.yml
index bd25c7b..b2f6796 100644
--- a/.github/workflows/run-static-analysis.yml
+++ b/.github/workflows/run-static-analysis.yml
@@ -23,7 +23,7 @@ jobs:
 fail-fast: false
 matrix:
 php: [8.1, 8.2, 8.3]
- laravel: [10.*, 11.*]
+ laravel: [9.*, 10.*, 11.*]
 dependency-version: [prefer-stable]
 exclude:
 - laravel: 11.*
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index f048c61..f9818bb 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -22,53 +22,12 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- php: [7.2, 7.3, 7.4, 8.0, 8.2]
- laravel: ['6.*', '7.*', '8.*', '11.*']
+ php: [8.1, 8.2, 8.3]
+ laravel: ['9.*', '10.*', '11.*']
 dependency-version: [prefer-lowest, prefer-stable]
- include:
- - laravel: 11.*
- php: 8.3
- dependency-version: prefer-stable
- - laravel: 11.*
- php: 8.2
- dependency-version: prefer-stable
- - laravel: 10.*
- php: 8.3
- dependency-version: prefer-stable
- - laravel: 10.*
- php: 8.2
- dependency-version: prefer-stable
- - laravel: 10.*
- php: 8.1
- dependency-version: prefer-stable
- - laravel: 9.*
- php: 8.2
- dependency-version: prefer-stable
- - laravel: 9.*
- php: 8.1
- dependency-version: prefer-stable
- - laravel: 9.*
- php: 8.0
- dependency-version: prefer-stable
 exclude:
- - laravel: 8.*
- php: 7.2
- - laravel: 6.*
- php: 8.2
- - laravel: 7.*
- php: 8.2
- - laravel: 8.*
- php: 8.2
- - php: 8.0
- dependency-version: prefer-lowest
 - laravel: 11.*
- php: 7.2
- - laravel: 11.*
- php: 7.3
- - laravel: 11.*
- php: 7.4
- - laravel: 11.*
- php: 8.0
+ php: 8.1
 name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.dependency-version }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df796b1..c651e32 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+[3.0.0]
+Version 3.x supports DomPDF version 3.x. See the changelog in https://github.com/dompdf/dompdf/releases/tag/v3.0.0
+
+The most notable change in laravel-dompdf are the changed defaults, to be more secure;
+ - `enable_remote` is now `false` by default. Change with caution.
+ - `allowedRemoteHosts` and `artifactPathValidation` are added the the config.
+Also, support for Laravel < 9 and PHP < 8.1 is dropped.
 [2.2.0]
 ## What's Changed
diff --git a/composer.json b/composer.json
index 797e657..5422d18 100644
--- a/composer.json
+++ b/composer.json
@@ -14,15 +14,15 @@
 }
 ],
 "require": {
- "php": "^7.2 || ^8.0",
- "dompdf/dompdf": "^2.0.7 || ^3.0",
- "illuminate/support": "^6|^7|^8|^9|^10|^11"
+ "php": "^8.1",
+ "dompdf/dompdf": "^3.0",
+ "illuminate/support": "^9|^10|^11"
 },
 "require-dev": {
- "orchestra/testbench": "^4|^5|^6|^7|^8|^9",
+ "orchestra/testbench": "^7|^8|^9",
 "squizlabs/php_codesniffer": "^3.5",
- "phpro/grumphp": "^1 || ^2.5",
- "larastan/larastan": "^1.0|^2.7.0"
+ "phpro/grumphp": "^2.5",
+ "larastan/larastan": "^2.7.0"
 },
 "autoload": {
 "psr-4": {
@@ -36,7 +36,7 @@
 },
 "extra": {
 "branch-alias": {
- "dev-master": "2.2-dev"
+ "dev-master": "3.0-dev"
 },
 "laravel": {
 "providers": [
diff --git a/config/dompdf.php b/config/dompdf.php
index 5278b7d..5a6df19 100644
--- a/config/dompdf.php
+++ b/config/dompdf.php
@@ -141,20 +141,6 @@
 */
 "pdf_backend" => "CPDF",
 
- /**
- * PDFlib license key
- *
- * If you are using a licensed, commercial version of PDFlib, specify
- * your license key here. If you are using PDFlib-Lite or are evaluating
- * the commercial version of PDFlib, comment out this setting.
- *
- * @link http://www.pdflib.com
- *
- * If pdflib present in web server and auto or selected explicitely above,
- * a real license code must exist!
- */
- //"DOMPDF_PDFLIB_LICENSE" => "your license key here",
-
 /**
 * html target media view which should be rendered into pdf.
 * List of types and parsing rules for future extensions:
@@ -229,24 +215,31 @@
 "dpi" => 96,
 
 /**
- * Enable inline PHP
+ * Enable embedded PHP
 *
- * If this setting is set to true then DOMPDF will automatically evaluate
- * inline PHP contained within tags.
+ * If this setting is set to true then DOMPDF will automatically evaluate embedded PHP contained
+ * within tags.
 *
- * Enabling this for documents you do not trust (e.g. arbitrary remote html
- * pages) is a security risk. Set this option to false if you wish to process
- * untrusted documents.
+ * ==== IMPORTANT ==== Enabling this for documents you do not trust (e.g. arbitrary remote html pages)
+ * is a security risk.
+ * Embedded scripts are run with the same level of system access available to dompdf.
+ * Set this option to false (recommended) if you wish to process untrusted documents.
+ * This setting may increase the risk of system exploit.
+ * Do not change this settings without understanding the consequences.
+ * Additional documentation is available on the dompdf wiki at:
+ * https://github.com/dompdf/dompdf/wiki
 *
 * @var bool
 */
 "enable_php" => false,
 
 /**
- * Enable inline Javascript
+ * Rnable inline JavaScript
 *
- * If this setting is set to true then DOMPDF will automatically insert
- * JavaScript code contained within tags.
+ * If this setting is set to true then DOMPDF will automatically insert JavaScript code contained
+ * within tags as written into the PDF.
+ * NOTE: This is PDF-based JavaScript to be executed by the PDF viewer,
+ * not browser-based JavaScript executed by Dompdf.
 *
 * @var bool
 */
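Review bot: The new heading of the JavaScript option block has a typo, `* Rnable inline JavaScript`; it should read `* Enable inline JavaScript`. In the `enable_php` block in the same hunk, `* Do not change this settings without understanding the consequences.` should be `* Do not change this setting without understanding the consequences.` (the same sentence recurs in the `enable_remote` block in the next hunk). These comments ship in the published config file and are what a user reads before deciding to turn either option on, so they are worth getting right in the 3.0 release.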
@@ -255,21 +248,24 @@
 /**
 * Enable remote file access
 *
- * If this setting is set to true, DOMPDF will access remote sites for
- * images and CSS files as required.
- * This is required for part of test case www/test/image_variants.html through www/examples.php
+ * If this setting is set to true, DOMPDF will access remote sites for
+ * images and CSS files as required.
+ *
+ * ==== IMPORTANT ====
+ * This can be a security risk, in particular in combination with isPhpEnabled and
+ * allowing remote html code to be passed to $dompdf = new DOMPDF(); $dompdf->load_html(...);
+ * This allows anonymous users to download legally doubtful internet content which on
+ * tracing back appears to being downloaded by your server, or allows malicious php code
+ * in remote html pages to be executed by your server with your account privileges.
 *
- * Attention!
- * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and
- * allowing remote access to dompdf.php or on allowing remote html code to be passed to
- * $dompdf = new DOMPDF(, $dompdf->load_html(...,
- * This allows anonymous users to download legally doubtful internet content which on
- * tracing back appears to being downloaded by your server, or allows malicious php code
- * in remote html pages to be executed by your server with your account privileges.
+ * This setting may increase the risk of system exploit. Do not change
+ * this settings without understanding the consequences. Additional
+ * documentation is available on the dompdf wiki at:
+ * https://github.com/dompdf/dompdf/wiki
 *
 * @var bool
 */
- "enable_remote" => true,
+ "enable_remote" => false,
 
 /**
 * List of allowed remote hosts
diff --git a/readme.md b/readme.md
index 89eb328..2de314d 100644
--- a/readme.md
+++ b/readme.md
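Review bot: The rewritten `enable_remote` comment still describes the risk in terms of `isPhpEnabled` and `$dompdf->load_html(...)`, neither of which matches this file: the key a few lines above is `enable_php`, and the dompdf method is `loadHtml()`. It also omits the mitigation this release introduces: when remote access is genuinely needed, the allowed remote hosts option documented directly below should be set, because with it unset every image or stylesheet URL in the HTML is fetched by the server. I would change the line to `* This can be a security risk, in particular in combination with enable_php above and` and add `* If you enable this, restrict the hosts that may be fetched with the allowed remote hosts setting below.` before the `@var bool` line.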
@@ -91,9 +91,10 @@ Available options and their defaults:
 * __dpi__: 96 _(available in config/dompdf.php)_
 * __fontHeightRatio__: 1.1 _(available in config/dompdf.php)_
 * __isPhpEnabled__: false _(available in config/dompdf.php)_
-* __isRemoteEnabled__: true _(available in config/dompdf.php)_
+* __isRemoteEnabled__: false _(available in config/dompdf.php)_
 * __isJavascriptEnabled__: true _(available in config/dompdf.php)_
-* __isHtml5ParserEnabled__: false _(available in config/dompdf.php)_
+* __isHtml5ParserEnabled__: true _(available in config/dompdf.php)_
+* __allowedRemoteHosts__: null _(available in config/dompdf.php)_
 * __isFontSubsettingEnabled__: false _(available in config/dompdf.php)_
 * __debugPng__: false
 * __debugKeepTemp__: false
@@ -107,6 +108,9 @@ Available options and their defaults:
 * __pdflibLicense__: ""
 * __adminUsername__: "user"
 * __adminPassword__: "password"
+* __artifactPathValidation__: null _(available in config/dompdf.php)_
+
+#### Note: Since 3.x the remote access is disabled by default, to provide more security. Use with caution!
 
 ### Tip: UTF-8 support
 In your templates, set the UTF-8 Metatag: