Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[12.x] Fix image support in PDF invoices #1045

Merged
merged 2 commits into from
Jan 14, 2021
Merged

[12.x] Fix image support in PDF invoices #1045

merged 2 commits into from
Jan 14, 2021

Conversation

thijskok
Copy link
Contributor

This PR fixes (local) image support when using the invoice PDF feature.

Background

With the release of Dompdf 0.8.6, a disclosure vulnerability was fixed. By doing so, a breaking change was introduced: when generating a PDF without the proper configuration, only resources within the dompdf folder itself are accessible. As a result, when using Cashier to generate a PDF invoice, the use of a local image (for example, a logo) is blocked.

Example

Consider this example:

// receipt.blade.php

...
<img src="{{ public_path('images/logo.png' }}" class="logo"/>
...

Before 0.8.6, this worked fine. As of 0.8.6, only resources in the vendor/dompdf directory are allowed, causing any file in public_path (or any other path in your Laravel app, for that matter) to be rejected.

Solution

The solution is to configure Dompdf using the new chroot setting. This PR sets the chroot to base_path. As a side effect, the version constraint for dompdf has to be set to 0.8.6 - earlier versions lack this setting.

There's no test available for handling PDF's in general, so I refrained from writing one. If this is required, I am willing to take a stab at it.

Workarounds

  • You can use a remote image instead of a local one, but that's not an option for everyone.
  • You can lock dompdf to 0.8.4 in your application, which doesn't come with the restriction (but also lacks PHP 8 support and obviously, the security fix).

@taylorotwell taylorotwell merged commit 26ed561 into laravel:12.x Jan 14, 2021
@driesvints
Copy link
Member

@thijskok shouldn't ^1.0 also be bumped to ^1.0.1?

@thijskok
Copy link
Contributor Author

@thijskok shouldn't ^1.0 also be bumped to ^1.0.1?

That's an interesting question. I didn't change anything about the 1.0 constraint. It might be safer, but then again, they did introduce a "breaking" change in a patch version (0.8.5 => 0.8.6)...

I'd bump it to be on the safe side. @taylorotwell did merge it already though (with my eternal thanks 👍 ).

@thijskok shouldn't ^1.0 also be bumped to ^1.0.1?

@driesvints
Copy link
Member

Yeah seems this security fix was also patched for 1.x in 1.0.1 so I'll bump it. Will tag these changes on Tuesday.

@thijskok
Copy link
Contributor Author

Yeah seems this security fix was also patched for 1.x in 1.0.1 so I'll bump it. Will tag these changes on Tuesday.

Awesome! Thanks @driesvints .

@thijskok thijskok deleted the fixed-chroot-restriction branch January 14, 2021 15:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thijskok @driesvints @taylorotwell