Added untrusted server fetching control

WKHTMLtoPDF provides limited control for external fetching so that will now be disabled by default unless ALLOW_UNTRUSTED_SERVER_FETCHING=true is specifically set. This new option will also control DOMPDF fetching.
2025-07-30 04:23:11 +03:00 · 2021-08-31 20:22:42 +01:00
parent 8f12c8bc99
commit bee5e2c7ca
7 changed files with 52 additions and 18 deletions
--- a/app/Config/app.php
+++ b/app/Config/app.php
@ -36,6 +36,11 @@ return [
    // Even when overridden the WYSIWYG editor may still escape script content.
    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),

+    # Allow server-side fetches to be performed to potentially unknown
+    # and user-provided locations. Primarily used in exports when loading
+    # in externally referenced assets.
+    'allow_untrusted_server_fetching' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),
+
    // Override the default behaviour for allowing crawlers to crawl the instance.
    // May be ignored if view has be overridden or modified.
    // Defaults to null since, if not set, 'app-public' status used instead.
--- a/app/Config/dompdf.php
+++ b/app/Config/dompdf.php
@ -37,7 +37,7 @@ return [
         * Times-Roman, Times-Bold, Times-BoldItalic, Times-Italic,
         * Symbol, ZapfDingbats.
         */
-        'DOMPDF_FONT_DIR' => storage_path('fonts/'),  // advised by dompdf (https://github.com/dompdf/dompdf/pull/782)
+        'font_dir' => storage_path('fonts/'),  // advised by dompdf (https://github.com/dompdf/dompdf/pull/782)

        /**
         * The location of the DOMPDF font cache directory.
@ -47,7 +47,7 @@ return [
         *
         * Note: This directory must exist and be writable by the webserver process.
         */
-        'DOMPDF_FONT_CACHE' => storage_path('fonts/'),
+        'font_cache' => storage_path('fonts/'),

        /**
         * The location of a temporary directory.
@ -56,7 +56,7 @@ return [
         * The temporary directory is required to download remote images and when
         * using the PFDLib back end.
         */
-        'DOMPDF_TEMP_DIR' => sys_get_temp_dir(),
+        'temp_dir' => sys_get_temp_dir(),

        /**
         * ==== IMPORTANT ====.
@ -70,7 +70,7 @@ return [
         * direct class use like:
         * $dompdf = new DOMPDF();  $dompdf->load_html($htmldata); $dompdf->render(); $pdfdata = $dompdf->output();
         */
-        'DOMPDF_CHROOT' => realpath(base_path()),
+        'chroot' => realpath(base_path()),

        /**
         * Whether to use Unicode fonts or not.
@ -81,12 +81,12 @@ return [
         * When enabled, dompdf can support all Unicode glyphs. Any glyphs used in a
         * document must be present in your fonts, however.
         */
-        'DOMPDF_UNICODE_ENABLED' => true,
+        'unicode_enabled' => true,

        /**
         * Whether to enable font subsetting or not.
         */
-        'DOMPDF_ENABLE_FONTSUBSETTING' => false,
+        'enable_fontsubsetting' => false,

        /**
         * The PDF rendering backend to use.
@ -115,7 +115,7 @@ return [
         * @link http://www.ros.co.nz/pdf
         * @link http://www.php.net/image
         */
-        'DOMPDF_PDF_BACKEND' => 'CPDF',
+        'pdf_backend' => 'CPDF',

        /**
         * PDFlib license key.
@ -141,7 +141,7 @@ return [
         * the desired content might be different (e.g. screen or projection view of html file).
         * Therefore allow specification of content here.
         */
-        'DOMPDF_DEFAULT_MEDIA_TYPE' => 'print',
+        'default_media_type' => 'print',

        /**
         * The default paper size.
@ -150,7 +150,7 @@ return [
         *
         * @see CPDF_Adapter::PAPER_SIZES for valid sizes ('letter', 'legal', 'A4', etc.)
         */
-        'DOMPDF_DEFAULT_PAPER_SIZE' => 'a4',
+        'default_paper_size' => 'a4',

        /**
         * The default font family.
@ -159,7 +159,7 @@ return [
         *
         * @var string
         */
-        'DOMPDF_DEFAULT_FONT' => 'dejavu sans',
+        'default_font' => 'dejavu sans',

        /**
         * Image DPI setting.
@ -194,7 +194,7 @@ return [
         *
         * @var int
         */
-        'DOMPDF_DPI' => 96,
+        'dpi' => 96,

        /**
         * Enable inline PHP.
@ -208,7 +208,7 @@ return [
         *
         * @var bool
         */
-        'DOMPDF_ENABLE_PHP' => false,
+        'enable_php' => false,

        /**
         * Enable inline Javascript.
@ -218,7 +218,7 @@ return [
         *
         * @var bool
         */
-        'DOMPDF_ENABLE_JAVASCRIPT' => false,
+        'enable_javascript' => false,

        /**
         * Enable remote file access.
@ -237,12 +237,12 @@ return [
         *
         * @var bool
         */
-        'DOMPDF_ENABLE_REMOTE' => true,
+        'enable_remote' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),

        /**
         * A ratio applied to the fonts height to be more like browsers' line height.
         */
-        'DOMPDF_FONT_HEIGHT_RATIO' => 1.1,
+        'font_height_ratio' => 1.1,

        /**
         * Enable CSS float.
@ -251,12 +251,12 @@ return [
         *
         * @var bool
         */
-        'DOMPDF_ENABLE_CSS_FLOAT' => true,
+        'enable_css_float' => true,

        /**
         * Use the more-than-experimental HTML5 Lib parser.
         */
-        'DOMPDF_ENABLE_HTML5PARSER' => true,
+        'enable_html5parser' => true,

    ],