Details
Description
TCPDF uses cURL calls in which the possibility of being behind a proxy is not taken into account, which causes, for example, that when creating a pdf with remote images, they are not displayed.
Example of a call to cURL in which the proxy factor is not taken into account:
./lib/tcpdf/include/tcpdf_static.php
$crs = curl_init();
|
curl_setopt($crs, CURLOPT_URL, $path);
|
curl_setopt($crs, CURLOPT_BINARYTRANSFER, true); |
curl_setopt($crs, CURLOPT_FAILONERROR, true); |
curl_setopt($crs, CURLOPT_RETURNTRANSFER, true); |
if ((ini_get('open_basedir') == '') && (!ini_get('safe_mode'))) { |
curl_setopt($crs, CURLOPT_FOLLOWLOCATION, true); |
}
|
curl_setopt($crs, CURLOPT_CONNECTTIMEOUT, 5); |
curl_setopt($crs, CURLOPT_TIMEOUT, 30); |
curl_setopt($crs, CURLOPT_SSL_VERIFYPEER, false); |
curl_setopt($crs, CURLOPT_SSL_VERIFYHOST, false); |
curl_setopt($crs, CURLOPT_USERAGENT, 'tc-lib-file'); |
$ret = curl_exec($crs);
|
curl_close($crs);
|
if ($ret !== false) { |
return $ret; |
}
|
In the same way, calls to the "file_get_contents()" function are used, where neither a context is instantiated to work behind the proxy.
Example : ./lib/tcpdf/include/tcpdf_static.php
$ret = @file_get_contents($path); |
if ( $ret != false ) { |
return $ret; |
}
|
Another function used, which is not proxy-ready, is getimagesize()
Example : ./lib/tcpdf/tcpdf.php
if (($imsize = @getimagesize($file)) === FALSE) { |
if (in_array($file, $this->imagekeys)) { |
// get existing image data |
$info = $this->getImageBuffer($file); |
$imsize = array($info['w'], $info['h']); |
} elseif (strpos($file, '__tcpdf_'.$this->file_id.'_img') === FALSE) { |
$imgdata = TCPDF_STATIC::fileGetContents($file);
|
}
|
}
|
Attachments
Issue Links
- has a non-specific relationship to
-
MDL-72486 Add developer options to warn when making unsafe unproxied requests
-
- Closed
-