Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect file handling for symlinked paths #3373

Open
verybigelephants opened this issue Jan 9, 2024 · 3 comments
Open

Incorrect file handling for symlinked paths #3373

verybigelephants opened this issue Jan 9, 2024 · 3 comments

Comments

@verybigelephants
Copy link

Describe the bug
dompdf/src/Img/Cache.php method resolve_url tries to validate paths. however, it uses dompdf/src/Helpers.php's build_url method and on line 115 there is this nasty bug $filepath = realpath($ret); where realpath will unwrap any symlink into actual full path, (like when you symlink a mounted extra disk space from /mnt/ to hold all of your images for example)

then, the resolve_url continues to check the rules in

                foreach ($allowed_protocols[$protocol]["rules"] as $rule) {
                    [$result, $message] = $rule($full_url);
                    if (!$result) {
                        throw new ImageException("Error loading $url: $message", E_WARNING);
                    }
                }

and then of course it's throwing an error message, saying
The file could not be found under the paths specified by Options::chroot.
because the unwrapped symlink may be outside of the website's allowed directory, even though it is fully valid path accessible by the rest of the appliation

To Reproduce
Steps to reproduce the behavior:

  • Laravel and package version
    "barryvdh/laravel-dompdf": "^2.0",
  • Input HTML/CSS
    "trying to render any image behind a symlink" like <img src="/home/www/somedomain.com/public/media/id/something.jpg"/> where /home/www/somedomain.com/public/media is a symlink to a directory outside /home/www/somedomain.com/

Expected behavior
not unwrapping the symlink into real path, thus failing the rule for allowed directories
@bsweeney
Copy link
Member

bsweeney commented Jan 9, 2024

I'm not sure I would classify this as unexpected behavior, though it may be undesirable. To make it possible to not resolve symlinks we'd have to write our own path parsing logic.

You can work around the problem by adding the target of the symlink to your chroot (it's a collection of paths). The other option would be to replace the validation logic for the file:// scheme.

@verybigelephants
Copy link
Author

verybigelephants commented Jan 10, 2024
edited

Hi, thanks for the reply!

I have teporarily modified vendor src files to not unwrap symlinks with the realpath, as i definitely do not think that you should change chroot for every symlinked subirectory that's inside your app. That would just break the whole concept of symlinks in nix systems.

If a directory is present within the chroot it should be valid, no matter wheter it's a real directory or symlink

@bsweeney
Copy link
Member

Feel free to submit a PR if you have a better method for resolving a path for chroot checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bsweeney @verybigelephants