');
$sBlockId = 'block_fake_'.$this->sId.($bEditMode ? '_edit' : ''); // make a unique id (edition occuring in the same DOM)
@@ -2336,7 +2336,7 @@ class DashletBadge extends Dashlet
$oPage->add('
');
$oPage->add('
');
- $oPage->add('
'.$sClassLabel.': 947');
+ $oPage->add('
'.$sClassLabel.': 947');
$oPage->add('
');
$oPage->add('
');
$oPage->add(' '.Dict::Format('UI:ClickToCreateNew', $sClassLabel).'');
diff --git a/application/utils.inc.php b/application/utils.inc.php
index f7f63b7ac..5208c7e3f 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -62,11 +62,11 @@ class utils
{
if (!file_exists($sParamFile))
{
- throw new Exception("Could not find the parameter file: '$sParamFile'");
+ throw new Exception("Could not find the parameter file: '".utils::HtmlEntities($sParamFile)."'");
}
if (!is_readable($sParamFile))
{
- throw new Exception("Could not load parameter file: '$sParamFile'");
+ throw new Exception("Could not load parameter file: '".utils::HtmlEntities($sParamFile)."'");
}
$sParams = file_get_contents($sParamFile);
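Review bot: The two new throw sites HTML-encode `$sParamFile` inside the exception message itself, so any non-HTML consumer of that exception (CLI setup, log files, a JSON error payload) will see entity-encoded characters such as `&#039;` in the path. Output encoding belongs where the message is rendered into HTML, not where the exception is constructed; if the HTML sink cannot be changed, a comment above the first throw such as `// message is HTML-encoded here because the setup page renders it unescaped` would at least record why the encoding lives in the domain code. The enclosing method begins before this hunk.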
diff --git a/datamodels/2.x/itop-backup/ajax.backup.php b/datamodels/2.x/itop-backup/ajax.backup.php
index c228294fc..76e70ff72 100644
--- a/datamodels/2.x/itop-backup/ajax.backup.php
+++ b/datamodels/2.x/itop-backup/ajax.backup.php
@@ -184,7 +184,7 @@ EOF
$sFile = utils::ReadParam('file', '', false, 'raw_data');
$oBackup = new DBBackupScheduled();
$sBackupDir = APPROOT.'data/backups/';
- $sPathNoDotDotPattern = '/^((?!\/\.\.\/).)*$/';
+ $sPathNoDotDotPattern = "/^((?![\/\\\\]\.\.[\/\\\\]).)*$/";
if(preg_match($sPathNoDotDotPattern, $sBackupDir.$sFile) == 1)
{
$oBackup->DownloadBackup($sBackupDir.$sFile);
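Review bot: The pattern on the `+` line is still a deny-list: it rejects `..` only when it is delimited by `/` or `\` on both sides, so the download path is validated by string shape rather than by where it resolves. A positive check is easier to reason about — resolve the candidate and require it to stay under the backup directory, e.g. `$sRealPath = realpath($sBackupDir.$sFile); if ($sRealPath === false || strpos($sRealPath, realpath($sBackupDir).DIRECTORY_SEPARATOR) !== 0) { /* reject */ }` — or, if backups are always flat files in that directory, reduce `$sFile` to `basename($sFile)` before concatenation. The pattern is now a double-quoted string, which is why `\\\\` is needed to reach a single backslash inside the character class; a one-line comment stating the intent (`// reject any '..' segment delimited by / or \`) would spare the next reader from decoding the escaping. The surrounding request-handling block starts before this hunk.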
diff --git a/datamodels/2.x/itop-hub-connector/ajax.php b/datamodels/2.x/itop-hub-connector/ajax.php
index e7ee70a58..3196379b8 100644
--- a/datamodels/2.x/itop-hub-connector/ajax.php
+++ b/datamodels/2.x/itop-hub-connector/ajax.php
@@ -256,7 +256,11 @@ try
case 'compile':
SetupPage::log_info('Deployment starts...');
-
+ $sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
+ if (!file_exists(APPROOT.'data/hub/compile_authent') || $sAuthent !== file_get_contents(APPROOT.'data/hub/compile_authent'))
+ {
+ throw new SecurityException(Dict::S('iTopHub:FailAuthent'));
+ }
// First step: prepare the datamodel, if it fails, roll-back
$aSelectedExtensionCodes = utils::ReadParam('extension_codes', array());
$aSelectedExtensionDirs = utils::ReadParam('extension_dirs', array());
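Review bot: The token comparison `$sAuthent !== file_get_contents(...)` on the `+` lines is a plain string compare; for a secret that gates a privileged deployment step the conventional form is `hash_equals()`, e.g. `$sStored = @file_get_contents(APPROOT.'data/hub/compile_authent'); if ($sStored === false || !hash_equals($sStored, $sAuthent)) { throw new SecurityException(Dict::S('iTopHub:FailAuthent')); }`, which also folds the `file_exists` test into the read and removes the check-then-read window. The same check is duplicated in the `move_to_production` hunk below and should change there too. The token lives in a single shared file path, so two concurrent install sessions overwrite each other's token; if that is acceptable, a comment saying so next to the path would help. The enclosing `try`/`switch` starts before this hunk.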
@@ -295,7 +299,13 @@ try
try
{
SetupPage::log_info('Move to production starts...');
- // Load the "production" config file to clone & update it
+ $sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
+ if (!file_exists(APPROOT.'data/hub/compile_authent') || $sAuthent !== file_get_contents(APPROOT.'data/hub/compile_authent'))
+ {
+ throw new SecurityException(Dict::S('iTopHub:FailAuthent'));
+ }
+ unlink(APPROOT.'data/hub/compile_authent');
+ // Load the "production" config file to clone & update it
$oConfig = new Config(APPCONF.'production/'.ITOP_CONFIG_FILE);
$oRuntimeEnv->InitDataModel($oConfig, true /* model only */);
@@ -357,6 +367,10 @@ try
}
catch (Exception $e)
{
+ if(file_exists(APPROOT.'data/hub/compile_authent'))
+ {
+ unlink(APPROOT.'data/hub/compile_authent');
+ }
// Note: at this point, the dictionnary is not necessarily loaded
SetupPage::log_error(get_class($e).': '.Dict::S('iTopHub:ConfigurationSafelyReverted')."\n".$e->getMessage());
SetupPage::log_error('Debug trace: '.$e->getTraceAsString());
diff --git a/datamodels/2.x/itop-hub-connector/en.dict.itop-hub-connector.php b/datamodels/2.x/itop-hub-connector/en.dict.itop-hub-connector.php
index 9ec96309a..db909d02a 100644
--- a/datamodels/2.x/itop-hub-connector/en.dict.itop-hub-connector.php
+++ b/datamodels/2.x/itop-hub-connector/en.dict.itop-hub-connector.php
@@ -48,7 +48,9 @@ Dict::Add('EN US', 'English', 'English', array(
'iTopHub:Landing:Install' => 'Deploying extensions...',
'iTopHub:CompiledOK' => 'Compilation successful.',
'iTopHub:ConfigurationSafelyReverted' => 'Error detected during deployment!
iTop configuration has NOT been modified.',
-
+ 'iTopHub:FailAuthent' => 'Authentication failed for this action.',
+
+
'iTopHub:InstalledExtensions' => 'Extensions deployed on this instance',
'iTopHub:ExtensionCategory:Manual' => 'Extensions deployed manually',
'iTopHub:ExtensionCategory:Manual+' => 'The following extensions have been deployed by copying them manually in the %1$s directory of iTop:',
diff --git a/datamodels/2.x/itop-hub-connector/fr.dict.itop-hub-connector.php b/datamodels/2.x/itop-hub-connector/fr.dict.itop-hub-connector.php
index a2ad611d1..cd670fe60 100644
--- a/datamodels/2.x/itop-hub-connector/fr.dict.itop-hub-connector.php
+++ b/datamodels/2.x/itop-hub-connector/fr.dict.itop-hub-connector.php
@@ -32,6 +32,7 @@ Dict::Add('FR FR', 'French', 'Français', array(
'iTopHub:Landing:Install' => 'Déploiement des extensions...',
'iTopHub:CompiledOK' => 'Compilation réussie.',
'iTopHub:ConfigurationSafelyReverted' => 'Une erreur a été détectée durant le déploiement!
La configuration d\'iTop n\'a PAS été modifiée.',
+ 'iTopHub:FailAuthent' => 'Échec d\'authentification pour cette action',
'iTopHub:InstalledExtensions' => 'Extensions déployées sur cette instance',
'iTopHub:ExtensionCategory:Manual' => 'Extensions déployées manuellement',
diff --git a/datamodels/2.x/itop-hub-connector/js/hub.js b/datamodels/2.x/itop-hub-connector/js/hub.js
index b5f468c3b..4a966b8e6 100644
--- a/datamodels/2.x/itop-hub-connector/js/hub.js
+++ b/datamodels/2.x/itop-hub-connector/js/hub.js
@@ -18,7 +18,8 @@ $(function()
extensions_installation: 'Installation of the extensions...',
installation_successful: 'Installation successful!',
rollback: 'iTop configuration has NOT been modified.'
- }
+ },
+ authent : ''
},
// the constructor
@@ -106,7 +107,7 @@ $(function()
var aExtensionCodes = [];
var aExtensionDirs = [];
$('.choice :input:checked').each(function() { aExtensionCodes.push($(this).attr('data-extension-code')); aExtensionDirs.push($(this).attr('data-extension-dir')); });
- $.post(this.options.self_url, {operation: 'compile', extension_codes: aExtensionCodes, extension_dirs: aExtensionDirs}, function(data) { me._on_compile(data) }, 'json');
+ $.post(this.options.self_url, {operation: 'compile', extension_codes: aExtensionCodes, extension_dirs: aExtensionDirs, authent: this.options.authent}, function(data) { me._on_compile(data) }, 'json');
},
_on_compile: function(data)
{
@@ -125,7 +126,7 @@ $(function()
{
$('#hub-installation-progress-text').html(' '+this.options.labels.extensions_installation);
var me = this;
- $.post(this.options.self_url, {operation: 'move_to_production'}, function(data) { me._on_move_to_prod(data) }, 'json');
+ $.post(this.options.self_url, {operation: 'move_to_production', authent: this.options.authent}, function(data) { me._on_move_to_prod(data) }, 'json');
},
_on_move_to_prod: function(data)
{
diff --git a/datamodels/2.x/itop-hub-connector/land.php b/datamodels/2.x/itop-hub-connector/land.php
index f87c34a4b..16e3508db 100644
--- a/datamodels/2.x/itop-hub-connector/land.php
+++ b/datamodels/2.x/itop-hub-connector/land.php
@@ -107,7 +107,7 @@ function DoLanding(WebPage $oPage)
$sPath = APPROOT.'data/downloaded-extensions/';
if (!is_dir($sPath))
{
- if (!mkdir($sPath)) throw new Exception("ERROR: Unable to create the directory '$sPath'. Cannot download any extension. Check the access rights on '".dirname($sPath)."'");
+ if (!mkdir($sPath)) throw new Exception("ERROR: Unable to create the directory '$sPath'. Cannot download any extension. Check the access rights on '".dirname('data/downloaded-extensions/')."'");
}
else
{
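Review bot: The replacement on the `+` line only shortens the second path in the message — `dirname('data/downloaded-extensions/')` evaluates to the constant `data` — while the first half of the same message still interpolates `$sPath`, which is built from `APPROOT` two lines above, so the absolute path the change appears to be hiding is still disclosed. If the goal is to keep `APPROOT` out of user-visible errors, drop it from both halves: `throw new Exception("ERROR: Unable to create the directory 'data/downloaded-extensions/'. Cannot download any extension. Check the access rights on 'data'");`. Calling `dirname()` on a string literal is also harder to read than writing its result; the same applies to the next hunk, where `'"'.'data/downloaded-extensions/'.'"'` concatenates three literals that could be one, and where `$sZipArchiveFile` presumably still carries the full path. `DoLanding` starts before this hunk.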
@@ -126,7 +126,7 @@ function DoLanding(WebPage $oPage)
$oZip = new ZipArchive();
if (!$oZip->open($sZipArchiveFile))
{
- throw new Exception('Unable to open "'.$sZipArchiveFile.'" for extraction. Make sure that the directory "'.$sPath.'" is writable for the web server.');
+ throw new Exception('Unable to open "'.$sZipArchiveFile.'" for extraction. Make sure that the directory "'.'data/downloaded-extensions/'.'" is writable for the web server.');
}
for($idx = 0; $idx < $oZip->numFiles; $idx++)
{
@@ -146,6 +146,9 @@ function DoLanding(WebPage $oPage)
function DoInstall(WebPage $oPage)
{
+ $sUID = hash('sha256', rand());
+ file_put_contents(APPROOT.'data/hub/compile_authent', $sUID);
+
$oPage->add_linked_stylesheet(utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/css/hub.css');
$oPage->add('
');
$sBannerUrl = utils::GetAbsoluteUrlModulesRoot().'/itop-hub-connector/images/landing-extension.png';
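Review bot: `hash('sha256', rand())` on the first `+` line derives the deployment token from `rand()`, which is not a cryptographically secure generator, and hashing its output does not add entropy; the token should come from the CSPRNG, `$sUID = bin2hex(random_bytes(32));` on PHP 7+, or `hash('sha256', openssl_random_pseudo_bytes(32))` if older PHP must still be supported. The `file_put_contents` return value is also unchecked, so a write failure silently yields a page whose `authent` can never match; `if (file_put_contents(APPROOT.'data/hub/compile_authent', $sUID) === false) { throw new Exception('Unable to write the deployment token'); }` surfaces it at the point of failure. A short comment above the two lines — `// token handed to the JS widget and verified by ajax.php before compile/move_to_production` — would document the handshake for the next reader. `DoInstall` continues beyond this hunk.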
@@ -259,6 +262,7 @@ function DoInstall(WebPage $oPage)
'installation_successful' => Dict::S('iTopHub:InstallationProgress:InstallationSuccessful'),
'rollback' => Dict::S('iTopHub:ConfigurationSafelyReverted'),
),
+ 'authent' => $sUID,
);
$sWidgetParams = json_encode($aWidgetParams);
@@ -301,6 +305,10 @@ try
break;
case 'install':
+ if (!file_exists(APPROOT.'data/hub'))
+ {
+ mkdir(APPROOT.'data/hub');
+ }
DoInstall($oPage);
break;
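Review bot: The `mkdir(APPROOT.'data/hub')` on the `+` lines ignores its return value, so when the directory cannot be created `DoInstall` still runs and the failure surfaces later as a warning from `file_put_contents` rather than as a clear error. `if (!file_exists(APPROOT.'data/hub') && !mkdir(APPROOT.'data/hub')) { throw new Exception('Unable to create the directory data/hub'); }` keeps the intent and reports the problem where it happens. The surrounding `switch` starts before this hunk.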
diff --git a/datamodels/2.x/itop-hub-connector/zh_cn.dict.itop-hub-connector.php b/datamodels/2.x/itop-hub-connector/zh_cn.dict.itop-hub-connector.php
index f5ac43de6..42af3a804 100644
--- a/datamodels/2.x/itop-hub-connector/zh_cn.dict.itop-hub-connector.php
+++ b/datamodels/2.x/itop-hub-connector/zh_cn.dict.itop-hub-connector.php
@@ -48,7 +48,8 @@ Dict::Add('ZH CN', 'Chinese', '简体中文', array(
'iTopHub:Landing:Install' => '扩展安装进行中...',
'iTopHub:CompiledOK' => '编译成功.',
'iTopHub:ConfigurationSafelyReverted' => '安装时发生错误!
iTop 配置将不会改变.',
-
+ 'iTopHub:FailAuthent' => 'Authentication failed for this action.~~',
+
'iTopHub:InstalledExtensions' => '本机已安装的扩展',
'iTopHub:ExtensionCategory:Manual' => '手动安装的扩展',
'iTopHub:ExtensionCategory:Manual+' => '下列已安装的扩展是手动将文件放置到 %1$s 目录的:',
diff --git a/lib/tcpdf/CHANGELOG.TXT b/lib/tcpdf/CHANGELOG.TXT
index d6e4cf05e..3bdae3e24 100644
--- a/lib/tcpdf/CHANGELOG.TXT
+++ b/lib/tcpdf/CHANGELOG.TXT
@@ -1,5 +1,17 @@
-Unreleased
- - fix Undesired mouseover effect on links in PDF on Chrome Pdf Viewer
+6.2.25
+ - Fix support for image URLs.
+
+6.2.24
+ - Support remote urls when checking if file exists.
+
+6.2.23
+ - Simplify file_exists function.
+
+6.2.22
+ - Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data.
+
+6.2.19
+ - Merge various fixes for PHP 7.3 compatibility and security.
6.2.13 (2016-06-10)
- IMPORTANT: A new version of this library is under development at https://github.com/tecnickcom/tc-lib-pdf and as a consequence this version will not receive any additional development or support. This version should be considered obsolete, new projects should use the new version as soon it will become stable.
diff --git a/lib/tcpdf/README.TXT b/lib/tcpdf/README.TXT
deleted file mode 100644
index d051393ca..000000000
--- a/lib/tcpdf/README.TXT
+++ /dev/null
@@ -1,115 +0,0 @@
-TCPDF - README
-============================================================
-
-I WISH TO IMPROVE AND EXPAND TCPDF BUT I NEED YOUR SUPPORT.
-PLEASE MAKE A DONATION:
-http://sourceforge.net/donate/index.php?group_id=128076
-
-------------------------------------------------------------
-
-Name: TCPDF
-Version: 6.2.6
-Release date: 2015-01-28
-Author: Nicola Asuni
-
-Copyright (c) 2002-2015:
- Nicola Asuni
- Tecnick.com LTD
- www.tecnick.com
-
-URLs:
- http://www.tcpdf.org
- http://www.sourceforge.net/projects/tcpdf
-
-Description:
- TCPDF is a PHP class for generating PDF files on-the-fly without requiring external extensions.
- This library includes also a class to extract data from existing PDF documents and
- classes to generate 1D and 2D barcodes in various formats.
-
-Main Features:
- * no external libraries are required for the basic functions;
- * all standard page formats, custom page formats, custom margins and units of measure;
- * UTF-8 Unicode and Right-To-Left languages;
- * TrueTypeUnicode, OpenTypeUnicode v1, TrueType, OpenType v1, Type1 and CID-0 fonts;
- * font subsetting;
- * methods to publish some XHTML + CSS code, Javascript and Forms;
- * images, graphic (geometric figures) and transformation methods;
- * supports JPEG, PNG and SVG images natively, all images supported by GD (GD, GD2, GD2PART, GIF, JPEG, PNG, BMP, XBM, XPM) and all images supported via ImagMagick (http: www.imagemagick.org/www/formats.html)
- * 1D and 2D barcodes: CODE 39, ANSI MH10.8M-1983, USD-3, 3 of 9, CODE 93, USS-93, Standard 2 of 5, Interleaved 2 of 5, CODE 128 A/B/C, 2 and 5 Digits UPC-Based Extension, EAN 8, EAN 13, UPC-A, UPC-E, MSI, POSTNET, PLANET, RMS4CC (Royal Mail 4-state Customer Code), CBC (Customer Bar Code), KIX (Klant index - Customer index), Intelligent Mail Barcode, Onecode, USPS-B-3200, CODABAR, CODE 11, PHARMACODE, PHARMACODE TWO-TRACKS, Datamatrix, QR-Code, PDF417;
- * JPEG and PNG ICC profiles, Grayscale, RGB, CMYK, Spot Colors and Transparencies;
- * automatic page header and footer management;
- * document encryption up to 256 bit and digital signature certifications;
- * transactions to UNDO commands;
- * PDF annotations, including links, text and file attachments;
- * text rendering modes (fill, stroke and clipping);
- * multiple columns mode;
- * no-write page regions;
- * bookmarks, named destinations and table of content;
- * text hyphenation;
- * text stretching and spacing (tracking);
- * automatic page break, line break and text alignments including justification;
- * automatic page numbering and page groups;
- * move and delete pages;
- * page compression (requires php-zlib extension);
- * XOBject Templates;
- * Layers and object visibility.
- * PDF/A-1b support.
-
-Installation (full instructions on http: www.tcpdf.org):
- 1. copy the folder on your Web server
- 2. set your installation path and other parameters on the config/tcpdf_config.php
- 3. call the examples/example_001.php page with your browser to see an example
-
-Source Code Documentation:
- http://www.tcpdf.org
-
-Additional Documentation:
- http://www.tcpdf.org
-
-License:
- Copyright (C) 2002-2014 Nicola Asuni - Tecnick.com LTD
-
- TCPDF is free software: you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as
- published by the Free Software Foundation, either version 3 of the
- License, or (at your option) any later version.
-
- TCPDF is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- See the GNU Lesser General Public License for more details.
-
- You should have received a copy of the License
- along with TCPDF. If not, see
- .
-
- See LICENSE.TXT file for more information.
-
-Third party fonts:
-
- This library may include third party font files released with different licenses.
-
- All the PHP files on the fonts directory are subject to the general TCPDF license (GNU-LGPLv3),
- they do not contain any binary data but just a description of the general properties of a particular font.
- These files can be also generated on the fly using the font utilities and TCPDF methods.
-
- All the original binary TTF font files have been renamed for compatibility with TCPDF and compressed using the gzcompress PHP function that uses the ZLIB data format (.z files).
-
- The binary files (.z) that begins with the prefix "free" have been extracted from the GNU FreeFont collection (GNU-GPLv3).
- The binary files (.z) that begins with the prefix "pdfa" have been derived from the GNU FreeFont, so they are subject to the same license.
- For the details of Copyright, License and other information, please check the files inside the directory fonts/freefont-20120503
- Link : http://www.gnu.org/software/freefont/
-
- The binary files (.z) that begins with the prefix "dejavu" have been extracted from the DejaVu fonts 2.33 (Bitstream) collection.
- For the details of Copyright, License and other information, please check the files inside the directory fonts/dejavu-fonts-ttf-2.33
- Link : http://dejavu-fonts.org
-
- The binary files (.z) that begins with the prefix "ae" have been extracted from the Arabeyes.org collection (GNU-GPLv2).
- Link : http://projects.arabeyes.org/
-
-ICC profile:
- TCPDF includes the sRGB.icc profile from the icc-profiles-free Debian package:
- https://packages.debian.org/source/stable/icc-profiles-free
-
-
-============================================================
diff --git a/lib/tcpdf/composer.json b/lib/tcpdf/composer.json
index 83ffd67b8..1f19dfd86 100644
--- a/lib/tcpdf/composer.json
+++ b/lib/tcpdf/composer.json
@@ -1,6 +1,6 @@
{
"name": "tecnickcom/tcpdf",
- "version": "6.2.17",
+ "version": "6.2.26",
"homepage": "http://www.tcpdf.org/",
"type": "library",
"description": "TCPDF is a PHP class for generating PDF documents and barcodes.",
diff --git a/lib/tcpdf/include/tcpdf_fonts.php b/lib/tcpdf/include/tcpdf_fonts.php
index ba89c7cfb..9242ca4bf 100644
--- a/lib/tcpdf/include/tcpdf_fonts.php
+++ b/lib/tcpdf/include/tcpdf_fonts.php
@@ -70,7 +70,7 @@ class TCPDF_FONTS {
* @public static
*/
public static function addTTFfont($fontfile, $fonttype='', $enc='', $flags=32, $outpath='', $platid=3, $encid=1, $addcbbox=false, $link=false) {
- if (!file_exists($fontfile)) {
+ if (!TCPDF_STATIC::file_exists($fontfile)) {
// Could not find file
return false;
}
@@ -95,7 +95,7 @@ class TCPDF_FONTS {
$outpath = self::_getfontpath();
}
// check if this font already exist
- if (@file_exists($outpath.$font_name.'.php')) {
+ if (@TCPDF_STATIC::file_exists($outpath.$font_name.'.php')) {
// this font already exist (delete it from fonts folder to rebuild it)
return $font_name;
}
@@ -1543,11 +1543,11 @@ class TCPDF_FONTS {
public static function getFontFullPath($file, $fontdir=false) {
$fontfile = '';
// search files on various directories
- if (($fontdir !== false) AND @file_exists($fontdir.$file)) {
+ if (($fontdir !== false) AND @TCPDF_STATIC::file_exists($fontdir.$file)) {
$fontfile = $fontdir.$file;
- } elseif (@file_exists(self::_getfontpath().$file)) {
+ } elseif (@TCPDF_STATIC::file_exists(self::_getfontpath().$file)) {
$fontfile = self::_getfontpath().$file;
- } elseif (@file_exists($file)) {
+ } elseif (@TCPDF_STATIC::file_exists($file)) {
$fontfile = $file;
}
return $fontfile;
@@ -2003,7 +2003,11 @@ class TCPDF_FONTS {
$chars = str_split($str);
$carr = array_map('ord', $chars);
}
- $currentfont['subsetchars'] += array_fill_keys($carr, true);
+ if (is_array($currentfont['subsetchars']) && is_array($carr)) {
+ $currentfont['subsetchars'] += array_fill_keys($carr, true);
+ } else {
+ $currentfont['subsetchars'] = array_merge($currentfont['subsetchars'], $carr);
+ }
return $carr;
}
diff --git a/lib/tcpdf/include/tcpdf_images.php b/lib/tcpdf/include/tcpdf_images.php
index c2e3c36f9..86b3c20db 100644
--- a/lib/tcpdf/include/tcpdf_images.php
+++ b/lib/tcpdf/include/tcpdf_images.php
@@ -161,12 +161,8 @@ class TCPDF_IMAGES {
*/
public static function _parsejpeg($file) {
// check if is a local file
- if (!@file_exists($file)) {
- // try to encode spaces on filename
- $tfile = str_replace(' ', '%20', $file);
- if (@file_exists($tfile)) {
- $file = $tfile;
- }
+ if (!@TCPDF_STATIC::file_exists($file)) {
+ return false;
}
$a = getimagesize($file);
if (empty($a)) {
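Review bot: The rewritten check in `_parsejpeg` now returns `false` where the old code only tried a `%20`-encoded variant of the name and then fell through to `getimagesize`, so a path containing spaces that used to be recovered is now rejected, and callers must handle a `false` return that did not previously occur at this point. The docblock above (cut off at the top of the hunk) should state the new contract, e.g. `@return array|false image data, or FALSE when the file does not exist or is not an allowed URL`. The same replacement appears in `Image()` in tcpdf.php further down this diff. `_parsejpeg` continues beyond this hunk.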
diff --git a/lib/tcpdf/include/tcpdf_static.php b/lib/tcpdf/include/tcpdf_static.php
index aa42c850a..df1b28e1e 100644
--- a/lib/tcpdf/include/tcpdf_static.php
+++ b/lib/tcpdf/include/tcpdf_static.php
@@ -55,7 +55,7 @@ class TCPDF_STATIC {
* Current TCPDF version.
* @private static
*/
- private static $tcpdf_version = '6.2.17';
+ private static $tcpdf_version = '6.2.26';
/**
* String alias for total number of pages.
@@ -1774,39 +1774,6 @@ class TCPDF_STATIC {
return $angle;
}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-// ====================================================================================================================
-// REIMPLEMENTED
-// ====================================================================================================================
-
-
-
-
-
-
-
-
-
-
-
-
-
-
/**
* Split string by a regular expression.
* This is a wrapper for the preg_split function to avoid the bug: https://bugs.php.net/bug.php?id=45850
@@ -1854,6 +1821,49 @@ class TCPDF_STATIC {
return fopen($filename, $mode);
}
+ /**
+ * Check if the URL exist.
+ * @param url (string) URL to check.
+ * @return Returns TRUE if the URL exists; FALSE otherwise.
+ * @public static
+ */
+ public static function url_exists($url) {
+ $crs = curl_init();
+ curl_setopt($crs, CURLOPT_URL, $url);
+ curl_setopt($crs, CURLOPT_NOBODY, true);
+ curl_setopt($crs, CURLOPT_FAILONERROR, true);
+ if ((ini_get('open_basedir') == '') && (!ini_get('safe_mode'))) {
+ curl_setopt($crs, CURLOPT_FOLLOWLOCATION, true);
+ }
+ curl_setopt($crs, CURLOPT_CONNECTTIMEOUT, 5);
+ curl_setopt($crs, CURLOPT_TIMEOUT, 30);
+ curl_setopt($crs, CURLOPT_SSL_VERIFYPEER, false);
+ curl_setopt($crs, CURLOPT_SSL_VERIFYHOST, false);
+ curl_setopt($crs, CURLOPT_USERAGENT, 'tc-lib-file');
+ curl_exec($crs);
+ $code = curl_getinfo($crs, CURLINFO_HTTP_CODE);
+ curl_close($crs);
+ return ($code == 200);
+ }
+
+ /**
+ * Wrapper for file_exists.
+ * Checks whether a file or directory exists.
+ * Only allows some protocols and local files.
+ * @param filename (string) Path to the file or directory.
+ * @return Returns TRUE if the file or directory specified by filename exists; FALSE otherwise.
+ * @public static
+ */
+ public static function file_exists($filename) {
+ if (preg_match('|^https?://|', $filename) == 1) {
+ return self::url_exists($filename);
+ }
+ if (strpos($filename, '://')) {
+ return false; // only support http and https wrappers for security reasons
+ }
+ return @file_exists($filename);
+ }
+
/**
* Reads entire file into a string.
* The file can be also an URL.
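Review bot: `url_exists()` sets `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` to `false`, so the existence check accepts any certificate and an on-path network attacker can answer for any `https://` source that reaches font, image or attachment loading through `file_exists()`; those two `curl_setopt` lines should simply be removed, since curl verifies by default. With `CURLOPT_FOLLOWLOCATION` enabled it is also worth pinning the schemes curl may use and follow, `curl_setopt($crs, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); curl_setopt($crs, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);`, because `file_exists()` validates only the initial string, not where a redirect lands. Two smaller points: `ini_get('safe_mode')` refers to a directive removed in PHP 5.4, and `strpos($filename, '://')` is used as a boolean, so a string starting with `://` slips through to the native `file_exists` (harmless, but `!== false` states the intent). The `file_exists` docblock could also say that `http`/`https` inputs are checked with a HEAD request under a 30 s timeout and that every other wrapper is rejected.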
@@ -1914,8 +1924,10 @@ class TCPDF_STATIC {
}
//
$alt = array_unique($alt);
- //var_dump($alt);exit;//DEBUG
foreach ($alt as $path) {
+ if (!self::file_exists($path)) {
+ return false;
+ }
$ret = @file_get_contents($path);
if ($ret !== false) {
return $ret;
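Review bot: Inside the `foreach ($alt as $path)` loop the new check returns `false` as soon as one candidate fails `self::file_exists()`, so the remaining entries of `$alt` are never tried; since the loop exists to test several candidate paths in turn, `continue;` looks like the intended statement. If the early return is deliberate — for instance to refuse any list that contains a disallowed wrapper — a comment saying so would stop the next reader from "fixing" it. The enclosing method starts before this hunk.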
@@ -1949,8 +1961,6 @@ class TCPDF_STATIC {
return false;
}
-
-
/**
* Get ULONG from string (Big Endian 32-bit unsigned integer).
* @param $str (string) string from where to extract value
diff --git a/lib/tcpdf/tcpdf.php b/lib/tcpdf/tcpdf.php
index ef411a17d..24ef434ab 100644
--- a/lib/tcpdf/tcpdf.php
+++ b/lib/tcpdf/tcpdf.php
@@ -1,13 +1,13 @@
* @package com.tecnick.tcpdf
* @author Nicola Asuni
- * @version 6.2.8
+ * @version 6.2.26
*/
// TCPDF configuration
@@ -128,8 +128,11 @@ require_once(dirname(__FILE__).'/include/tcpdf_static.php');
* TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.
* @package com.tecnick.tcpdf
* @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.2.8
+ * @version 6.2.26
* @author Nicola Asuni - info@tecnick.com
+ * @IgnoreAnnotation("protected")
+ * @IgnoreAnnotation("public")
+ * @IgnoreAnnotation("pre")
*/
class TCPDF {
@@ -1994,10 +1997,6 @@ class TCPDF {
* @since 1.53.0.TC016
*/
public function __destruct() {
- // restore internal encoding
- if (isset($this->internal_encoding) AND !empty($this->internal_encoding)) {
- mb_internal_encoding($this->internal_encoding);
- }
// cleanup
$this->_destroy(true);
}
@@ -4257,7 +4256,7 @@ class TCPDF {
// true when the font style variation is missing
$missing_style = false;
// search and include font file
- if (TCPDF_STATIC::empty_string($fontfile) OR (!@file_exists($fontfile))) {
+ if (TCPDF_STATIC::empty_string($fontfile) OR (!@TCPDF_STATIC::file_exists($fontfile))) {
// build a standard filenames for specified font
$tmp_fontfile = str_replace(' ', '', $family).strtolower($style).'.php';
$fontfile = TCPDF_FONTS::getFontFullPath($tmp_fontfile, $fontdir);
@@ -4269,7 +4268,7 @@ class TCPDF {
}
}
// include font file
- if (!TCPDF_STATIC::empty_string($fontfile) AND (@file_exists($fontfile))) {
+ if (!TCPDF_STATIC::empty_string($fontfile) AND (@TCPDF_STATIC::file_exists($fontfile))) {
include($fontfile);
} else {
$this->Error('Could not include font definition file: '.$family.'');
@@ -4453,6 +4452,7 @@ class TCPDF {
* @see SetFont()
*/
public function SetFontSize($size, $out=true) {
+ $size = (float)$size;
// font size in points
$this->FontSizePt = $size;
// font size in user units
@@ -4809,19 +4809,19 @@ class TCPDF {
$this->PageAnnots[$page][] = array('n' => ++$this->n, 'x' => $x, 'y' => $y, 'w' => $w, 'h' => $h, 'txt' => $text, 'opt' => $opt, 'numspaces' => $spaces);
if (!$this->pdfa_mode) {
if ((($opt['Subtype'] == 'FileAttachment') OR ($opt['Subtype'] == 'Sound')) AND (!TCPDF_STATIC::empty_string($opt['FS']))
- AND (@file_exists($opt['FS']) OR TCPDF_STATIC::isValidURL($opt['FS']))
+ AND (@TCPDF_STATIC::file_exists($opt['FS']) OR TCPDF_STATIC::isValidURL($opt['FS']))
AND (!isset($this->embeddedfiles[basename($opt['FS'])]))) {
$this->embeddedfiles[basename($opt['FS'])] = array('f' => ++$this->n, 'n' => ++$this->n, 'file' => $opt['FS']);
}
}
// Add widgets annotation's icons
- if (isset($opt['mk']['i']) AND @file_exists($opt['mk']['i'])) {
+ if (isset($opt['mk']['i']) AND @TCPDF_STATIC::file_exists($opt['mk']['i'])) {
$this->Image($opt['mk']['i'], '', '', 10, 10, '', '', '', false, 300, '', false, false, 0, false, true);
}
- if (isset($opt['mk']['ri']) AND @file_exists($opt['mk']['ri'])) {
+ if (isset($opt['mk']['ri']) AND @TCPDF_STATIC::file_exists($opt['mk']['ri'])) {
$this->Image($opt['mk']['ri'], '', '', 0, 0, '', '', '', false, 300, '', false, false, 0, false, true);
}
- if (isset($opt['mk']['ix']) AND @file_exists($opt['mk']['ix'])) {
+ if (isset($opt['mk']['ix']) AND @TCPDF_STATIC::file_exists($opt['mk']['ix'])) {
$this->Image($opt['mk']['ix'], '', '', 0, 0, '', '', '', false, 300, '', false, false, 0, false, true);
}
}
@@ -5769,10 +5769,9 @@ class TCPDF {
$this->resetLastH();
}
if (!TCPDF_STATIC::empty_string($y)) {
- $this->SetY($y);
- } else {
- $y = $this->GetY();
+ $this->SetY($y); // set y in order to convert negative y values to positive ones
}
+ $y = $this->GetY();
$resth = 0;
if (($h > 0) AND $this->inPageBody() AND (($y + $h + $mc_margin['T'] + $mc_margin['B']) > $this->PageBreakTrigger)) {
// spit cell in more pages/columns
@@ -6845,13 +6844,9 @@ class TCPDF {
$file = substr($file, 1);
$exurl = $file;
}
- // check if is a local file
- if (!@file_exists($file)) {
- // try to encode spaces on filename
- $tfile = str_replace(' ', '%20', $file);
- if (@file_exists($tfile)) {
- $file = $tfile;
- }
+ // check if file exist and it is valid
+ if (!@TCPDF_STATIC::file_exists($file)) {
+ return false;
}
if (($imsize = @getimagesize($file)) === FALSE) {
if (in_array($file, $this->imagekeys)) {
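Review bot: The early `return false;` on the `+` lines runs before the `in_array($file, $this->imagekeys)` branch that follows, so a source already registered under that key but no longer on disk (or no longer passing the wrapper check) is now rejected instead of reaching that branch; if that lookup is meant to cover exactly such cases, the existence check should come after it. The old `%20` retry for names containing spaces is also gone, which changes behaviour for such sources. A comment on the new check, `// unknown or disallowed source: give up before the cache lookup`, would make the ordering explicit. `Image()` starts before and continues after this hunk.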
@@ -7750,6 +7745,10 @@ class TCPDF {
* @since 4.5.016 (2009-02-24)
*/
public function _destroy($destroyall=false, $preserve_objcopy=false) {
+ // restore internal encoding
+ if (isset($this->internal_encoding) AND !empty($this->internal_encoding)) {
+ mb_internal_encoding($this->internal_encoding);
+ }
if ($destroyall AND !$preserve_objcopy) {
// remove all temporary files
$tmpfiles = glob(K_PATH_CACHE.'__tcpdf_'.$this->file_id.'_*');
@@ -9648,7 +9647,7 @@ class TCPDF {
protected function _putcatalog() {
// put XMP
$xmpobj = $this->_putXMP();
- // if required, add standard sRGB_IEC61966-2.1 blackscaled ICC colour profile
+ // if required, add standard sRGB ICC colour profile
if ($this->pdfa_mode OR $this->force_srgb) {
$iccobj = $this->_newobj();
$icc = file_get_contents(dirname(__FILE__).'/include/sRGB.icc');
@@ -17783,7 +17782,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
// justify block
if (!TCPDF_STATIC::empty_string($this->lispacer)) {
$this->lispacer = '';
- continue;
+ break;
}
preg_match('/([0-9\.\+\-]*)[\s]([0-9\.\+\-]*)[\s]([0-9\.\+\-]*)[\s]('.$strpiece[1][0].')[\s](re)([\s]*)/x', $pmid, $xmatches);
if (!isset($xmatches[1])) {
@@ -18318,7 +18317,8 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
}
// text
$this->htmlvspace = 0;
- if ((!$this->premode) AND $this->isRTLTextDir()) {
+ $isRTLString = preg_match(TCPDF_FONT_DATA::$uni_RE_PATTERN_RTL, $dom[$key]['value']) || preg_match(TCPDF_FONT_DATA::$uni_RE_PATTERN_ARABIC, $dom[$key]['value']);
+ if ((!$this->premode) AND $this->isRTLTextDir() AND !$isRTLString) {
// reverse spaces order
$lsp = ''; // left spaces
$rsp = ''; // right spaces
@@ -18333,7 +18333,7 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
if ($newline) {
if (!$this->premode) {
$prelen = strlen($dom[$key]['value']);
- if ($this->isRTLTextDir()) {
+ if ($this->isRTLTextDir() AND !$isRTLString) {
// right trim except non-breaking space
$dom[$key]['value'] = $this->stringRightTrim($dom[$key]['value']);
} else {
@@ -18817,102 +18817,124 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
break;
}
case 'img': {
- if (!empty($tag['attribute']['src'])) {
- if ($tag['attribute']['src'][0] === '@') {
- // data stream
- $tag['attribute']['src'] = '@'.base64_decode(substr($tag['attribute']['src'], 1));
- $type = '';
- } else {
- // get image type
- $type = TCPDF_IMAGES::getImageFileType($tag['attribute']['src']);
- }
- if (!isset($tag['width'])) {
- $tag['width'] = 0;
- }
- if (!isset($tag['height'])) {
- $tag['height'] = 0;
- }
- //if (!isset($tag['attribute']['align'])) {
- // the only alignment supported is "bottom"
- // further development is required for other modes.
- $tag['attribute']['align'] = 'bottom';
- //}
- switch($tag['attribute']['align']) {
- case 'top': {
- $align = 'T';
- break;
- }
- case 'middle': {
- $align = 'M';
- break;
- }
- case 'bottom': {
- $align = 'B';
- break;
- }
- default: {
- $align = 'B';
- break;
- }
- }
- $prevy = $this->y;
- $xpos = $this->x;
- $imglink = '';
- if (isset($this->HREF['url']) AND !TCPDF_STATIC::empty_string($this->HREF['url'])) {
- $imglink = $this->HREF['url'];
- if ($imglink[0] == '#') {
- // convert url to internal link
- $lnkdata = explode(',', $imglink);
- if (isset($lnkdata[0])) {
- $page = intval(substr($lnkdata[0], 1));
- if (empty($page) OR ($page <= 0)) {
- $page = $this->page;
- }
- if (isset($lnkdata[1]) AND (strlen($lnkdata[1]) > 0)) {
- $lnky = floatval($lnkdata[1]);
- } else {
- $lnky = 0;
- }
- $imglink = $this->AddLink();
- $this->SetLink($imglink, $lnky, $page);
+ if (empty($tag['attribute']['src'])) {
+ break;
+ }
+ $imgsrc = $tag['attribute']['src'];
+ if ($imgsrc[0] === '@') {
+ // data stream
+ $imgsrc = '@'.base64_decode(substr($imgsrc, 1));
+ $type = '';
+ } else {
+ if (($imgsrc[0] === '/') AND !empty($_SERVER['DOCUMENT_ROOT']) AND ($_SERVER['DOCUMENT_ROOT'] != '/')) {
+ // fix image path
+ $findroot = strpos($imgsrc, $_SERVER['DOCUMENT_ROOT']);
+ if (($findroot === false) OR ($findroot > 1)) {
+ if (substr($_SERVER['DOCUMENT_ROOT'], -1) == '/') {
+ $imgsrc = substr($_SERVER['DOCUMENT_ROOT'], 0, -1).$imgsrc;
+ } else {
+ $imgsrc = $_SERVER['DOCUMENT_ROOT'].$imgsrc;
}
}
- }
- $border = 0;
- if (isset($tag['border']) AND !empty($tag['border'])) {
- // currently only support 1 (frame) or a combination of 'LTRB'
- $border = $tag['border'];
- }
- $iw = '';
- if (isset($tag['width'])) {
- $iw = $this->getHTMLUnitToUnits($tag['width'], ($tag['fontsize'] / $this->k), 'px', false);
- }
- $ih = '';
- if (isset($tag['height'])) {
- $ih = $this->getHTMLUnitToUnits($tag['height'], ($tag['fontsize'] / $this->k), 'px', false);
- }
- if (($type == 'eps') OR ($type == 'ai')) {
- $this->ImageEps($tag['attribute']['src'], $xpos, $this->y, $iw, $ih, $imglink, true, $align, '', $border, true);
- } elseif ($type == 'svg') {
- $this->ImageSVG($tag['attribute']['src'], $xpos, $this->y, $iw, $ih, $imglink, $align, '', $border, true);
- } else {
- $this->Image($tag['attribute']['src'], $xpos, $this->y, $iw, $ih, '', $imglink, $align, false, 300, '', false, false, $border, false, false, true);
- }
- switch($align) {
- case 'T': {
- $this->y = $prevy;
- break;
+ $imgsrc = urldecode($imgsrc);
+ $testscrtype = @parse_url($imgsrc);
+ if (empty($testscrtype['query'])) {
+ // convert URL to server path
+ $imgsrc = str_replace(K_PATH_URL, K_PATH_MAIN, $imgsrc);
+ } elseif (preg_match('|^https?://|', $imgsrc) !== 1) {
+ // convert URL to server path
+ $imgsrc = str_replace(K_PATH_MAIN, K_PATH_URL, $imgsrc);
}
- case 'M': {
- $this->y = (($this->img_rb_y + $prevy - ($this->getCellHeight($tag['fontsize'] / $this->k))) / 2);
- break;
- }
- case 'B': {
- $this->y = $this->img_rb_y - ($this->getCellHeight($tag['fontsize'] / $this->k) - ($this->getFontDescent($tag['fontname'], $tag['fontstyle'], $tag['fontsize']) * $this->cell_height_ratio));
- break;
+ }
+ // get image type
+ $type = TCPDF_IMAGES::getImageFileType($imgsrc);
+ }
+ if (!isset($tag['width'])) {
+ $tag['width'] = 0;
+ }
+ if (!isset($tag['height'])) {
+ $tag['height'] = 0;
+ }
+ //if (!isset($tag['attribute']['align'])) {
+ // the only alignment supported is "bottom"
+ // further development is required for other modes.
+ $tag['attribute']['align'] = 'bottom';
+ //}
+ switch($tag['attribute']['align']) {
+ case 'top': {
+ $align = 'T';
+ break;
+ }
+ case 'middle': {
+ $align = 'M';
+ break;
+ }
+ case 'bottom': {
+ $align = 'B';
+ break;
+ }
+ default: {
+ $align = 'B';
+ break;
+ }
+ }
+ $prevy = $this->y;
+ $xpos = $this->x;
+ $imglink = '';
+ if (isset($this->HREF['url']) AND !TCPDF_STATIC::empty_string($this->HREF['url'])) {
+ $imglink = $this->HREF['url'];
+ if ($imglink[0] == '#') {
+ // convert url to internal link
+ $lnkdata = explode(',', $imglink);
+ if (isset($lnkdata[0])) {
+ $page = intval(substr($lnkdata[0], 1));
+ if (empty($page) OR ($page <= 0)) {
+ $page = $this->page;
+ }
+ if (isset($lnkdata[1]) AND (strlen($lnkdata[1]) > 0)) {
+ $lnky = floatval($lnkdata[1]);
+ } else {
+ $lnky = 0;
+ }
+ $imglink = $this->AddLink();
+ $this->SetLink($imglink, $lnky, $page);
}
}
}
+ $border = 0;
+ if (isset($tag['border']) AND !empty($tag['border'])) {
+ // currently only support 1 (frame) or a combination of 'LTRB'
+ $border = $tag['border'];
+ }
+ $iw = '';
+ if (isset($tag['width'])) {
+ $iw = $this->getHTMLUnitToUnits($tag['width'], ($tag['fontsize'] / $this->k), 'px', false);
+ }
+ $ih = '';
+ if (isset($tag['height'])) {
+ $ih = $this->getHTMLUnitToUnits($tag['height'], ($tag['fontsize'] / $this->k), 'px', false);
+ }
+ if (($type == 'eps') OR ($type == 'ai')) {
+ $this->ImageEps($imgsrc, $xpos, $this->y, $iw, $ih, $imglink, true, $align, '', $border, true);
+ } elseif ($type == 'svg') {
+ $this->ImageSVG($imgsrc, $xpos, $this->y, $iw, $ih, $imglink, $align, '', $border, true);
+ } else {
+ $this->Image($imgsrc, $xpos, $this->y, $iw, $ih, '', $imglink, $align, false, 300, '', false, false, $border, false, false, true);
+ }
+ switch($align) {
+ case 'T': {
+ $this->y = $prevy;
+ break;
+ }
+ case 'M': {
+ $this->y = (($this->img_rb_y + $prevy - ($this->getCellHeight($tag['fontsize'] / $this->k))) / 2);
+ break;
+ }
+ case 'B': {
+ $this->y = $this->img_rb_y - ($this->getCellHeight($tag['fontsize'] / $this->k) - ($this->getFontDescent($tag['fontname'], $tag['fontstyle'], $tag['fontsize']) * $this->cell_height_ratio));
+ break;
+ }
+ }
break;
}
case 'dl': {
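Review bot: The comment on the new `elseif` branch, `// convert URL to server path`, describes the opposite of what the line below it does (`str_replace(K_PATH_MAIN, K_PATH_URL, $imgsrc)` turns a server path into a URL); the sibling hunk at -24206 has the right wording, `// convert server path to URL`, and this one should match. Separately, this hunk now derives the file handed to `Image()`/`ImageSVG()`/`ImageEps()` from the `src` attribute after `urldecode`, a `$_SERVER['DOCUMENT_ROOT']` prefix and the K_PATH_URL→K_PATH_MAIN rewrite, and nothing in the hunk restricts where that path may point; whether that is acceptable depends on the callers only ever passing trusted HTML, which is not visible here, so a comment stating that assumption above `case 'img':` would help the next maintainer. `@parse_url($imgsrc)` can also return `false`, in which case `$testscrtype['query']` is read from a bool; `empty()` hides that, but an explicit `is_array($testscrtype)` check would be clearer.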
@@ -24206,9 +24228,12 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value:
}
$img = urldecode($img);
$testscrtype = @parse_url($img);
- if (!isset($testscrtype['query']) OR empty($testscrtype['query'])) {
+ if (empty($testscrtype['query'])) {
// convert URL to server path
$img = str_replace(K_PATH_URL, K_PATH_MAIN, $img);
+ } elseif (preg_match('|^https?://|', $img) !== 1) {
+ // convert server path to URL
+ $img = str_replace(K_PATH_MAIN, K_PATH_URL, $img);
}
}
// get image type
diff --git a/setup/backup.class.inc.php b/setup/backup.class.inc.php
index 5f185282a..ac71952c0 100644
--- a/setup/backup.class.inc.php
+++ b/setup/backup.class.inc.php
@@ -528,14 +528,21 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
*/
public function DownloadBackup($sFile)
{
- header('Content-Description: File Transfer');
- header('Content-Type: multipart/x-zip');
- header('Content-Disposition: inline; filename="'.basename($sFile).'"');
- header('Expires: 0');
- header('Cache-Control: must-revalidate');
- header('Pragma: public');
- header('Content-Length: '.filesize($sFile));
- readfile($sFile);
+ if (file_exists($sFile))
+ {
+ header('Content-Description: File Transfer');
+ header('Content-Type: multipart/x-zip');
+ header('Content-Disposition: inline; filename="'.basename($sFile).'"');
+ header('Expires: 0');
+ header('Cache-Control: must-revalidate');
+ header('Pragma: public');
+ header('Content-Length: '.filesize($sFile));
+ readfile($sFile) ;
+ }
+ else
+ {
+ throw new InvalidParameterException('Invalid file path');
+ }
}
/**
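Review bot: `file_exists($sFile)` only guards against a missing file; it still returns true for a directory and says nothing about whether `$sFile` lies inside the backup directory, so the containment of the path is left entirely to callers. A stricter guard that resolves the path and checks both the type and the location, along the lines of `$sRealFile = realpath($sFile);` and `if (($sRealFile !== false) && is_file($sRealFile) && (strpos($sRealFile, realpath(<BACKUP_DIR>).DIRECTORY_SEPARATOR) === 0))`, would make `DownloadBackup` safe on its own rather than relying on every caller's filtering (`<BACKUP_DIR>` being whatever directory this class considers its backup root). The trailing space in `readfile($sFile) ;` is a style nit worth dropping while the block is being touched.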
diff --git a/synchro/synchro_exec.php b/synchro/synchro_exec.php
index 28e0af9e5..9638a40f8 100644
--- a/synchro/synchro_exec.php
+++ b/synchro/synchro_exec.php
@@ -135,7 +135,7 @@ foreach(explode(',', $sDataSourcesList) as $iSDS)
$oSynchroDataSource = MetaModel::GetObject('SynchroDataSource', $iSDS, false);
if ($oSynchroDataSource == null)
{
- $oP->p("ERROR: The data source (id=$iSDS) does not exist. Exiting...");
+ $oP->p("ERROR: The data source (id=".utils::HtmlEntities($iSDS).") does not exist. Exiting...");
$oP->output();
exit -3;
}