There is a major security issue with using the dompdf.php file. The library can be used without it (and you actually aren't using it in your module), so it should be left out. I have informed the author of the original library, but it should be noted in your documentation. The fix is to remove dompdf.php and just use dompdf_config.inc.php directly for the class (as you are doing).

Here is a demonstration of the issue:

http://yoursite.com/sites/all/modules/dompdf/dompdf/dompdf.php?input_fil...

makes a nice PDF of the system passwd file (get a list of all users on the system).

?input_file=../../../../default/settings.php does not return the Drupal install settings, only because it looks like HTML (the <?) and the lib chokes on it.

This is a super-major issue.

Comments

jrbeeman

Great find - thanks very much for doing the legwork on it. I have updated the README.txt with information on removing the offending file, and it should be ready to go as of r99571.

For those users currently running the module, simply remove dompdf.php from the dompdf library folder. This module does not make use of that file in any way.
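An audit helper for the remediation described in this thread, added here as an example; it is not code from the dompdf module or the dompdf library. It assumes the library sits at the path quoted in the report (relative to a Drupal document root passed as the first argument), that the access log is in combined format, and the sample log lines embedded in it are constructed. It checks that dompdf.php is gone, that dompdf_config.inc.php (the file the module actually uses) is still in place, and counts past requests to dompdf.php that carried an input_file parameter so an administrator can see whether the wrapper was ever reached before removal.

```shell
#!/bin/sh
# Added audit helper for the fix discussed in this issue; not code from the
# dompdf module or library. Assumptions: the Drupal document root is passed as
# an argument, the library lives at the path quoted in the report, and the web
# server log is in combined format. The sample log lines below are constructed.

WRAPPER_REL="sites/all/modules/dompdf/dompdf/dompdf.php"
CONFIG_REL="sites/all/modules/dompdf/dompdf/dompdf_config.inc.php"

# Return 0 when the standalone wrapper is gone, 1 when it is still present.
wrapper_removed() {
    if [ -f "$1/$WRAPPER_REL" ]; then
        echo "dompdf.php still present under $1" >&2
        return 1
    fi
    return 0
}

# Return 0 when dompdf_config.inc.php is still in place, so the clean-up did
# not take the library itself along with the wrapper.
library_intact() {
    [ -f "$1/$CONFIG_REL" ]
}

# Count access-log lines (stdin) that request dompdf.php with an input_file
# parameter anywhere in the query string. grep -c exits 1 on zero matches, so
# "|| true" keeps this usable under set -e; the count is the only output.
count_input_file_requests() {
    grep -c 'dompdf\.php?[^ "]*input_file=' || true
}

# Constructed sample log: one request reusing the settings.php path from the
# report, one unrelated page view, one request where input_file follows another
# parameter.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /sites/all/modules/dompdf/dompdf/dompdf.php?input_file=../../../../default/settings.php HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2010:10:00:01 +0000] "GET /node/1 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2010:10:00:02 +0000] "GET /sites/all/modules/dompdf/dompdf/dompdf.php?base_path=/&input_file=report.html HTTP/1.1" 200 1024'

# Run the filesystem checks against a document root and the log check against
# a log file. Exit status 0 means the wrapper is gone, the library is intact,
# and no request to dompdf.php with input_file was logged.
audit_site() {
    docroot="$1"; logfile="$2"; status=0
    wrapper_removed "$docroot" || status=1
    library_intact "$docroot" || { echo "dompdf_config.inc.php missing under $docroot" >&2; status=1; }
    hits=$(count_input_file_requests < "$logfile")
    [ "$hits" = "0" ] || { echo "$hits request(s) to dompdf.php with input_file in $logfile" >&2; status=1; }
    return $status
}

# Usage: sh audit_dompdf.sh /var/www/drupal /var/log/apache2/access.log
# Sourcing the file with no arguments only defines the functions.
if [ "$#" -eq 2 ]; then
    audit_site "$1" "$2"
fi
```

The log check deliberately matches any input_file request rather than only traversal-looking ones: the module never calls dompdf.php, so every hit on that URL is worth a look regardless of what the parameter contained.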

jrbeeman

Status: Active » Fixed

Marking as fixed, to the extent that it can be addressed here.

Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

roball

The README.txt says you are affected "If you are using dompdf version 0.5.1 or lower...", however version 0.5.2 alpha 1 also contains "dompdf.php".

roball

Status: Closed (fixed) » Active