Fixed Path Traversal security vulnerability reported by Positive Technologies

Author: nicolaasuni

CHANGELOG.TXT

@@ -1,3 +1,6 @@
+6.9.0 (2025-04-03)
+	- Fixed Path Traversal security vulnerability reported by Positive Technologies.
+
 6.9.0 (2025-03-30)
 	- Added PHP 8.4 testing.
 	- Removed tcpdf_import.php and tcpdf_parser.php files (for a parser check the tc-lib-pdf-parser project instead).

VERSION

@@ -1 +1 @@
-6.9.0
+6.9.1

composer.json

@@ -12,7 +12,7 @@
         "barcodes"
     ],
     "homepage": "http://www.tcpdf.org/",
-    "version": "6.9.0",
+    "version": "6.9.1",
     "license": "LGPL-3.0-or-later",
     "authors": [
         {

include/tcpdf_static.php

@@ -55,7 +55,7 @@ class TCPDF_STATIC {
 	 * Current TCPDF version.
 	 * @private static
 	 */
-	private static $tcpdf_version = '6.9.0';
+	private static $tcpdf_version = '6.9.1';
 
 	/**
 	 * String alias for total number of pages.
@@ -2652,7 +2652,6 @@ public static function getPageMode($mode='UseNone') {
 		return $page_mode;
 	}
 
-
 } // END OF TCPDF_STATIC CLASS
 
 //============================================================+

tcpdf.php

@@ -1,9 +1,9 @@
 <?php
 //============================================================+
 // File name   : tcpdf.php
-// Version     : 6.9.0
+// Version     : 6.9.1
 // Begin       : 2002-08-03
-// Last Update : 2025-03-30
+// Last Update : 2025-04-03
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - [email protected]
 // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
 // -------------------------------------------------------------------
@@ -104,7 +104,7 @@
  * Tools to encode your unicode fonts are on fonts/utils directory.</p>
  * @package com.tecnick.tcpdf
  * @author Nicola Asuni
- * @version 6.9.0
+ * @version 6.9.1
  */
 
 // TCPDF configuration
@@ -128,7 +128,7 @@
  * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
  * @package com.tecnick.tcpdf
  * @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.9.0
+ * @version 6.9.1
  * @author Nicola Asuni - [email protected]
  * @IgnoreAnnotation("protected")
  * @IgnoreAnnotation("public")
@@ -18868,6 +18868,17 @@ public function writeHTML($html, $ln=true, $fill=false, $reseth=false, $cell=fal
 		unset($dom);
 	}
 
+	/**
+	 * Check if the path is relative.
+	 * @param string $path path to check
+	 * @return boolean true if the path is relative
+	 * @protected
+	 * @since 6.9.1
+	 */
+	 protected function isRelativePath($path) {
+		return (strpos(str_ireplace('%2E', '.', $this->unhtmlentities($path)), '..') !== false);
+	}
+
 	/**
 	 * Process opening tags.
 	 * @param array $dom html dom array
@@ -19060,7 +19071,7 @@ protected function openHTMLTagHandler($dom, $key, $cell) {
 				} else if (preg_match('@^data:image/([^;]*);base64,(.*)@', $imgsrc, $reg)) {
 					$imgsrc = '@'.base64_decode($reg[2]);
 					$type = $reg[1];
-				} elseif (strpos($imgsrc, '../') !== false) {
+				} elseif ($this->isRelativePath($imgsrc)) {
 					// accessing parent folders is not allowed
 					break;
 				} elseif ( $this->allowLocalFiles && substr($imgsrc, 0, 7) === 'file://') {
@@ -24467,7 +24478,7 @@ protected function startSVGElementHandler($parser, $name, $attribs, $ctm=array()
 						$img = '@'.base64_decode(substr($img, strlen($m[0])));
 					} else {
 						// fix image path
-						if (strpos($img, '../') !== false) {
+						if ($this->isRelativePath($img)) {
 							// accessing parent folders is not allowed
 							break;
 						}