Summary
The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing
Details
The bug occurs during SVG parsing of
if ($type === "svg") { $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false); xml_set_element_handler( $parser, function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if ($name === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER);
This part will try to detect
<svg> <Image xlink:href="phar:///foo"></Image> </svg>
As the tag is named «Image» and not «image», it will not pass the condition to trigger the check.
A correct solution would be to strtolower the
if (strtolower($name) === "image") {
PoC
Parsing the following SVG file is sufficient to reproduce the vulnerability :
<svg> <Image xlink:href="phar:///foo"></Image> </svg>
Impact
An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.