Update dependency dompdf/dompdf to v2.0.4 [SECURITY] (master)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
dompdf/dompdf	2.0.3 -> 2.0.4

GitHub Vulnerability Alerts

CVE-2023-50262

Summary

When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, a recursive chained using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.

Details

php-svg-lib, when run in isolation, does not support SVG references for image elements. An SVG document can, however, be referenced and Dompdf will run that reference through the same validation. Dompdf currently includes validation to prevent self-referential image references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion in the validation process by chaining references between two or more SVG images.

PoC

This following sources can be used to bypass validation provided by Dompdf:

recurse.html

<img src="one.svg">

one.svg

<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <image href="two.svg" />
</svg>

two.svg

<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <image href="one.svg" />
</svg>

Impact

When Dompdf parses the above payload, it will crash due after exceeding the allowed execution time or memory usage. An attacker sending multiple request to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.

---

Release Notes

dompdf/dompdf (dompdf/dompdf)

v2.0.4: Dompdf 2.0.4

Compare Source

Change highlights since 2.0.3

This release addresses the following announced vulnerability:

Vulnerability	References	Type	Severity
Possible DoS caused by infinite recursion when validating SVG images	GHSA-3qx2-6f78-w2j2	Resource Exhaustion	Moderate

2.0.x highlights

• Modifies callback and page_script/page_text handling
• Switches the HTML5 parser to Masterminds/HTML5
• Improves CSS property parsing and representation
• Switches installed fonts and font metrics cache file format to JSON

View all changes since the previous release in the commit history.

We would like to extend our gratitude to the community members who helped make this release possible.

Requirements

Dompdf 2.0.4 requires the following:

• PHP 7.1 or greater
• html5-php v2.0.0 or greater
• php-font-lib v0.5.4 or greater
• php-svg-lib v0.3.3 or greater

Note that some dependencies may have further dependencies (notably php-svg-lib requires sabberworm/php-css-parser).

Additionally, the following are recommended for optimal use:

• GD (for image processing)
• allow_url_fopen set to true or the curl PHP extension (for retrieving stylesheets, images, etc via http)

For full requirements and recommendations see the requirements page on the wiki.

Download Instructions

The dompdf team recommends that you use Composer for easier dependency management.

If you're not yet using Composer you can download a packaged release of dompdf which includes all the files you need to use the library. Click the link labeled "dompdf_2-0-4.zip" for the packaged release. The download options labeled "Source code" are auto-generated by github and do not include all the dependencies.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.