php · pontedilana/php-weasyprintHeads-up
pontedilana/php-weasyprint SSRF and local file disclosure via attachment option
Versions <= 2.5.1 are vulnerable to SSRF and local file disclosure via the attachment option, which uses file_get_contents() on any URL scheme accepted by FILTE
What changed
Versions <= 2.5.1 are vulnerable to SSRF and local file disclosure via the attachment option, which uses file_get_contents() on any URL scheme accepted by FILTER_VALIDATE_URL. Patched in 2.6.0.
Who it affects
Any application using pontedilana/php-weasyprint that passes user-controlled input to the attachment option of Pdf::generate(), Pdf::getOutput(), or setOption('attachment', ...).
What to do today
Upgrade to version 2.6.0 or later, and ensure no untrusted input is passed to the attachment option.
The trail
Collected→
Audited→
Written→
Published