GHSA-f3qr-qr4x-j273

Suggest an improvement
Source
https://github.com/advisories/GHSA-f3qr-qr4x-j273
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-f3qr-qr4x-j273/GHSA-f3qr-qr4x-j273.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f3qr-qr4x-j273
Aliases
Published
2024-02-21T18:04:16Z
Modified
2024-02-21T19:46:57.106732Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
php-svg-lib lacks path validation on font through SVG inline styles
Details

Summary

php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.

Details

The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the font-family and prevents it to use a PHAR url, to avoid passing an invalid and dangerous fontName value to other libraries. The same check as done in the Style::fromStyleSheets might be reused :

                if (
                    \array_key_exists("font-family", $styles)
                    && (
                        \strtolower(\substr($this->href, 0, 7)) === "phar://"
                        || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
                    )
                ) {
                    unset($style["font-family"]);
                }

PoC

Parsing the following SVG :

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
    <text x="20" y="35" style="color:red;font-family:phar:///path/to/whatever.phar/blaklis;">My</text>
</svg>

will pass the phar:///path/to/whatever.phar/blaklis as $family in SurfaceCpdf::setFont, which is then passed to the canvas selectFont as a $fontName.

Impact

Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the fontName that is passed by php-svg-lib

Database specific
{
    "nvd_published_at": "2024-02-21T17:15:09Z",
    "cwe_ids": [
        "CWE-502",
        "CWE-73"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T18:04:16Z"
}
References

Affected packages

Packagist / phenx/php-svg-lib

Package

Name
phenx/php-svg-lib
Purl
pkg:composer/phenx/php-svg-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.5.2

Affected versions

0.*

0.1
0.3.4
0.4.0
0.4.1
0.5.0
0.5.1

v0.*

v0.2
v0.3.0
v0.3.1
v0.3.2
v0.3.3