使用dompdf访问远程映像的安全问题 [英] Security Issue on Accessing Remote Image with dompdf

问题描述

我正在使用dompdf生成PDF文件，该文件从highcharts.js导出库中获取了一些图像（动态图表）。现在，我必须将DOMPDF_ENABLE_REMOTE的默认设置从 false更改为 true，以使dompdf能够包含来自远程站点的图像。我只是注意到启用此功能会导致服务器安全性问题，现在我的问题是此问题可能有多严重，以及如何防止这些问题发生？除了可以访问远程资源（在本例中为图像）之外，还有其他其他设置可用来阻止安全风险吗？
谢谢

I am using dompdf to generate PDF file which is getting some images (Dynamic charts) from highcharts.js exporting library. Now I have to change the default setting of DOMPDF_ENABLE_REMOTE from "false" to "true" to enable dompdf the inclusion of images from remote sites. I just noticed that enabling this feature can cause security issues for my server, now my question is how bad this issue might be and how I can prevent those thing? Is there any other extra setting which I can use to stop security risk besides having access to remote resources(in this case images) ? Thanks

推荐答案

在使用dompdf.php呈现文档时，启用远程访问主要是一个安全问题。 。如果您不使用该文件，则应将其删除或使其无法从网络上访问。 dompdf团队通常建议您不要使用该文件，而应直接使用dompdf类编写自己的PDF生成脚本。一旦直接使用该类，就可以通过将整个dompdf目录放置在无法通过网络访问的位置来进一步保护自己。

Enabling remote access is mainly a security issue when you're using dompdf.php to render your documents. If you're not using that file you should remove it or make it inaccessible from the web. The dompdf team generally recommends that you not use that file and instead write your own PDF generation script using the dompdf class directly. Once you're using the class directly you can further protect yourself by placing the entire dompdf directory in a location not accessible via the web.

启用远程资源时的主要问题访问和使用dompdf.php呈现文档时，就是有人可以使用dompdf.php从您的域外部加载文件，该文件似乎是由您的域生产和提供的。但是，如果您还启用了PHP解析（用于内联脚本编制），则会引起进一步的关注。启用PHP解析后，可以进一步使用远程文档通过远程执行代码来破坏您的计算机（内联脚本不仅限于PDF交互）。

The main concern when enabling remote resource access and when using dompdf.php to render documents is that someone can use dompdf.php to load a document from outside your domain that appears to by something produced and served by your domain. However, there is further concern if you also have PHP parsing enabled (for inline scripting). With PHP parsing enabled the remote document can be further used to compromise your machine via remote code execution (inline script is not limited to PDF interaction).

这篇关于使用dompdf访问远程映像的安全问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！