GHSA-97m3-52wr-xvv2: Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE
Summary
The font path returned by php-svg-lib, when a font is defined via inline CSS, is not sanitized or checked before Cpdf uses it to open the font. The path is passed to a file_exists call, which on PHP < 8.0 is sufficient to trigger metadata unserialization of a PHAR file through the phar:// stream wrapper. On other PHP versions, the same call can be used to obtain an SSRF through wrappers such as ftp://, because this path is not restricted by the authorized protocols configured in dompdf.
Details
The problem lies in the openFont function of the lib/Cpdf.php library: the $font variable passed in by php-svg-lib is not checked correctly. A path is crafted from $name and $dir, two values that can be controlled through CSS:
```php
$name = basename($font);
$dir = dirname($font);
[...]
$metrics_name = "$name.ufm";
[...]
if (!isset($this->fonts[$font]) && file_exists("$dir/$metrics_name")) {
```
Passing a font named phar:///foo/bar/baz.phar/test sets $name to test and $dir to phar:///foo/bar/baz.phar; once the path is reconstructed, file_exists is called on phar:///foo/bar/baz.phar/test.ufm. That deserializes the metadata of the arbitrary baz.phar file, provided the archive contains a test.ufm entry.
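The following is an added illustration of the kind of check missing from the path construction above; it is not dompdf's own patch, and $fontDir is an assumed stand-in for the configured font directory. It rejects any stream-wrapper scheme before the path reaches file_exists and accepts only files that resolve strictly inside the allowed directory.

```php
<?php
// Added illustration (not dompdf's own patch): validate the font path before
// it is handed to file_exists(), so that stream wrappers and paths outside
// the configured font directory never reach filesystem functions.
// $fontDir is an assumed configuration value standing in for dompdf's
// font directory setting.

function isSafeFontPath(string $font, string $fontDir): bool
{
    // Reject any scheme prefix (phar://, ftp://, ...) outright; only a plain
    // filesystem path is acceptable for a font file.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $font) === 1) {
        return false;
    }

    // Mirror the path construction performed by Cpdf::openFont().
    $name    = basename($font);
    $dir     = dirname($font);
    $metrics = "$dir/$name.ufm";

    // realpath() resolves symlinks and ".." segments and returns false when
    // the file does not exist, which is a safe outcome (nothing to open).
    $real    = realpath($metrics);
    $realDir = realpath($fontDir);
    if ($real === false || $realDir === false) {
        return false;
    }

    // Accept only files located strictly inside the allowed directory.
    $prefix = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Demonstration with a constructed temporary font directory.
$fontDir = sys_get_temp_dir() . '/fontdir_' . uniqid();
mkdir($fontDir);
file_put_contents("$fontDir/DejaVuSans.ufm", "StartFontMetrics\n");

var_dump(isSafeFontPath("$fontDir/DejaVuSans", $fontDir));
var_dump(isSafeFontPath('phar:///foo/bar/baz.phar/test', $fontDir));
var_dump(isSafeFontPath("$fontDir/../../etc/passwd", $fontDir));
```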