Merge branch 'main' into patch-1

.github/workflows/lint-docs.yml

@@ -1,5 +1,8 @@
 name: lint php documentation
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -12,7 +15,7 @@ jobs:
     lint-docs:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - name: lint php documentation
               uses: sudo-bot/action-doctum@dev
               with:

.github/workflows/tests.yml

@@ -1,5 +1,11 @@
 name: Run tests
 
+env:
+  XDEBUG_MODE: coverage
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -16,45 +22,21 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                php-version: ["5.3", "5.4", "5.5", "5.6", "7.0", "7.1", "7.2", "7.3", "7.4", "8.0", "8.1", "8.2"]
-                os: [macos-latest, windows-latest]
+                php-version: ["7.1", "7.2", "7.3", "7.4", "8.0", "8.1", "8.2"]
+                os: [ubuntu-latest]
                 experimental: [false]
-                php-extensions: ["bcmath, imagick, gd"]
+                php-extensions: ["bcmath, curl, imagick, gd"]
                 coverage-extension: ["none"]
-                exclude:
-                  # For now, we do not know how to run workflow on Windows
-                  # with imagick PHP extension for PHP 5.3 - 5.6
-                  - { php-version: '5.3', os: windows-latest }
-                  - { php-version: '5.4', os: windows-latest }
-                  - { php-version: '5.5', os: windows-latest }
-                  - { php-version: '5.6', os: windows-latest }
-                  # Somehow some tests fail under Windows and PHP 7.0,
-                  # so we disable that run for now
-                  - { php-version: '7.0', os: windows-latest }
+                # Add more specific tests
                 include:
-                  - { php-version: '5.3', os: windows-latest, experimental: false, php-extensions: 'bcmath, gd', coverage-extension: 'none' }
-                  - { php-version: '5.4', os: windows-latest, experimental: false, php-extensions: 'bcmath, gd', coverage-extension: 'none' }
-                  - { php-version: '5.5', os: windows-latest, experimental: false, php-extensions: 'bcmath, gd', coverage-extension: 'none' }
-                  - { php-version: '5.6', os: windows-latest, experimental: false, php-extensions: 'bcmath, gd', coverage-extension: 'none' }
-                  # Specify coverage extension for Ubuntu runs
-                  - { php-version: '5.3', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'xdebug' }
-                  - { php-version: '5.4', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'xdebug' }
-                  - { php-version: '5.5', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'xdebug' }
-                  - { php-version: '5.6', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'xdebug' }
-                  - { php-version: '7.0', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'xdebug' }
-                  # pcov is available from PHP 7.1
-                  - { php-version: '7.1', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
-                  - { php-version: '7.2', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
-                  - { php-version: '7.3', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
-                  - { php-version: '7.4', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
-                  - { php-version: '8.0', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
-                  - { php-version: '8.1', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
-                  - { php-version: '8.2', os: ubuntu-latest, experimental: false, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
-                  - { php-version: 'nightly', os: ubuntu-latest, experimental: true, php-extensions: 'bcmath, imagick, gd', coverage-extension: 'pcov' }
+                  #- { php-version: '8.2', experimental: false, os: macos-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'none' }
+                  - { php-version: '8.2', experimental: false, os: windows-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'none' }
+                  - { php-version: '8.3', experimental: true, os: ubuntu-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'pcov' }
+                  - { php-version: 'nightly', experimental: true, os: ubuntu-latest, php-extensions: 'bcmath, curl, imagick, gd', coverage-extension: 'pcov' }
         env:
             PDFINFO_BINARY: ${{ (matrix.os == 'ubuntu-latest') && '/usr/bin/pdfinfo' || ((matrix.os == 'macos-latest') && '/usr/local/bin/pdfinfo' || 'C:\ProgramData\Chocolatey\bin\pdfinfo.exe') }}
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - name: Install pdfinfo, pdftopng or pdftoppm
               uses: ConorMacBride/install-package@v1
               with:
@@ -81,14 +63,14 @@ jobs:
             - name: List php modules using "no php ini" mode
               run: php -m -n
             - name: Cache module
-              uses: actions/cache@v3
+              uses: actions/cache@v4
               with:
                   path: ~/.composer/cache/
                   key: composer-cache
             - name: Install dependencies
-              run: composer install --no-interaction
+              run: composer update --no-interaction
             - name: Install test dependencies
-              run: cd ./tests && composer install --no-interaction && cd ../
+              run: cd ./tests && composer update --no-interaction && cd ../
             - name: Run shell-based test suite
               if: runner.os == 'Linux'
               run: ./tests/launch.sh
@@ -118,18 +100,17 @@ jobs:
         name: Static Analysis
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
-            - name: Use php 8.0
+            - uses: actions/checkout@v4
+            - name: Use php 8.2
               uses: shivammathur/setup-php@v2
               with:
-                  php-version: 8.0
-                  tools: composer:v2
+                  php-version: 8.2
             - name: Cache module
-              uses: actions/cache@v3
+              uses: actions/cache@v4
               with:
                   path: ~/.composer/cache/
                   key: composer-cache
             - name: Install phpstan
               run: composer require --dev phpstan/phpstan
             - name: Analyse files
-              run: ./vendor/bin/phpstan --memory-limit=2G
+              run: ./vendor/bin/phpstan --memory-limit=6G

CHANGELOG.TXT

@@ -1,3 +1,63 @@
+6.8.1 (2025-01-26)
+	- Check relative paths on SVG images.
+
+6.8.0 (2024-12-23)
+	- Requires PHP 7.1+ and curl extension.
+	- Escape error message.
+	- Use strict time-constant function to compare TCPDF-tag hashes.
+	- Add K_CURLOPTS config array to set custom cURL options (NOTE: some defaults have changed).
+	- Add some addTTFfont fixes from tc-lib-pdf-font.
+
+6.7.8 (2024-12-13)
+	- Improve SVG detection by checking for (mandatory) namespace.
+	- Use late state binding now that minimum PHP version is 5.5.
+
+6.7.7 (2024-10-26)
+	- Update regular expression to avoid ReDoS (CVE-2024-22641)
+	- [PHP 8.4] Fix: Curl CURLOPT_BINARYTRANSFER deprecated #675
+	- SVG detection fix for inline data images #646
+	- Fix count svg #647
+	- Since the version 6.7.4, the "0" is considered like empty string and not displayed
+	- Fixed handling of transparency in PDF/A mode in addExtGState method
+	- Encrypt /DA string when document is encrypted
+	- Improve quality of generated seed, avoid potential security pitfall
+	- Try to use random_bytes() first if it's available
+	- Do not include the server parameters in the generated seed, as they might contain sensitive data
+	- Fix bug on _getannotsrefs when there are empty signature appearances but not other annot on a page
+	- Fix SVG coordinate parser that caused drawing artifacts
+	- Remove usage of xml_set_object() function
+
+6.7.6 (2024-10-06)
+	- Forbid access to parent folder in HTML images.
+
+6.7.5 (2024-04-20)
+	- Update GitHub actions
+	- fix: CSV-2024-22640 (#712)
+
+6.7.4 (2024-03-24)
+	- Upgrade tcpdf tag encryption algorithm.
+	- Fix regression issue #699.
+	- Fix security issue.
+	- [BREAKING CHANGE] The tcpdf HTML tag syntax has changed, see example_049.php.
+	- New K_ALLOWED_TCPDF_TAGS configuration constant to set the allowed methods for the tcdpf HTML tag.
+	- Raised minimum PHP version to PHP 5.5.0.
+
+6.6.5 (2023-09-02)
+	- Fix corrupted file.
+	- Fix GitHub automation tests.
+	- Fix SPDX license ID (#591)
+	- Fix warning "array offset on value of type null" (#620)
+	- Improve the README about the status of this library (#589)
+	- Fix deprecation warning with PHP 8.1 (#614)
+	- Fixes for PHP 8.2 in tcpdf_fonts.php (#632)
+	- Fix some php 8+ edge cases (#630)
+	- Fix composite glyph output (#581)
+	- Fix "access array offset on value of type bool" with PDF/A (#583)
+	- Fix non-numeric value warning (#627)
+	- Fix issues with S25 barcode (#611)
+	- Fix return type annotations (#613)
+	- Fix some inconsistencies in type hints (#598)
+
 6.6.2 (2022-12-17)
 	- Ensure pregSplit return type is always array.
 	- Add ability to run tests on various operating systems (#566)

LICENSE.TXT

@@ -7,7 +7,7 @@
   published by the Free Software Foundation, either version 3 of the
   License, or (at your option) any later version.
 
-  2002-2022 Nicola Asuni - Tecnick.com LTD
+  2002-2025 Nicola Asuni - Tecnick.com LTD
 
 **********************************************************************
 **********************************************************************

README.md

@@ -6,15 +6,14 @@
 
 * **category**    Library
 * **author**      Nicola Asuni <[email protected]>
-* **copyright**   2002-2022 Nicola Asuni - Tecnick.com LTD
+* **copyright**   2002-2025 Nicola Asuni - Tecnick.com LTD
 * **license**     http://www.gnu.org/copyleft/lesser.html GNU-LGPL v3 (see LICENSE.TXT)
 * **link**        http://www.tcpdf.org
 * **source**      https://github.com/tecnickcom/TCPDF
 
 
-## IMPORTANT
-A new version of this library is under development at https://github.com/tecnickcom/tc-lib-pdf and as a consequence this version will not receive any additional development or support.
-This version should be considered obsolete, new projects should use the new version as soon it will become stable.
+## NOTE
+A new version of this library is under development at https://github.com/tecnickcom/tc-lib-pdf and as a consequence this library is in support only mode.
 
 
 

VERSION

@@ -1 +1 @@
-6.6.2
+6.8.1

composer.json

@@ -12,8 +12,8 @@
         "barcodes"
     ],
     "homepage": "http://www.tcpdf.org/",
-    "version": "6.6.2",
-    "license": "LGPL-3.0-only",
+    "version": "6.8.1",
+    "license": "LGPL-3.0-or-later",
     "authors": [
         {
             "name": "Nicola Asuni",
@@ -22,7 +22,8 @@
         }
     ],
     "require": {
-        "php": ">=5.3.0"
+        "php": ">=7.1.0",
+        "ext-curl": "*"
     },
     "autoload": {
         "classmap": [

config/tcpdf_config.php

@@ -212,6 +212,14 @@
  */
 define('K_TCPDF_CALLS_IN_HTML', false);
 
+/**
+ * List of TCPDF methods that are allowed to be called using HTML syntax.
+ * Note: each method name must end with surrounded with | (pipe) character.
+ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
+ * IMPORTANT: For security reason, disable this feature if you are allowing user HTML content.
+ */
+define('K_ALLOWED_TCPDF_TAGS', '');
+
 /**
  * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
  */

examples/config/tcpdf_config_alt.php

@@ -212,6 +212,14 @@
  */
 define('K_TCPDF_CALLS_IN_HTML', true);
 
+/**
+ * List of TCPDF methods that are allowed to be called using HTML syntax.
+ * Note: each method name must end with surrounded with | (pipe) character.
+ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
+ * IMPORTANT: For security reason, disable this feature if you are allowing user HTML content.
+ */
+define('K_ALLOWED_TCPDF_TAGS', '|AddPage|Rect|SetDrawColor|write1DBarcode|');
+
 /**
  * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
  */

examples/example_049.php

@@ -2,7 +2,7 @@
 //============================================================+
 // File name   : example_049.php
 // Begin       : 2009-04-03
-// Last Update : 2014-12-10
+// Last Update : 2024-03-18
 //
 // Description : Example 049 for TCPDF class
 //               WriteHTML with TCPDF callback functions
@@ -78,36 +78,36 @@
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 
 IMPORTANT:
-If you are printing user-generated content, tcpdf tag can be unsafe.
-You can disable this tag by setting to false the K_TCPDF_CALLS_IN_HTML
-constant on TCPDF configuration file.
+If you are printing user-generated content, the tcpdf tag should be considered unsafe.
+This tag is disabled by default by the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
+Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.
 
-For security reasons, the parameters for the 'params' attribute of TCPDF
-tag must be prepared as an array and encoded with the
-serializeTCPDFtagParameters() method (see the example below).
+For security reasons, the content of the TCPDF tag must be prepared and encoded with the serializeTCPDFtag() method (see the example below).
 
  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 
 $html = '<h1>Test TCPDF Methods in HTML</h1>
 <h2 style="color:red;">IMPORTANT:</h2>
-<span style="color:red;">If you are using user-generated content, the tcpdf tag can be unsafe.<br />
-You can disable this tag by setting to false the <b>K_TCPDF_CALLS_IN_HTML</b> constant on TCPDF configuration file.</span>
+<span style="color:red;">If you are using user-generated content, the tcpdf tag should be considered unsafe.<br />
+Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.<br />
+This feature is disabled by default by the <b>K_TCPDF_CALLS_IN_HTML</b> constant on TCPDF configuration file.</span>
 <h2>write1DBarcode method in HTML</h2>';
 
-$params = $pdf->serializeTCPDFtagParameters(array('CODE 39', 'C39', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
-$html .= '<tcpdf method="write1DBarcode" params="'.$params.'" />';
+$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 39', 'C39', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+$html .= '<tcpdf data="'.$data.'" />';
 
-$params = $pdf->serializeTCPDFtagParameters(array('CODE 128', 'C128', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
-$html .= '<tcpdf method="write1DBarcode" params="'.$params.'" />';
+$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 128', 'C128', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+$html .= '<tcpdf data="'.$data.'" />';
 
-$html .= '<tcpdf method="AddPage" /><h2>Graphic Functions</h2>';
+$data = $pdf->serializeTCPDFtag('AddPage');
+$html .= '<tcpdf data="'.$data.'" /><h2>Graphic Functions</h2>';
 
-$params = $pdf->serializeTCPDFtagParameters(array(0));
-$html .= '<tcpdf method="SetDrawColor" params="'.$params.'" />';
+$data = $pdf->serializeTCPDFtag('SetDrawColor', array(0));
+$html .= '<tcpdf data="'.$data.'" />';
 
-$params = $pdf->serializeTCPDFtagParameters(array(50, 50, 40, 10, 'DF', array(), array(0,128,255)));
-$html .= '<tcpdf method="Rect" params="'.$params.'" />';
+$data = $pdf->serializeTCPDFtag('Rect', array(50, 50, 40, 10, 'DF', array(), array(0,128,255)));
+$html .= '<tcpdf data="'.$data.'" />';
 
 
 // output the HTML content

examples/example_066.php

@@ -18,8 +18,8 @@
  * @group pdf
  */
 
-// Load the autoloader, move one folder back from examples
-require_once __DIR__ . '/../vendor/autoload.php';
+// Include the main TCPDF library (search for installation path).
+require_once('tcpdf_include.php');
 
 // create new PDF document
 $pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false, true);

include/barcodes/qrcode.php

@@ -888,6 +888,7 @@ protected function getCode() {
 			if ($col >= $this->rsblocks[0]['dataLength']) {
 				$row += $this->b1;
 			}
+			$row = (int) $row;
 			$ret = $this->rsblocks[$row]['data'][$col];
 		} elseif ($this->count < $this->dataLength + $this->eccLength) {
 			$row = ($this->count - $this->dataLength) % $this->blocks;

include/tcpdf_colors.php

@@ -275,7 +275,7 @@ public static function convertHTMLColorToDec($hcolor, &$spotc, $defcol=array('R'
 		$color = strtolower($color);
 		// check for javascript color array syntax
 		if (strpos($color, '[') !== false) {
-			if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\]]/', $color, $m) > 0) {
+			if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\]]/', $color, $m) > 0) {
 				$returncolor = array();
 				switch ($m[1]) {
 					case 'cmyk': {