Merge branch 'release/1.1.1'

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning(https://semver.org/spec/v2.0.0.
 
 ## Unreleased
 
+## 1.1.1 - 2023-04-27
+### Security
+- Implement countermeasures for CVE-2023-28115
+
 ## 1.1.0 - 2023-04-03
 ### Added
 - Support WeasyPrint 58 new option (--pdf-forms)

src/AbstractGenerator.php

@@ -217,6 +217,10 @@ protected function executeCommand(string $command): array
      */
     protected function prepareOutput(string $filename, bool $overwrite): void
     {
+        if (0 === \strpos($filename, 'phar://')) {
+            throw new \InvalidArgumentException('The output file cannot be a phar archive.');
+        }
+
         $directory = \dirname($filename);
 
         if ($this->fileExists($filename)) {

tests/Unit/AbstractGeneratorTest.php

@@ -907,4 +907,32 @@ private function getPHPExecutableFromPath(): ?string
 
         return null; // not found
     }
+
+    /**
+     * test against CVE-2023-28115
+     * fix and test by @AntoineLelaisant
+     */
+    public function testFailingGenerateWithOutputContainingPharPrefix(): void
+    {
+        $media = $this->getMockBuilder(AbstractGenerator::class)
+            ->setMethods([
+                'configure',
+                'prepareOutput',
+            ])
+            ->setConstructorArgs(['the_binary', [], ['PATH' => '/usr/bin']])
+            ->getMock()
+        ;
+
+        $media->setTimeout(2000);
+
+        $media
+            ->expects($this->once())
+            ->method('prepareOutput')
+            ->with($this->equalTo('phar://the_output_file'))
+        ;
+
+        $this->expectException(\InvalidArgumentException::class);
+
+        $media->generate('the_input_file', 'phar://the_output_file', ['foo' => 'bar']);
+    }
 }