This module uses an external library (Dompdf) and I'd like to have a release of the print module closely related to the dompdf 0.7. Several steps can be taken to prepare this:
* prepare a documentation fix on this line "If you're using dompdf-0.5.1, delete the dompdf.php file as it contains a security vulnerability". Removing dompdf.php is not only recommended for old versions, it MUST be done on every installation. Print is not using this file and this file contains a large number of security issues. I think something like this could also be added:
"for versions prior to 0.7 the www folder of this library should also be removed"
And maybe this also:
"As a library dompdf could also be downloaded outside of the document root for better security."
* The print module knows the directory where dompdf is installed, so an .htaccess preventing PHP execution in this whole directory (and its subdirectories) should be added, like the one used in uploaded files directories. This is a PHP library but the module is using it as a library, nothing requires a direct PHP execution on this library (from the browser). This would remove all problems for all versions of dompdf used (at least for Apache users).
* maybe the other print libraries could also be used without direct PHP execution (as libs) and could also have this .htaccess
* maybe Drupal could install libraries outside of the web directory (one day), but that's a task for the core.
* Add instructions for removing index.php when dompdf is installed. The issues with the older dompdf were all from examples and index.php. When the project is used as a library, there's no need for those anyway.
* A fix like the hybridauth one would be good.
Reported by regilero.
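The checks proposed in the report above can be run against an existing installation. This is an added example, not code from the print module or dompdf: the function names, the top-level location assumed for `index.php`, and the list of directives treated as "PHP execution blocked" are assumptions.

```python
import os
import sys

# Entry points the report says to remove, relative to the dompdf directory.
# Assumption: index.php is looked for at the top level; www is flagged for
# every version although the report names it for versions prior to 0.7.
RISKY_PATHS = ("dompdf.php", "index.php", "www")
# Assumption: heuristic list of .htaccess directives that stop direct execution.
BLOCK_MARKERS = ("sethandler drupal_security_do_not_remove",
                 "php_flag engine off", "require all denied", "deny from all")


def htaccess_blocks_php(lib_dir):
    """True if lib_dir/.htaccess has an uncommented blocking directive."""
    path = os.path.join(lib_dir, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.strip().lower() for ln in fh
                 if not ln.lstrip().startswith("#")]
    return any(marker in ln for ln in lines for marker in BLOCK_MARKERS)


def audit_dompdf(lib_dir, docroot):
    """Return findings for a dompdf copy that is used purely as a library."""
    findings = []
    lib_real, root_real = os.path.realpath(lib_dir), os.path.realpath(docroot)
    inside = os.path.commonpath([lib_real, root_real]) == root_real
    for rel in RISKY_PATHS:
        if os.path.exists(os.path.join(lib_dir, rel)):
            findings.append(f"remove {rel}")
    # The .htaccess only matters while the web server can reach the directory.
    if inside and not htaccess_blocks_php(lib_dir):
        findings.append("add .htaccess blocking PHP execution")
    if inside:
        findings.append("note: library is inside the document root")
    return findings


if __name__ == "__main__":
    # Usage: python audit_dompdf.py <dompdf directory> <document root>
    results = audit_dompdf(sys.argv[1], sys.argv[2])
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

The exit status is non-zero whenever there is a finding, so the script can gate a deployment step.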
Comments
Comment #2
jcnventura commented: Duplicate of #2818589: Support dompdf version 0.7