This module uses an external library (Dompdf) and I'd like to have a release of the print module closely related to the dompdf 0.7. Several steps can be taken to prepare this:

* prepare a documentation fix on this line: "If you're using dompdf-0.5.1, delete the dompdf.php file as it contains a security vulnerability". Removing dompdf.php is not only recommended for old versions, it MUST be done on every installation. Print is not using this file and this file contains a big number of security issues. I think something like this could also be added:
"for versions prior to 0.7 the www folder of this library should also be removed"
And maybe this also:
"As a library, dompdf could also be downloaded outside of the document root for better security."

* The print module knows the directory where dompdf is installed; a .htaccess preventing PHP execution in this whole directory (and its subdirectories) should be added, like the one used in the uploaded files directory. This is a PHP library, but the module is using it as a library; nothing requires direct PHP execution of this library (from the browser). This would remove all problems for all versions of dompdf used (at least for Apache users).

* maybe the other print libraries could also be used without direct PHP execution (as libs) and could also have this .htaccess

* maybe Drupal could install libraries outside of the web directory (one day), but that's a task for the core.

* Add instructions for removing index.php when dompdf is installed. The issues with the older dompdf were all from examples and index.php. When the project is used as a library, there's no need for those anyway.

* A fix like the hybridauth one would be good.

Reported by regilero.
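The two mitigations the report asks for (a no-execution .htaccess over the library directory, and removal of dompdf.php, www/ and index.php when dompdf is used purely as a library) can be scripted. The following is an added example, not code from the print module, dompdf or Drupal core: `write_noexec_htaccess` drops a .htaccess modelled on the one Drupal core writes into its public files directory (same handler and `php_flag` lines), and `check_dompdf_layout` reports the entries that should not be present, returning non-zero if any are found. It assumes Apache with `AllowOverride` enabled for the library path; the function names and the directory argument are the example's own.

```shell
#!/bin/sh
# Added example (not part of the print module or dompdf): harden a dompdf
# library directory that lives under the web root on Apache.
#   1. write a .htaccess that turns off PHP execution and directory listing,
#      modelled on the one Drupal core drops into the public files directory;
#   2. report the files the issue says should not be there when dompdf is
#      used purely as a library (dompdf.php, www/, index.php).
# Assumes Apache honours .htaccess (AllowOverride) for this path.

write_noexec_htaccess() {
  dir="$1"
  cat > "$dir/.htaccess" <<'EOF'
# dompdf is only ever include()d by PHP code in the print module,
# never requested directly from the browser: block execution and listing.
Options -Indexes -ExecCGI -Includes -MultiViews

# Catch-all handler so Apache never hands these files to the PHP engine
# (the same technique and handler names Drupal core uses for its files dir).
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# Where PHP runs as an Apache module, switch the engine off outright.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
EOF
}

# Report leftovers that give a browser a direct entry point into the library.
# Returns 0 when the layout is clean, 1 when something still needs attention.
check_dompdf_layout() {
  dir="$1"
  status=0
  for entry in dompdf.php www index.php; do
    if [ -e "$dir/$entry" ]; then
      echo "remove: $dir/$entry (not needed when dompdf is used as a library)"
      status=1
    fi
  done
  if [ ! -f "$dir/.htaccess" ]; then
    echo "missing: $dir/.htaccess (PHP execution is not blocked)"
    status=1
  fi
  return "$status"
}

# Usage: harden.sh /path/to/sites/all/libraries/dompdf   (path is an example)
if [ -n "${1:-}" ]; then
  write_noexec_htaccess "$1"
  check_dompdf_layout "$1"
fi
```

Running it against the library directory writes the .htaccess and prints the remaining entries to delete; a zero exit code on a second run means the layout matches what the issue recommends. On nginx or when `AllowOverride` is off, the .htaccess is silently ignored, so the check only proves the file is present, not that Apache enforces it.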

Comments

micnap created an issue. See original summary.

jcnventura

Status: Active » Closed (duplicate)