From 582f1cd7f7865c688b2ca8459e8fca47725517fc Mon Sep 17 00:00:00 2001 
From: "Christoph M. Becker"
Date: Sun, 5 Jan 2025 14:30:04 +0100
Subject: [PATCH 1/2] Fix bug 64823: ZTS GD fails to to find system TrueType font
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

First, the `$fontfile` parameter actually supports a semicolon delimited list of fonts (as documented[1]); thus passing the full string to `VCWD_REALPATH()` or `php_check_open_basedir()` makes no sense; we could pass the individual parts, but …

Second, libgd uses an elaborate font detection. There is a hard-coded `DEFAULT_PATH` which can be overridden by the environment variable `GDFONTPATH`. Semantics are like the `PATH` environment variable. If `DEFAULT_PATH` was still exposed (it is no longer as of libgd 2.1.0[2]), we could take that into account, but …

External libgd can be configured with font-config support, so font aliases and even lookup patterns are supported. There is no way to cater to that upfront.

Thus, we no longer interfere with libgd's font lookup. Checking the realpath was already doubtful (we didn't even use the resolved path). Lifting the open_basedir restriction is a bit more delicate, but the manual still states that open_basedir would not apply, and more relevant, not much harm can be done, because libgd only passes the found font to `FT_New_Face()` which likely fails for any non font files without any error which could reveal sensitive information. And the font file is never written.

It should be noted that this solves lookup of system fonts, does not change the behavior for absolute font paths, but still does not resolve issues with relative paths to font files in ZTS environments using external libgd (our bundled libgd has a workaround for that). This particular issue cannot be solved, so users of ZTS builds still need to add `realpath(.)` to the `GDFONTPATH` as documented in the manual (or pass absolute paths as `$fontfile`).
[1] [2] --- ext/gd/gd.c | 12 ------------ ext/gd/tests/bug64823.phpt | 13 +++++++++++++ 2 files changed, 13 insertions(+), 12 deletions(-) create mode 100644 ext/gd/tests/bug64823.phpt diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 17bda3d65e2dc..c5f7b65ce4c8b 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -3374,18 +3374,6 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode) } } -#ifdef VIRTUAL_DIR - { - char tmp_font_path[MAXPATHLEN]; - - if (!VCWD_REALPATH(fontname, tmp_font_path)) { - fontname = NULL; - } - } -#endif /* VIRTUAL_DIR */ - - PHP_GD_CHECK_OPEN_BASEDIR(fontname, "Invalid font filename"); - // libgd note: Those should return const char * ideally, but backward compatibility .. if (EXT) { error = gdImageStringFTEx(im, brect, col, fontname, ptsize, angle, x, y, str, &strex); diff --git a/ext/gd/tests/bug64823.phpt b/ext/gd/tests/bug64823.phpt new file mode 100644 index 0000000000000..89c818b22f14b --- /dev/null +++ b/ext/gd/tests/bug64823.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #64823 (ZTS GD fails to to find system TrueType font) +--EXTENSIONS-- +gd +--FILE-- + +--EXPECT-- +bool(true) From 1df75a2041bba62d6bc80c7696a97fad98177bd7 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 6 Jan 2025 19:05:57 +0100 Subject: [PATCH 2/2] Drop test case Cf. . --- ext/gd/tests/bug64823.phpt | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 ext/gd/tests/bug64823.phpt diff --git a/ext/gd/tests/bug64823.phpt b/ext/gd/tests/bug64823.phpt deleted file mode 100644 index 89c818b22f14b..0000000000000 --- a/ext/gd/tests/bug64823.phpt +++ /dev/null @@ -1,13 +0,0 @@ ---TEST-- -Bug #64823 (ZTS GD fails to to find system TrueType font) ---EXTENSIONS-- -gd ---FILE-- - ---EXPECT-- -bool(true)
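Review bot: In the ext/gd/gd.c hunk (@@ -3374), deleting `PHP_GD_CHECK_OPEN_BASEDIR(fontname, "Invalid font filename");` outright means `fontname` reaches `gdImageStringFTEx()` with no open_basedir check in any case. That includes a single absolute path, where the check was well defined and the semicolon-list and fontconfig arguments from the commit message do not apply. Consider keeping the check when the value is one absolute path containing no `;`, and skipping it only for names that libgd has to resolve itself. Either way, a short comment at this spot saying that open_basedir is intentionally not applied to font lookup would keep the check from being reintroduced later as an apparent omission.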
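Review bot: Patch 2/2 deletes ext/gd/tests/bug64823.phpt, so the series ends with the gd.c change and no regression test covering it. The test as added in 1/2 has only --TEST--, --EXTENSIONS--, --FILE-- and --EXPECT-- sections, with nothing that would skip it where no system TrueType font is installed. Rather than dropping it, consider adding a --SKIPIF-- section that skips when the font cannot be found, or using an --ENV-- section to point `GDFONTPATH` at a directory holding a font shipped with the tests, so the lookup path this fix restores stays exercised.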