From f698c623612f978e6040b74b9d81330a18eba82e Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 6 Jan 2025 19:05:57 +0100 Subject: [PATCH] Fix bug 64823: ZTS GD fails to to find system TrueType font MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit First, the `$fontfile` parameter actually supports a semicolon delimited list of fonts (as documented[1]); thus passing the full string to `VCWD_REALPATH()` or `php_check_open_basedir()` makes no sense; we could pass the individual parts, but … Second, libgd uses an elaborate font detection. There is a hard- coded `DEFAULT_PATH` which can be overridden by the environment variable `GDFONTPATH`. Semantics are like the `PATH` environment variable. If `DEFAULT_PATH` was still exposed (it is no longer as of libgd 2.1.0[2]), we could take that into account, but … External libgd can be configured with font-config support, so font aliases and even lookup patterns are supported. There is no way to cater to that upfront. Thus, we no longer interfere with libgd's font lookup. Checking the realpath was already doubtful (we didn't even use the resolved path). Lifting the open_basedir restriction is a bit more delicate, but the manual still states that open_basedir would not apply, and more relevant, not much harm can be done, because libgd only passes the found font to `FT_New_Face()` which likely fails for any non font files without any error which could reveal sensitive information. And the font file is never written. It should be noted that this solves lookup of system fonts, does not change the behavior for absolute font paths, but still does not resolve issues with relative paths to font files in ZTS environments using external libgd (our bundled libgd has a workaround for that). This particular issue cannot be solved, so users of ZTS builds still need to add `realpath(.)` to the `GDFONTPATH` as documented in the manual (or pass absolute paths as `$fontfile`). [1] [2] Closes GH-17366. --- NEWS | 1 + ext/gd/gd.c | 12 ------------ 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/NEWS b/NEWS index 7807625ac34..181f2549237 100644 --- a/NEWS +++ b/NEWS @@ -35,6 +35,7 @@ PHP NEWS - GD: . Fixed bug #68629 (Transparent artifacts when using imagerotate). (pierre, cmb) + . Fixed bug #64823 (ZTS GD fails to to find system TrueType font). (cmb) - Intl: . Bumped ICU requirement to ICU >= 57.1. (cmb) diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 17bda3d65e2..c5f7b65ce4c 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -3374,18 +3374,6 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode) } } -#ifdef VIRTUAL_DIR - { - char tmp_font_path[MAXPATHLEN]; - - if (!VCWD_REALPATH(fontname, tmp_font_path)) { - fontname = NULL; - } - } -#endif /* VIRTUAL_DIR */ - - PHP_GD_CHECK_OPEN_BASEDIR(fontname, "Invalid font filename"); - // libgd note: Those should return const char * ideally, but backward compatibility .. if (EXT) { error = gdImageStringFTEx(im, brect, col, fontname, ptsize, angle, x, y, str, &strex);