Merge pull request marcbachmann#3 from Mik317/master

[FIX] Arbitrary file read using `secure arguments` for `PhantomJS`
Placeloop · Sep 3, 2020 · 7e8f6a7 · 7e8f6a7
2 parents 1898ffc + 54a1535
commit 7e8f6a7
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -84,6 +84,8 @@ config = {
 
  // Export options
  "directory": "/tmp", // The directory the file gets written into if not using .toFile(filename, callback). default: '/tmp'
+
+ "readLocalFile": false, // Option to help specify if access to 'local files' is allowed or not (default *false* to avoid 'arbitrary file read')
 
  // Papersize Options: http://phantomjs.org/api/webpage/property/paper-size.html
  "height": "10.5in", // allowed units: mm, cm, in, px

diff --git a/lib/pdf.js b/lib/pdf.js
@@ -34,6 +34,8 @@ function PDF (html, options) {
 
  if (this.options.filename) this.options.filename = path.resolve(this.options.filename)
  if (!this.options.phantomPath) this.options.phantomPath = phantomjs && phantomjs.path
+ if (!this.options.readLocalFile) this.options.phantomArgs.push("--local-url-access=false")
+
  this.options.phantomArgs = this.options.phantomArgs || []
  assert(this.options.phantomPath, "html-pdf: Failed to load PhantomJS module. You have to set the path to the PhantomJS binary using 'options.phantomPath'")
  assert(typeof this.html === 'string' && this.html.length, "html-pdf: Can't create a pdf without an html string")