CVE-2026-49358
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
描述
### Summary `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` — invoked from `__destruct()` and from a registered shutdown function — calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue [GHSA-87qc-37cw-84h4](https://github.com/KnpLabs/snappy/security/advisories/GHSA-87qc-37cw-84h4), patched in snappy 1.7.2. ### Affected versions `pontedilana/php-weasyprint` versions `<= 2.5.1`. Patched in: `2.6.0`. ### Vulnerable code `src/AbstractGenerator.php`: ```php public array $temporaryFiles = []; // ... public function removeTemporaryFiles(): void { foreach ($this->temporaryFiles as $file) { $this->unlink($file); } } ``` No path-containment check: whatever path is present in `$temporaryFiles` at shutdown is unlinked. ### Proof of concept ```php <?php use Pontedilana\PhpWeasyPrint\Pdf; $pdf = new Pdf(); $pdf->temporaryFiles[] = '/var/www/html/.env'; // On shutdown, removeTemporaryFiles() deletes /var/www/html/.env. ``` ### Impact - Arbitrary file deletion bound to script shutdown, scoped to the privileges of the PHP process user. - Not directly exploitable on its own (the attacker already needs to influence the property in the same request). The risk is **amplification**: chained with a separate disclosure bug it enables leak-then-delete-to-cover-tracks, and any deserialization/property-oriented gadget that reaches this property becomes a generic file-delete primitive. CWE-73 (External Control of File Name or Path). ### Suggested fix Only delete files that actually live inside the temporary folder, comparing canonical (`realpath`) paths: ```php public function removeTemporaryFiles(): void { $temporaryFolderPath = \realpath($this->getTemporaryFolder()); if (false === $temporaryFolderPath) { return; } $temporaryFolderPath = \rtrim($temporaryFolderPath, \DIRECTORY_SEPARATOR) . \DIRECTORY_SEPARATOR; foreach ($this->temporaryFiles as $file) { $filePath = \realpath($file); if (false === $filePath || 0 !== \strncmp($filePath, $temporaryFolderPath, \strlen($temporaryFolderPath))) { continue; } $this->unlink($file); } } ``` (The trailing directory separator prevents a sibling folder such as `/tmpevil` from matching `/tmp`; `strncmp` is used instead of `str_starts_with` to keep PHP 7.4 compatibility.) ### Credit Reported upstream to KnpLabs/snappy ([GHSA-87qc-37cw-84h4](https://github.com/KnpLabs/snappy/security/advisories/GHSA-87qc-37cw-84h4)); identified as applicable to `pontedilana/php-weasyprint`, which mirrors the same code.