Disable PHAR protocol

Author: nicolaasuni

CHANGELOG.TXT

@@ -1,5 +1,8 @@
-6.9.0 (2025-04-03)
-	- Fixed Path Traversal security vulnerability reported by Positive Technologies.
+6.9.2 (2025-04-18)
+	- Fixed "Deserialization of untrusted data" security vulnerability reported by Positive Technologies.
+
+6.9.1 (2025-04-03)
+	- Fixed "Path Traversal" security vulnerability reported by Positive Technologies.
 
 6.9.0 (2025-03-30)
 	- Added PHP 8.4 testing.

VERSION

@@ -1 +1 @@
-6.9.1
+6.9.2

composer.json

@@ -12,7 +12,7 @@
         "barcodes"
     ],
     "homepage": "http://www.tcpdf.org/",
-    "version": "6.9.1",
+    "version": "6.9.2",
     "license": "LGPL-3.0-or-later",
     "authors": [
         {

include/tcpdf_static.php

@@ -55,7 +55,7 @@ class TCPDF_STATIC {
 	 * Current TCPDF version.
 	 * @private static
 	 */
-	private static $tcpdf_version = '6.9.1';
+	private static $tcpdf_version = '6.9.2';
 
 	/**
 	 * String alias for total number of pages.

tcpdf.php

@@ -1,9 +1,9 @@
 <?php
 //============================================================+
 // File name   : tcpdf.php
-// Version     : 6.9.1
+// Version     : 6.9.2
 // Begin       : 2002-08-03
-// Last Update : 2025-04-03
+// Last Update : 2025-04-18
 // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - [email protected]
 // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
 // -------------------------------------------------------------------
@@ -104,7 +104,7 @@
  * Tools to encode your unicode fonts are on fonts/utils directory.</p>
  * @package com.tecnick.tcpdf
  * @author Nicola Asuni
- * @version 6.9.1
+ * @version 6.9.2
  */
 
 // TCPDF configuration
@@ -128,7 +128,7 @@
  * TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
  * @package com.tecnick.tcpdf
  * @brief PHP class for generating PDF documents without requiring external extensions.
- * @version 6.9.1
+ * @version 6.9.2
  * @author Nicola Asuni - [email protected]
  * @IgnoreAnnotation("protected")
  * @IgnoreAnnotation("public")
@@ -7865,7 +7865,7 @@ public function _destroy($destroyall=false, $preserve_objcopy=false) {
 			}
 			if (isset($this->imagekeys)) {
 				foreach($this->imagekeys as $file) {
-					if (strpos($file, K_PATH_CACHE) === 0 && TCPDF_STATIC::file_exists($file)) {
+					if (strpos($file,  K_PATH_CACHE.'__tcpdf_'.$this->file_id.'_') === 0 && TCPDF_STATIC::file_exists($file)) {
 						@unlink($file);
 					}
 				}

tcpdf_autoconfig.php

@@ -3,11 +3,11 @@
 // File name   : tcpdf_autoconfig.php
 // Version     : 1.1.1
 // Begin       : 2013-05-16
-// Last Update : 2014-12-18
+// Last Update : 2025-04-18
 // Authors     : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - [email protected]
 // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
 // -------------------------------------------------------------------
-// Copyright (C) 2011-2014 Nicola Asuni - Tecnick.com LTD
+// Copyright (C) 2011-2025 Nicola Asuni - Tecnick.com LTD
 //
 // This file is part of TCPDF software library.
 //
@@ -37,9 +37,14 @@
  * @file
  * Try to automatically configure some TCPDF constants if not defined.
  * @package com.tecnick.tcpdf
- * @version 1.1.1
+ * @version 1.2.1
  */
 
+// Disable phar stream wrapper to prevent deserialization vulnerability.
+if (in_array('phar', stream_get_wrappers(), true)) {
+    stream_wrapper_unregister('phar');
+}
+
 // DOCUMENT_ROOT fix for IIS Webserver
 if ((!isset($_SERVER['DOCUMENT_ROOT'])) OR (empty($_SERVER['DOCUMENT_ROOT']))) {
 	if(isset($_SERVER['SCRIPT_FILENAME'])) {