Table of contents
By default tc-lib-pdf does not fetch remote URLs. Images, fonts, and SVG files referenced by HTTP or HTTPS are blocked unless you explicitly allow the originating hosts. Local file reads are split between internal library IO and markup-originated resource loads, with separate allowlists.
How Remote Access Is Controlled
Remote access is configured through the optional fileOptions array passed as the last argument to the Tcpdf constructor (and forwarded to initClassObjects()).
$pdf = new \Com\Tecnick\Pdf\Tcpdf(
unit: 'mm',
fileOptions: [
'allowedHosts' => ['cdn.example.com', 'assets.myapp.io'],
],
);
Only the listed host names are permitted. Any attempt to load a resource from an unlisted host is silently blocked.
Restricting Local Paths
The allowedPaths key controls which local path prefixes may be read by the shared file helper for internal library IO, such as temp-backed signing flows, fonts, and other explicit file operations.
- If you omit
allowedPaths, tc-lib-pdf computes a default trusted set. - If you pass
allowedPaths, your list replaces the defaults (it is not merged).
The computed defaults come from trusted local roots, including:
- The system temp directory.
- The package root.
- Bundled
vendor/tecnickcomassets. K_PATH_FONTSwhen that constant is defined and resolves to a real path.
These defaults are returned by Com\\Tecnick\\Pdf\\Base::defaultFileAllowedPaths().
The markupAllowedPaths key controls which local path prefixes may be read when resources are referenced by rendered HTML, CSS, or SVG markup.
- If you omit
markupAllowedPathsand provideallowedPaths, tc-lib-pdf reuses your explicitallowedPathslist for markup. - If you omit both keys, tc-lib-pdf computes a stricter markup default that excludes the system temp directory.
- If you pass
markupAllowedPaths, your list replaces markup defaults (it is not merged).
The stricter markup defaults are returned by Com\\Tecnick\\Pdf\\Base::defaultMarkupAllowedPaths().
Windows absolute paths with drive letters are supported as long as they are absolute and match a trusted root after path normalization. You can supply them in native form (C:\\...) or normalized form (C:/...); using the same canonical format for both the allowlist and the resource path is the safest option.
$pdf = new \Com\Tecnick\Pdf\Tcpdf(
unit: 'mm',
fileOptions: [
'allowedPaths' => [
(string) realpath(sys_get_temp_dir()),
(string) realpath(__DIR__ . '/../storage/pdf-assets'),
(string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
],
'markupAllowedPaths' => [
(string) realpath(__DIR__ . '/../storage/pdf-assets'),
(string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
],
],
);
When you override allowedPaths, include every local directory needed for trusted internal operations, such as temp-backed signature files, image fixtures, custom font directories, and cache-backed assets.
When you override markupAllowedPaths, include only directories that should be reachable from rendered markup.
fileOptions Reference
| Key | Type | Default | Description |
|---|---|---|---|
allowedHosts | string[] | [] (none) | Host names the library may fetch over HTTP/HTTPS. Remote loading is disabled when this list is empty. |
allowedPaths | string[] | Computed internal trusted roots | Local path prefixes permitted for internal file reads. Passing this key replaces defaults, so include all required temp/cache/font directories. |
markupAllowedPaths | string[] | Explicit allowedPaths value, else stricter computed roots | Local path prefixes permitted for file reads triggered by rendered HTML, CSS, or SVG markup. Passing this key replaces markup defaults. |
maxRemoteSize | int | 52428800 (50 MiB) | Maximum bytes accepted for a single remote download. Requests exceeding this limit are aborted. |
curlopts | array<int, bool|int|string> | [] | Per-request cURL options (keyed by CURLOPT_* constants) merged on top of the built-in defaults. |
defaultCurlOpts | array<int, bool|int|string> | null | Replaces the built-in default cURL option set entirely. Omit this key to keep the safe defaults. |
fixedCurlOpts | array<int, bool|int|string> | null | cURL options that are always enforced and cannot be overridden by curlopts for locked-down environments. |
Example: Pinning TLS and Setting a Short Timeout
$pdf = new \Com\Tecnick\Pdf\Tcpdf(
unit: 'mm',
fileOptions: [
'allowedHosts' => ['cdn.example.com'],
'allowedPaths' => [
(string) realpath(sys_get_temp_dir()),
(string) realpath(__DIR__ . '/../storage/pdf-assets'),
(string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
],
'markupAllowedPaths' => [
(string) realpath(__DIR__ . '/../storage/pdf-assets'),
(string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
],
'maxRemoteSize' => 10 * 1024 * 1024,
'curlopts' => [
CURLOPT_TIMEOUT => 10,
CURLOPT_CONNECTTIMEOUT => 5,
],
'fixedCurlOpts' => [
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
],
],
);
Operational Guidance
- Prefer explicit host allowlists rather than wildcards.
- Configure
allowedPathsfor trusted internal operations andmarkupAllowedPathsfor rendered markup paths. - Keep
markupAllowedPathsnarrower thanallowedPathswhen possible. - Keep
maxRemoteSizeconservative when users can influence asset URLs. - Use
fixedCurlOptswhen you need organization-wide TLS constraints that downstream code must not weaken. - Treat remote resource access as an integration boundary, not a convenience default.
Related Guides
- Fonts and local font preparation: /docs/fonts/
- Digital signature workflows: /docs/digital-signatures/
- PDF import behavior and constraints: /docs/pdf-import/
Previous: /docs/development/
Overview: /docs/