Remote Resources

Remote and local asset controls with fileOptions for tc-lib-pdf

By default tc-lib-pdf does not fetch remote URLs. Images, fonts, and SVG files referenced by HTTP or HTTPS are blocked unless you explicitly allow the originating hosts. Local file reads are split between internal library IO and markup-originated resource loads, with separate allowlists.

How Remote Access Is Controlled

Remote access is configured through the optional fileOptions array passed as the last argument to the Tcpdf constructor (and forwarded to initClassObjects()).

$pdf = new \Com\Tecnick\Pdf\Tcpdf(
    unit: 'mm',
    fileOptions: [
        'allowedHosts' => ['cdn.example.com', 'assets.myapp.io'],
    ],
);

Only the listed host names are permitted. Any attempt to load a resource from an unlisted host is silently blocked.

Restricting Local Paths

The allowedPaths key controls which local path prefixes may be read by the shared file helper for internal library IO, such as temp-backed signing flows, fonts, and other explicit file operations.

  • If you omit allowedPaths, tc-lib-pdf computes a default trusted set.
  • If you pass allowedPaths, your list replaces the defaults (it is not merged).

The computed defaults come from trusted local roots, including:

  • The system temp directory.
  • The package root.
  • Bundled vendor/tecnickcom assets.
  • K_PATH_FONTS when that constant is defined and resolves to a real path.

These defaults are returned by Com\\Tecnick\\Pdf\\Base::defaultFileAllowedPaths().

The markupAllowedPaths key controls which local path prefixes may be read when resources are referenced by rendered HTML, CSS, or SVG markup.

  • If you omit markupAllowedPaths and provide allowedPaths, tc-lib-pdf reuses your explicit allowedPaths list for markup.
  • If you omit both keys, tc-lib-pdf computes a stricter markup default that excludes the system temp directory.
  • If you pass markupAllowedPaths, your list replaces markup defaults (it is not merged).

The stricter markup defaults are returned by Com\\Tecnick\\Pdf\\Base::defaultMarkupAllowedPaths().

Windows absolute paths with drive letters are supported as long as they are absolute and match a trusted root after path normalization. You can supply them in native form (C:\\...) or normalized form (C:/...); using the same canonical format for both the allowlist and the resource path is the safest option.

$pdf = new \Com\Tecnick\Pdf\Tcpdf(
    unit: 'mm',
    fileOptions: [
        'allowedPaths' => [
            (string) realpath(sys_get_temp_dir()),
            (string) realpath(__DIR__ . '/../storage/pdf-assets'),
            (string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
        ],
        'markupAllowedPaths' => [
            (string) realpath(__DIR__ . '/../storage/pdf-assets'),
            (string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
        ],
    ],
);

When you override allowedPaths, include every local directory needed for trusted internal operations, such as temp-backed signature files, image fixtures, custom font directories, and cache-backed assets.

When you override markupAllowedPaths, include only directories that should be reachable from rendered markup.

fileOptions Reference

KeyTypeDefaultDescription
allowedHostsstring[][] (none)Host names the library may fetch over HTTP/HTTPS. Remote loading is disabled when this list is empty.
allowedPathsstring[]Computed internal trusted rootsLocal path prefixes permitted for internal file reads. Passing this key replaces defaults, so include all required temp/cache/font directories.
markupAllowedPathsstring[]Explicit allowedPaths value, else stricter computed rootsLocal path prefixes permitted for file reads triggered by rendered HTML, CSS, or SVG markup. Passing this key replaces markup defaults.
maxRemoteSizeint52428800 (50 MiB)Maximum bytes accepted for a single remote download. Requests exceeding this limit are aborted.
curloptsarray<int, bool|int|string>[]Per-request cURL options (keyed by CURLOPT_* constants) merged on top of the built-in defaults.
defaultCurlOptsarray<int, bool|int|string>nullReplaces the built-in default cURL option set entirely. Omit this key to keep the safe defaults.
fixedCurlOptsarray<int, bool|int|string>nullcURL options that are always enforced and cannot be overridden by curlopts for locked-down environments.

Example: Pinning TLS and Setting a Short Timeout

$pdf = new \Com\Tecnick\Pdf\Tcpdf(
    unit: 'mm',
    fileOptions: [
        'allowedHosts'  => ['cdn.example.com'],
        'allowedPaths'  => [
            (string) realpath(sys_get_temp_dir()),
            (string) realpath(__DIR__ . '/../storage/pdf-assets'),
            (string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
        ],
        'markupAllowedPaths' => [
            (string) realpath(__DIR__ . '/../storage/pdf-assets'),
            (string) realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'),
        ],
        'maxRemoteSize' => 10 * 1024 * 1024,
        'curlopts'      => [
            CURLOPT_TIMEOUT        => 10,
            CURLOPT_CONNECTTIMEOUT => 5,
        ],
        'fixedCurlOpts' => [
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
        ],
    ],
);

Operational Guidance

  • Prefer explicit host allowlists rather than wildcards.
  • Configure allowedPaths for trusted internal operations and markupAllowedPaths for rendered markup paths.
  • Keep markupAllowedPaths narrower than allowedPaths when possible.
  • Keep maxRemoteSize conservative when users can influence asset URLs.
  • Use fixedCurlOpts when you need organization-wide TLS constraints that downstream code must not weaken.
  • Treat remote resource access as an integration boundary, not a convenience default.

Previous: /docs/development/

Overview: /docs/

Next: /docs/digital-signatures/

 

© 2004-2026 – Nicola Asuni - Tecnick.com - All rights reserved.
sponsor - legal notice - privacy