clear statement about WKHTMLTOPDF only with security flaws possible #2673

Closed
opened 2026-02-05 04:45:31 +03:00 by OVERLORD · 4 comments

Originally created by @ManfredHerrmann on GitHub (Feb 24, 2022).

Describe the Bug

The documentation about this is a bit misleading?

> Note: as of BookStack v21.08 you'll need to also enable untrusted server fetching in your .env file like below. This change was made for security since, in many cases, wkhtmltopdf will perform fetches to external URLs which may be defined by users. You should only enable the below option in environments where only trusted users can export content.

It took me a long time before trying the "NOT optional" `ALLOW_UNTRUSTED_SERVER_FETCHING=true`

Steps to Reproduce

enable WKHTMLTOPDF without "insecure fetches"

```
# In .env file
WKHTMLTOPDF=/home/user/bins/wkhtmltopdf
```

Expected Behaviour

My misunderstanding was "optional security"

```
# In .env file
WKHTMLTOPDF=/home/user/bins/wkhtmltopdf
```

"optional" ... with less functionality: `ALLOW_UNTRUSTED_SERVER_FETCHING=true`

Screenshots or Additional Context

No response

Exact BookStack Version

v21.12.5

PHP Version

No response

Hosting Environment

Ubuntu 20.04

OVERLORD added the 🐛 Bug label 2026-02-05 04:45:31 +03:00

@ssddanbrown commented on GitHub (Feb 24, 2022):

Hi @ManfredHerrmann,

The use of `also` within "you'll need to also enable untrusted server fetching", and the lack of mention of "optional", makes it seem clear to me that this was a requirement. I'm not clear how it's misleading.

Any constructive recommendation in regards to how the docs can be altered to make it clearer?
I didn't want to have both config lines in the same box as I was worried users may copy and paste without understanding the security risk. It also represents it as a separate option (since it is, and may control other abilities) rather than being something specific to the WKHTMLTOPDF option.


@ManfredHerrmann commented on GitHub (Feb 25, 2022):

Hi @ssddanbrown,
sorry for my "bug report" ... it is the first time I have tried to contribute to a famous open source project like BookStack :o)

this sentence ... I see it's not that easy to express:
`You should only enable the below option in environments where only trusted users can export content.`

my "constructive recommendation":
`You should only enable WKHTMLTOPDF + ALLOW_UNTRUSTED_SERVER_FETCHING where only trusted users can export content.`

I hope this makes sense to you and to everyone else.


@ssddanbrown commented on GitHub (Feb 25, 2022):

Thank you @ManfredHerrmann.

I've now updated the wording on https://www.bookstackapp.com/docs/admin/pdf-rendering/.
Specifically:

> As of BookStack v21.08 the ALLOW_UNTRUSTED_SERVER_FETCHING must also be set to true for wkhtmltopdf to be enabled, without this dompdf will be used instead.

Hopefully this is much clearer in stating this option is required.
Will hence close this off.

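The rule restated in the comment above (wkhtmltopdf is used only when `ALLOW_UNTRUSTED_SERVER_FETCHING=true` is also set, otherwise BookStack falls back to dompdf) is easy to get wrong in a `.env` file, which is exactly the confusion this issue reports. The script below is an added example, not BookStack's own code: it reads a `.env` file, reports which renderer will effectively be used, and prints a warning for the two cases worth noticing, a `WKHTMLTOPDF` path that will be silently ignored, and the fetch flag being on, since the page's note says that setting lets the server fetch user-defined URLs during export. The `.env` parsing is a simplified assumption (one `KEY=VALUE` per line, surrounding quotes stripped, `#` comment lines ignored), and treating an empty or `false` `WKHTMLTOPDF` as "off" is an assumption about BookStack's defaults rather than something stated on this page.

```shell
#!/bin/sh
# Added example (not BookStack's code): check which PDF renderer a BookStack
# .env will actually select, following the rule quoted in the thread:
# wkhtmltopdf only when ALLOW_UNTRUSTED_SERVER_FETCHING=true is also set,
# otherwise dompdf.

# env_value FILE KEY -> prints the last value assigned to KEY (quotes removed),
# or nothing if the key is absent. Simplified .env parsing (assumption):
# one KEY=VALUE per line; lines starting with '#' are comments.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# wkhtmltopdf_configured FILE -> exit 0 when WKHTMLTOPDF holds a usable value.
# Assumption: empty or "false" means the option is switched off.
wkhtmltopdf_configured() {
    wk=$(env_value "$1" WKHTMLTOPDF)
    [ -n "$wk" ] && [ "$wk" != "false" ]
}

# effective_pdf_renderer FILE -> prints "wkhtmltopdf" or "dompdf"
effective_pdf_renderer() {
    fetch=$(env_value "$1" ALLOW_UNTRUSTED_SERVER_FETCHING)
    if wkhtmltopdf_configured "$1" && [ "$fetch" = "true" ]; then
        echo wkhtmltopdf
    else
        echo dompdf
    fi
}

# pdf_config_warnings FILE -> one line per noteworthy condition, nothing when
# there is neither a silently ignored WKHTMLTOPDF nor untrusted fetching enabled
pdf_config_warnings() {
    fetch=$(env_value "$1" ALLOW_UNTRUSTED_SERVER_FETCHING)
    if wkhtmltopdf_configured "$1" && [ "$fetch" != "true" ]; then
        echo "WKHTMLTOPDF is set but ALLOW_UNTRUSTED_SERVER_FETCHING is not true: dompdf will be used instead"
    fi
    if [ "$fetch" = "true" ]; then
        echo "ALLOW_UNTRUSTED_SERVER_FETCHING=true: exports may fetch user-defined URLs from the server; only enable where every user who can export is trusted"
    fi
}

# Usage: sh check-pdf-env.sh /path/to/.env  (hypothetical script name)
if [ -n "${1:-}" ]; then
    echo "effective renderer: $(effective_pdf_renderer "$1")"
    pdf_config_warnings "$1"
fi
```

Run against the `.env` from the bug report (only `WKHTMLTOPDF=/home/user/bins/wkhtmltopdf` set) the script reports `dompdf` plus the "set but ignored" warning, which is the situation the reporter spent a long time on; with both lines present it reports `wkhtmltopdf` and the untrusted-fetching warning, so the security trade-off the maintainer deliberately kept in a separate box is visible at the point the setting is checked.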

@ManfredHerrmann commented on GitHub (Feb 25, 2022):

well done @ssddanbrown, thanks

Reference: starred/BookStack#2673