Skip to content

setjSignPdfJarPath() is inconsistently treated as both directory and jar file, causing open_basedir warning and failure in debug mode #46

New issue
New issue
Open
Open
setjSignPdfJarPath() is inconsistently treated as both directory and jar file, causing open_basedir warning and failure in debug mode#46
@vkywalker

Description

@vkywalker
vkywalker
opened on Jan 7, 2026

Thanks for maintaining this library and for the work you’ve put into it. It’s been very useful for us, and I appreciate you taking the time to review this issue.

Description

The PDF signing process fails when application debug mode is enabled due to a PHP warning raised inside the JSignPDF PHP wrapper.

Warning: file_exists(): open_basedir restriction in effect.
File(/var/www/vhosts/somedomain.com/jsignpdf/JSignPdf.jar/.jsignpdf_version_jsignpdf-2.3.0.zip)
is not within the allowed path(s): (/var/www/vhosts/somedomain.com/:/tmp/)

This warning causes the signing process to fail when PHP is in a strict mode.

According to the README, the following configuration is documented:
$param->setjSignPdfJarPath('/path/to/jsignpdf');
This suggests that a directory should be provided.

But, in practice:

Passing a directory (e.g. /var/www/vhosts/somedomain.com/jsignpdf) results in:
Error: Invalid or corrupt jarfile /var/www/vhosts/somedomain.com/jsignpdf

This indicates that the value passed to setjSignPdfJarPath() must point to the JAR file itself.

Passing the JAR file path works correctly but only when debug mode is disabled.

$param->setjSignPdfJarPath('/var/www/vhosts/somedomain.com/jsignpdf/JSignPdf.jar');

While investigating, I found that in
src/Runtime/JSignPdfRuntimeService.php, method validateVersion(), the value returned by getJSignPdfPath() is treated as a directory:
$versionCacheFile = $jsignPdfPath . '/.jsignpdf_version_' . basename($params->getJSignPdfDownloadUrl());
When $jsignPdfPath is a JAR file path, this produces an invalid filesystem path such as:

/path/to/JSignPdf.jar/.jsignpdf_version_...

PHP triggers a file_exists() warning, which breaks execution when strict error handling is enabled.

Working fix

Proof fix, which works for me
Changing the above line to use the parent directory resolves the issue completely:
$versionCacheFile = \dirname($jsignPdfPath) . '/.jsignpdf_version_' . basename($params->getJSignPdfDownloadUrl());

Please clarify or enforce whether setjSignPdfJarPath() expects a directory or a JAR file, and handle runtime/cache paths accordingly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions