Handle Encrypted PDF files

[petarjakopec]

The function first checks the file extension. If it's not a .pdf (case-insensitive), it returns false immediately. This avoids unnecessary file reading for images or other documents. After that, it ensures the temporary file uploaded by Symfony actually exists on the disk and is readable by the PHP process.
Instead of loading the entire PDF into memory (which could be hundreds of megabytes), the function reads only the specific parts of the file where encryption markers are typically stored:
The Head (first 4KB):
$head = (string) fread($fp, 4096);
This captures the PDF header and initial metadata.

The Tail (last 16KB):
@fseek($fp, -16384, SEEK_END); $tail = (string) fread($fp, 16384);
PDF metadata (the "Trailer" and "Cross-Reference Table") is often located at the very end of the file. Password protection settings are frequently defined there.

if (strpos($head, '%PDF-') !== 0) { return false; }
It verifies that the file content actually starts with the standard PDF magic bytes %PDF-. This prevents "fake" PDFs (e.g., a text file renamed to .pdf) from being processed.

return strpos($head . $tail, '/Encrypt') !== false;
This is the core logic. It searches for the /Encrypt token within the combined head and tail buffers.
In the PDF specification, the /Encrypt key in the document trailer dictionary indicates that the file is encrypted (password-protected).
If this token is found, the function returns true, signaling the controller to use resourceType: 'raw' for the Cloudinary upload.