Images: Forced intervention loading via specific method

Updated image loading for intervention library to be via a specific 'initFromBinary' method to avoid being overly accepting of input types and mechansisms. For CVE-2023-6199
2024-11-23 11:22:33 +01:00 · 2023-11-19 16:34:29 +00:00 · 2023-11-19 16:34:29 +00:00 · 9b1f820596
commit 9b1f820596
parent 2fb873f7ef
2 changed files with 13 additions and 7 deletions
--- a/app/Config/app.php
+++ b/app/Config/app.php
@ -141,7 +141,6 @@ return [
        // Third party service providers
        Barryvdh\DomPDF\ServiceProvider::class,
        Barryvdh\Snappy\ServiceProvider::class,
-        Intervention\Image\ImageServiceProvider::class,
        SocialiteProviders\Manager\ServiceProvider::class,

        // BookStack custom service providers
@ -161,9 +160,6 @@ return [
        // Laravel Packages
        'Socialite'    => Laravel\Socialite\Facades\Socialite::class,

-        // Third Party
-        'ImageTool' => Intervention\Image\Facades\Image::class,
-
        // Custom BookStack
        'Activity'    => BookStack\Facades\Activity::class,
        'Theme'       => BookStack\Facades\Theme::class,
--- a/app/Uploads/ImageResizer.php
+++ b/app/Uploads/ImageResizer.php
@ -6,15 +6,14 @@ use BookStack\Exceptions\ImageUploadException;
 use Exception;
 use GuzzleHttp\Psr7\Utils;
 use Illuminate\Support\Facades\Cache;
+use Intervention\Image\Gd\Driver;
 use Intervention\Image\Image as InterventionImage;
-use Intervention\Image\ImageManager;

 class ImageResizer
 {
    protected const THUMBNAIL_CACHE_TIME = 604_800; // 1 week

    public function __construct(
-        protected ImageManager $intervention,
        protected ImageStorage $storage,
    ) {
    }
@ -117,7 +116,7 @@ class ImageResizer
        ?string $format = null,
    ): string {
        try {
-            $thumb = $this->intervention->make($imageData);
+            $thumb = $this->interventionFromImageData($imageData);
        } catch (Exception $e) {
            throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
        }
@ -144,6 +143,17 @@ class ImageResizer
        return $thumbData;
    }

+    /**
+     * Create an intervention image instance from the given image data.
+     * Performs some manual library usage to ensure image is specifically loaded
+     * from given binary data instead of data being misinterpreted.
+     */
+    protected function interventionFromImageData(string $imageData): InterventionImage
+    {
+        $driver = new Driver();
+        return $driver->decoder->initFromBinary($imageData);
+    }
+
    /**
     * Orientate the given intervention image based upon the given original image data.
     * Intervention does have an `orientate` method but the exif data it needs is lost before it