From 9b1f82059659d0af745fab239f6b306f436d1e99 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Sun, 19 Nov 2023 16:34:29 +0000
Subject: [PATCH] Images: Forced intervention loading via specific method

Updated image loading for intervention library to be via a specific 'initFromBinary' method to avoid being overly accepting of input types and mechansisms. For CVE-2023-6199
---
 app/Config/app.php | 4 ----
 app/Uploads/ImageResizer.php | 16 +++++++++++++---
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/app/Config/app.php b/app/Config/app.php
index dcd3ffc31..fc913eb8f 100644
--- a/app/Config/app.php
+++ b/app/Config/app.php
@@ -141,7 +141,6 @@ return [
 // Third party service providers
 Barryvdh\DomPDF\ServiceProvider::class,
 Barryvdh\Snappy\ServiceProvider::class,
- Intervention\Image\ImageServiceProvider::class,
 SocialiteProviders\Manager\ServiceProvider::class,
 
 // BookStack custom service providers
@@ -161,9 +160,6 @@ return [
 // Laravel Packages
 'Socialite' => Laravel\Socialite\Facades\Socialite::class,
 
- // Third Party
- 'ImageTool' => Intervention\Image\Facades\Image::class,
-
 // Custom BookStack
 'Activity' => BookStack\Facades\Activity::class,
 'Theme' => BookStack\Facades\Theme::class,
diff --git a/app/Uploads/ImageResizer.php b/app/Uploads/ImageResizer.php
index e229bb5a0..4dc1b0b99 100644
--- a/app/Uploads/ImageResizer.php
+++ b/app/Uploads/ImageResizer.php
@@ -6,15 +6,14 @@ use BookStack\Exceptions\ImageUploadException;
 use Exception;
 use GuzzleHttp\Psr7\Utils;
 use Illuminate\Support\Facades\Cache;
+use Intervention\Image\Gd\Driver;
 use Intervention\Image\Image as InterventionImage;
-use Intervention\Image\ImageManager;
 
 class ImageResizer
 {
 protected const THUMBNAIL_CACHE_TIME = 604_800; // 1 week
 
 public function __construct(
- protected ImageManager $intervention,
 protected ImageStorage $storage,
 ) {
 }
@@ -117,7 +116,7 @@ class ImageResizer
 ?string $format = null,
 ): string {
 try {
- $thumb = $this->intervention->make($imageData);
+ $thumb = $this->interventionFromImageData($imageData);
 } catch (Exception $e) {
 throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
 }
@@ -144,6 +143,17 @@ class ImageResizer
 return $thumbData;
 }
 
+ /**
+ * Create an intervention image instance from the given image data.
+ * Performs some manual library usage to ensure image is specifically loaded
+ * from given binary data instead of data being misinterpreted.
+ */
+ protected function interventionFromImageData(string $imageData): InterventionImage
+ {
+ $driver = new Driver();
+ return $driver->decoder->initFromBinary($imageData);
+ }
+
 /**
 * Orientate the given intervention image based upon the given original image data.
 * Intervention does have an `orientate` method but the exif data it needs is lost before it
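Review bot: The docblock on `interventionFromImageData` only says the data could be "misinterpreted"; the concrete reason for bypassing `ImageManager::make()` is that Intervention 2.x's generic decoder probes a string argument as a filesystem path, URL or data URI before falling back to raw bytes, so untrusted content reaching it could trigger a local file read or an outbound fetch, and `initFromBinary` skips that probing entirely — worth stating in the comment, e.g. `* make()/init() would first try the string as a file path, URL or data URI (CVE-2023-6199); initFromBinary only ever decodes it as raw bytes.` The method also pins the GD backend with `new Driver()` and reaches into `$driver->decoder`, a public property of the library's driver rather than a documented entry point, so any driver selection the application previously made through the intervention configuration is presumably ignored now and a library upgrade may break the property access; a short comment acknowledging both would help the next maintainer. Adding `@throws \Intervention\Image\Exception\NotReadableException` would document that non-image bytes surface as an exception, which the `catch (Exception $e)` in the hunk above already maps to `ImageUploadException`.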