Images: Forced intervention loading via specific method
Updated image loading for intervention library to be via a specific 'initFromBinary' method to avoid being overly accepting of input types and mechanisms. For CVE-2023-6199
parent
2fb873f7ef
commit
9b1f820596
2 changed files with 13 additions and 7 deletions
|
@ -141,7 +141,6 @@ return [
|
||||||
// Third party service providers
|
// Third party service providers
|
||||||
Barryvdh\DomPDF\ServiceProvider::class,
|
Barryvdh\DomPDF\ServiceProvider::class,
|
||||||
Barryvdh\Snappy\ServiceProvider::class,
|
Barryvdh\Snappy\ServiceProvider::class,
|
||||||
Intervention\Image\ImageServiceProvider::class,
|
|
||||||
SocialiteProviders\Manager\ServiceProvider::class,
|
SocialiteProviders\Manager\ServiceProvider::class,
|
||||||
|
|
||||||
// BookStack custom service providers
|
// BookStack custom service providers
|
||||||
|
@ -161,9 +160,6 @@ return [
|
||||||
// Laravel Packages
|
// Laravel Packages
|
||||||
'Socialite' => Laravel\Socialite\Facades\Socialite::class,
|
'Socialite' => Laravel\Socialite\Facades\Socialite::class,
|
||||||
|
|
||||||
// Third Party
|
|
||||||
'ImageTool' => Intervention\Image\Facades\Image::class,
|
|
||||||
|
|
||||||
// Custom BookStack
|
// Custom BookStack
|
||||||
'Activity' => BookStack\Facades\Activity::class,
|
'Activity' => BookStack\Facades\Activity::class,
|
||||||
'Theme' => BookStack\Facades\Theme::class,
|
'Theme' => BookStack\Facades\Theme::class,
|
||||||
|
|
|
@ -6,15 +6,14 @@ use BookStack\Exceptions\ImageUploadException;
|
||||||
use Exception;
|
use Exception;
|
||||||
use GuzzleHttp\Psr7\Utils;
|
use GuzzleHttp\Psr7\Utils;
|
||||||
use Illuminate\Support\Facades\Cache;
|
use Illuminate\Support\Facades\Cache;
|
||||||
|
use Intervention\Image\Gd\Driver;
|
||||||
use Intervention\Image\Image as InterventionImage;
|
use Intervention\Image\Image as InterventionImage;
|
||||||
use Intervention\Image\ImageManager;
|
|
||||||
|
|
||||||
class ImageResizer
|
class ImageResizer
|
||||||
{
|
{
|
||||||
protected const THUMBNAIL_CACHE_TIME = 604_800; // 1 week
|
protected const THUMBNAIL_CACHE_TIME = 604_800; // 1 week
|
||||||
|
|
||||||
public function __construct(
|
public function __construct(
|
||||||
protected ImageManager $intervention,
|
|
||||||
protected ImageStorage $storage,
|
protected ImageStorage $storage,
|
||||||
) {
|
) {
|
||||||
}
|
}
|
||||||
|
@ -117,7 +116,7 @@ class ImageResizer
|
||||||
?string $format = null,
|
?string $format = null,
|
||||||
): string {
|
): string {
|
||||||
try {
|
try {
|
||||||
$thumb = $this->intervention->make($imageData);
|
$thumb = $this->interventionFromImageData($imageData);
|
||||||
} catch (Exception $e) {
|
} catch (Exception $e) {
|
||||||
throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
|
throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
|
||||||
}
|
}
|
||||||
|
@ -144,6 +143,17 @@ class ImageResizer
|
||||||
return $thumbData;
|
return $thumbData;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create an intervention image instance from the given image data.
|
||||||
|
* Performs some manual library usage to ensure image is specifically loaded
|
||||||
|
* from given binary data instead of data being misinterpreted.
|
||||||
|
*/
|
||||||
|
protected function interventionFromImageData(string $imageData): InterventionImage
|
||||||
|
{
|
||||||
|
$driver = new Driver();
|
||||||
|
return $driver->decoder->initFromBinary($imageData);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Orientate the given intervention image based upon the given original image data.
|
* Orientate the given intervention image based upon the given original image data.
|
||||||
* Intervention does have an `orientate` method but the exif data it needs is lost before it
|
* Intervention does have an `orientate` method but the exif data it needs is lost before it
|
||||||
|
|
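Review bot: The new interventionFromImageData() pins the image backend to `new Driver()` from Intervention\Image\Gd, so any driver configured for the library is no longer consulted, and with the ImageManager property removed from the constructor in the first hunk, any other method of ImageResizer outside these hunks that still reads `$this->intervention` would now hit an undefined property — worth a grep before merging. The decoder is reached via the driver's public `decoder` property, which is library internals rather than the documented entry point, so the docblock should record why that is deliberate: `* Uses the GD decoder's initFromBinary() directly because ImageManager::make() also accepts file paths and URLs, so a string of image bytes could be re-interpreted as a location (CVE-2023-6199).` A `@throws` line for the exception the decoder raises on unreadable input would also help, since the only visible caller (in the second hunk, whose enclosing method starts outside it) relies on a broad `catch (Exception $e)` to convert it into ImageUploadException. If a non-GD driver is ever meant to be supported, injecting the decoder (or the driver) through the constructor would keep this method testable and configurable without reopening the original issue.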