Images: Forced intervention loading via specific method
Updated image loading for intervention library to be via a specific 'initFromBinary' method to avoid being overly accepting of input types and mechanisms. For CVE-2023-6199
This commit is contained in:
parent
2fb873f7ef
commit
9b1f820596
2 changed files with 13 additions and 7 deletions
app
|
@ -141,7 +141,6 @@ return [
|
|||
// Third party service providers
|
||||
Barryvdh\DomPDF\ServiceProvider::class,
|
||||
Barryvdh\Snappy\ServiceProvider::class,
|
||||
Intervention\Image\ImageServiceProvider::class,
|
||||
SocialiteProviders\Manager\ServiceProvider::class,
|
||||
|
||||
// BookStack custom service providers
|
||||
|
@ -161,9 +160,6 @@ return [
|
|||
// Laravel Packages
|
||||
'Socialite' => Laravel\Socialite\Facades\Socialite::class,
|
||||
|
||||
// Third Party
|
||||
'ImageTool' => Intervention\Image\Facades\Image::class,
|
||||
|
||||
// Custom BookStack
|
||||
'Activity' => BookStack\Facades\Activity::class,
|
||||
'Theme' => BookStack\Facades\Theme::class,
|
||||
|
|
|
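Review bot: Dropping `Intervention\Image\ImageServiceProvider` and the `'ImageTool'` alias means `ImageManager` is no longer bound in the container and the facade no longer resolves, so any other constructor still type-hinting `ImageManager`, or any theme/custom code calling `ImageTool::`, would fail at runtime rather than at boot. This commit removes the one injection in `ImageResizer`, but a search for remaining `ImageManager`/`ImageTool` references before merge would confirm nothing else depends on them. A one-line comment next to the remaining third-party providers, such as `// Intervention is used directly via its GD driver in ImageResizer, not through the container`, would explain to the next reader why the package is installed but not registered.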
@ -6,15 +6,14 @@ use BookStack\Exceptions\ImageUploadException;
|
|||
use Exception;
|
||||
use GuzzleHttp\Psr7\Utils;
|
||||
use Illuminate\Support\Facades\Cache;
|
||||
use Intervention\Image\Gd\Driver;
|
||||
use Intervention\Image\Image as InterventionImage;
|
||||
use Intervention\Image\ImageManager;
|
||||
|
||||
class ImageResizer
|
||||
{
|
||||
protected const THUMBNAIL_CACHE_TIME = 604_800; // 1 week
|
||||
|
||||
public function __construct(
|
||||
protected ImageManager $intervention,
|
||||
protected ImageStorage $storage,
|
||||
) {
|
||||
}
|
||||
|
@ -117,7 +116,7 @@ class ImageResizer
|
|||
?string $format = null,
|
||||
): string {
|
||||
try {
|
||||
$thumb = $this->intervention->make($imageData);
|
||||
$thumb = $this->interventionFromImageData($imageData);
|
||||
} catch (Exception $e) {
|
||||
throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
|
||||
}
|
||||
|
@ -144,6 +143,17 @@ class ImageResizer
|
|||
return $thumbData;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an intervention image instance from the given image data.
|
||||
* Performs some manual library usage to ensure image is specifically loaded
|
||||
* from given binary data instead of data being misinterpreted.
|
||||
*/
|
||||
protected function interventionFromImageData(string $imageData): InterventionImage
|
||||
{
|
||||
$driver = new Driver();
|
||||
return $driver->decoder->initFromBinary($imageData);
|
||||
}
|
||||
|
||||
/**
|
||||
* Orientate the given intervention image based upon the given original image data.
|
||||
* Intervention does have an `orientate` method but the exif data it needs is lost before it
|
||||
|
|
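Review bot: `interventionFromImageData` constructs `new Driver()` from `Intervention\Image\Gd` directly, so the GD backend is now used regardless of whatever driver the removed `ImageManager` binding may have been configured with; if that narrowing is deliberate it deserves saying in the docblock, e.g. `* Always uses the GD driver so that the decoder is invoked directly and no driver/config lookup can change the input handling.` The docblock could also state concretely what is being avoided, since "misinterpreted" is vague: `* Calls the driver decoder's initFromBinary() rather than ImageManager::make(), which accepts more input forms than raw binary data.` In the hunk above, the surrounding `catch (Exception $e)` discards `$e`; passing it as `previous: $e` to the `ImageUploadException` would preserve the decoder's reason for logging without changing the user-facing message. The `ImageResizer` class body continues outside the hunk.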