Avoid the use of PIL to determine the image type

Bug #1381284 reported by François Marier on 2014-10-15
Affects: Libravatar
Importance: High
Assigned to: Unassigned

Bug Description

Currently, when an image is uploaded, we open it in PIL to check its format:

  https://gitorious.org/libravatar/libravatar/source/bbebda5000c8ce4cd883558b863b1adbc90b830a:libravatar/account/models.py#L147
  https://gitorious.org/libravatar/libravatar/source/bbebda5000c8ce4cd883558b863b1adbc90b830a:libravatar/account/models.py#L218

We should avoid doing that in case there is a vulnerability in PIL since that would compromise the Django process.

Perhaps we should use file or simply trust the mimetype sent by the browser.
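One way to do the format check without handing the upload to an image decoder, as an added example that is not Libravatar's code: a header-only sniffer that looks at the first bytes and nothing more, plus a policy that treats the browser's Content-Type as a claim to be cross-checked rather than trusted outright (it goes one step past the report's "simply trust the mimetype" option). The function names, the allow-list and the sample byte strings are assumptions constructed for this example.

```python
"""Identify an uploaded image's type from its leading bytes without decoding it.

Hypothetical example: the function names, the allow-list and the sample payloads
below are not part of Libravatar; the byte strings are constructed inline.
"""
from typing import Optional

# Fixed signatures at offset 0. Only a short prefix is compared; nothing is
# parsed, inflated or rendered, so a malformed body never reaches a decoder.
_PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
_GIF_MAGICS = (b"GIF87a", b"GIF89a")
_JPEG_SOI = b"\xff\xd8\xff"  # Start-Of-Image marker followed by a marker byte

# Assumed upload policy for the example.
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file header, or None if unrecognised."""
    header = data[:16]
    if header.startswith(_PNG_MAGIC):
        return "image/png"
    if header.startswith(_GIF_MAGICS):
        return "image/gif"
    if header.startswith(_JPEG_SOI):
        return "image/jpeg"
    return None


def validate_upload(data: bytes, declared_mime: str) -> tuple[bool, str]:
    """Decide whether an upload is acceptable; returns (accepted, reason).

    The browser-supplied Content-Type is treated as a claim: the sniffed type
    must be on the allow-list and must agree with what the client declared.
    """
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "unrecognised file header"
    if sniffed not in ALLOWED_TYPES:
        return False, f"type {sniffed} not allowed"
    if declared_mime.lower() != sniffed:
        return False, f"declared {declared_mime} but content looks like {sniffed}"
    return True, sniffed


# Constructed sample payloads (headers only, not complete images).
SAMPLES = {
    "png_ok": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "image/png"),
    "jpeg_ok": (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00", "image/jpeg"),
    "gif_ok": (b"GIF89a" + b"\x00" * 10, "image/gif"),
    "html_as_png": (b"<html><script>", "image/png"),   # not an image at all
    "mime_lies": (b"GIF89a" + b"\x00" * 10, "image/png"),  # header and claim disagree
}

if __name__ == "__main__":
    for name, (payload, declared) in SAMPLES.items():
        print(name, validate_upload(payload, declared))
```

The point of the design is that a fixed-length prefix comparison is a far smaller parser than a full image decoder, which is the exposure the report wants out of the Django process; the actual decoding can then happen later in a separate, lower-privilege step if it is needed at all.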
